XZ Utils Backdoor (opens in new tab)

(tukaani.org)

114 pointsspaam2y ago16 comments

16 comments

15 comments · 6 top-level

publius_0xf32y ago· 4 in thread

When all this is over and Collin is in the right state of mind, I'd appreciate if they could shed some light on the social engineering side of this exploit. i.e. the process by which the intruder introduced themselves, gained and exploited their trust, any warning signs or red flags, etc.

Their experience could make for a valuable lesson and prevent future occurrences.

hintymad2y ago

From what I read, it looks it was not really social engineering per se but the good old way of earning trust, just like any ordinary engineer: the intruder joined the project three years ago and started to contributed patches. He also made good suggestions on design changes. Eventually he became a committer because he consistently made value contributions to the project.

P.S., this does not look like an individual behavior. It's hard to imagine that an individual would spend three years just to plant a backdoor in sshd.

puffybuf2y ago

It looks like he made multiple sock puppet accounts talking to himself on the mailing lists: https://boehs.org/node/everything-i-know-about-the-xz-backdo...

He made a sock puppet asking debian to update the package in 'unstable'. (along with other package update requests so it wouldn't look suspicious).

em-bee2y ago

given how widespread sshd is, i'd think it is realistic because the payoff would just be worth it if successful. the whole thing is also complex enough that it would take a while to develop. the attacker starts learning the internals of xz and in the process they develop the skills to contribute patches. so development of the attack and gaining trust go hand in hand.

lamontcg2y ago

I mean that is still social engineering, it is just really long-game social engineering.

And IDK that we've entirely ruled out that Jia Tan didn't wind up being blackmailed or coerced or something -- although if they were really running sockpuppets to get themselves added to the project up front that is probably less likely.

Alifatisk2y ago· 3 in thread

What can one do after having this installed? What's the consequences for a machine with this installed but not connected to the WAN?

arthur2e52y ago

No known consequence, assuming...

(1) changing the RSA decrypt function in OpenSSH is all the code hidden in crc64 does: that's the only known behavior, but we don't know what the changed function does besides letting some authentication through, nor do we know if there are other things it does

(2) there's no malicious machine in your LAN exploiting the RSA decrypt to log onto your sshd: nobody has seen one yet, but it doesn't mean there's no such thing.

If you are not using a distro that does dpkg or rpm, or if your machine is not x86-64, you're free from the "code hidden in crc64", the one that targets sshd, CVE-2024-3094. Are there unknown backdoors? Who knows. Do we count the landlock sabotage as a backdoor?

It's hard to deal with unknowns. Assume the worst, maybe, but what even is the worst?

treffer2y ago

Well, I am skeptical about (2).

It is unclear what exploiting means. The backdoor is doing _something_ for 0.5s if RSA key exchange happens.

So even a valid login might trigger not yet known side effects. It might just tunnel commands over dns for example (DNS being a well known side effect of ssh anyway).

So "exploiting" might mean as little as "used ssh".

1 more reply

treffer2y ago

Assume that a backdoor was injected and activated, especially if you ever sshd into the machine.

The backdoor is not fully analyzed as of now. As such nothing can be said about the system besides "it is potentially compromised".

legobmw992y ago· 2 in thread

You really have to feel for the author. Stepping aside for personal reasons and having someone else take up the mantle of a project is supposed to be a success story of open source - I myself have been on both sides of that process before.

For it to turn out like this is incredibly disappointing

rurban2y ago

Well, at least it was detected pretty early, and is contained.

Extremely wicked backdoor, but he only lost the main maintainer and github. Github will be reactivated soon for him, so others can take over.

kzrdude2y ago

Is it that easy? I figured he'd face an uphill battle himself - people might not trust him either, by association, or by fear that his accounts have been compromised (and are now impersonating him.)

treffer2y ago

There has been a lot said to not throw shit at Lasse Collin. This post is reassuring.

It was said he is on an internet break at the moment, so I hope this doesn't ruin weeks for him. It's thankless enough to maintain something like xz.

wooque2y ago

How do we know this is real Lasse Collin and not the same person behind Jia Tan persona, who now tries to deescalate and make it look like original maintainer is back in charge?

cpach2y ago

Main thread here: https://news.ycombinator.com/item?id=39865810

j / k navigate · click thread line to collapse

16 comments

15 comments · 6 top-level

publius_0xf32y ago· 4 in thread

Their experience could make for a valuable lesson and prevent future occurrences.

hintymad2y ago

P.S., this does not look like an individual behavior. It's hard to imagine that an individual would spend three years just to plant a backdoor in sshd.

puffybuf2y ago

It looks like he made multiple sock puppet accounts talking to himself on the mailing lists: https://boehs.org/node/everything-i-know-about-the-xz-backdo...

He made a sock puppet asking debian to update the package in 'unstable'. (along with other package update requests so it wouldn't look suspicious).

em-bee2y ago

lamontcg2y ago

I mean that is still social engineering, it is just really long-game social engineering.

Alifatisk2y ago· 3 in thread

What can one do after having this installed? What's the consequences for a machine with this installed but not connected to the WAN?

arthur2e52y ago

No known consequence, assuming...

(2) there's no malicious machine in your LAN exploiting the RSA decrypt to log onto your sshd: nobody has seen one yet, but it doesn't mean there's no such thing.

It's hard to deal with unknowns. Assume the worst, maybe, but what even is the worst?

treffer2y ago

Well, I am skeptical about (2).

It is unclear what exploiting means. The backdoor is doing _something_ for 0.5s if RSA key exchange happens.

So even a valid login might trigger not yet known side effects. It might just tunnel commands over dns for example (DNS being a well known side effect of ssh anyway).

So "exploiting" might mean as little as "used ssh".

1 more reply

treffer2y ago

Assume that a backdoor was injected and activated, especially if you ever sshd into the machine.

The backdoor is not fully analyzed as of now. As such nothing can be said about the system besides "it is potentially compromised".

legobmw992y ago· 2 in thread

For it to turn out like this is incredibly disappointing

rurban2y ago

Well, at least it was detected pretty early, and is contained.

Extremely wicked backdoor, but he only lost the main maintainer and github. Github will be reactivated soon for him, so others can take over.

kzrdude2y ago

Is it that easy? I figured he'd face an uphill battle himself - people might not trust him either, by association, or by fear that his accounts have been compromised (and are now impersonating him.)

treffer2y ago

There has been a lot said to not throw shit at Lasse Collin. This post is reassuring.

It was said he is on an internet break at the moment, so I hope this doesn't ruin weeks for him. It's thankless enough to maintain something like xz.

wooque2y ago

How do we know this is real Lasse Collin and not the same person behind Jia Tan persona, who now tries to deescalate and make it look like original maintainer is back in charge?

cpach2y ago

Main thread here: https://news.ycombinator.com/item?id=39865810

j / k navigate · click thread line to collapse