Just some thoughts by a guy you don't know.
Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries.
CVE-2024-3094 is a malicious code vulnerability in versions 5.6.0 and 5.6.1 of XZ Utils, enabling an SSH authentication bypass in certain Linux distributions.
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From Ars Technica: Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware...
Popular Linux compression tool XZ Utils found with backdoor. Threat actors can remotely execute code on your machine, bypassing authentication.
Urgent security alerts issued as malicious code was found embedded in the XZ Utils data compression library used in many Linux distributions.
Malicious code was pushed to the libxz-utils project that introduced a backdoor in SSH. Here's how to find potentially vulnerable systems.
Secret backdoor found in XZ Utils compression library used by major Linux distros, like Fedora, Kali Linux, and openSUSE.
Managing insider threats when the whole world is an insider.
Learn how to securely upload Python packages to PyPI from GitLab CI/CD pipelines using a “Trusted Publisher” (and without API tokens). Continuously test the release process with TestPyPI on every push. Use GitLab (deploy) environments as an additional...
In other news: AT&T confirms 2019 data breach; Canonical switches to manual reviews after flood of scam apps; HP leaves Russia.
Many discussions about open source dependencies and maintenance happened in the last month. Two posts caught my eye in the Rust ecosystem: Sudo-rs dependencie...
Collection of links to other valuable digital realms.
Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it...
The past few days have seen the security world focused on the revelation of the xz/liblzma backdoor. For more background, see this early writeup of the issue, this GitHub Gist, this detailed timeli...
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
When I stumbled across a post that an encryption library offers a potential backdoor to SSH connectivity on Good Friday, my first thought was: why is it always on a Friday that these things drop? And then my second one: oh bugger, here goes my weekend. Now, I won’t go into the technical details, there are many, many, many, many better resources out there, but I can’t help thinking that this would/should force the software industry to think.
A poetry plugin for establishing chain of trust. Contribute to irgolic/vet development by creating an account on GitHub.
it's not quite xz but at least my grandma knows what samsung is
A backdoor compromising SSH server introduced in xz/liblzma 5.6.0 and 5.6.1 was reported today to oss-security by Andres Freund. Accordi...
These are personal opinions and should not be construed as thought leadership
Soylent green is people!
Homepage for Addison Crump
As you probably already heard, the xz package got compromised. The package was used as an entry point to inject malicious code into sshd, altering the authentication flow. This deliberately planted vulnerability is now known as CVE-2024-3094.
xz-utils backdoor situation (CVE-2024-3094). GitHub Gist: instantly share code, notes, and snippets.
Firstyear's blog