GeistHaus

XZ Utils Backdoor - Schneier on Security

schneier.com

The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From Ars Technica: Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware...
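The two facts a responder needs from the excerpt above are the affected releases (XZ Utils 5.6.0 and 5.6.1) and the attack path (sshd loading liblzma). The following triage script is an added example, not code from Schneier's post, Ars Technica, or the XZ project; it assumes `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line and that `ldd` is available for the library check.

```shell
#!/bin/sh
# Added example (not from the original page): host triage for the xz/liblzma
# backdoor (CVE-2024-3094). It answers two questions:
#   1. Is the installed xz one of the backdoored releases (5.6.0 or 5.6.1)?
#   2. Does the local sshd load liblzma, the dependency the backdoor hooks?
# Assumptions: `xz --version` output format as documented above; `ldd` present.

# Returns 0 (true) when the version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts "X.Y.Z" from the first line of `xz --version` output.
# Constructed sample input: "xz (XZ Utils) 5.6.1"  ->  "5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when the given binary links liblzma (directly or transitively).
binary_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Runs both checks against the current host and prints a verdict.
check_host() {
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz not found, or version output not in the expected format"
    elif xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release (CVE-2024-3094)"
    else
        echo "ok: xz $ver is not 5.6.0 or 5.6.1"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && binary_links_liblzma "$sshd_path"; then
        echo "note: $sshd_path links liblzma (the dependency the backdoor abuses)"
    else
        echo "note: sshd not found or does not link liblzma on this host"
    fi
}

check_host
```

The version match is the decisive check; the ldd check explains exposure, since upstream sshd does not link liblzma at all and only picks it up through distribution patches (the systemd notification support in Debian and Fedora/Red Hat builds). A host on 5.6.0 or 5.6.1 should be treated as compromised regardless of what ldd reports, because the malicious release is still present and the package should be downgraded or rebuilt.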

3 pages link to this URL
Friday Links 24-10

Heisenberg’s indeterminacy principle formula. Two weeks of links, which include a collection from the xz debacle. I loved reading these, as this is a good combination of spy story and technology postmortem. If you want to read an overview, read the timeline post. Good podcasts this week: about the Heisenberg principle, and the silencing of climate protesters in the UK. Leadership: Getting real with Employee Experience [Podcast] - two good interviews with people active in the area.

0 inbound links · article · en · post · environment, urbanism, friday links, leadership, engineering, fridaylinks
xz/liblzma Compromise Link Roundup

Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).

2 inbound links · article · en · infosec · xz/liblzma Compromise Link Roundup, shellsharks, infosec, supplychain
xz backdoor - Dmitry Kudryavtsev

A malicious backdoor was discovered in the xz library, which implements LZMA compression. xz is used, among many other places, indirectly in sshd. My attempt to explain what happened.

1 inbound link · article · en · Security · CC BY-NC 4.0