undefined | Better HN

0 pointsjaromilrojo2y ago0 comments

This is another proof that systemd is an anti-pattern for security: with its crawling and ever growing web of dependencies, it extends the surface of vulnerability to orders of magnitude, and once embraced not even large distro communities can defend you from that.

A malware code injection in upstream xz-tools is a vector for remote exploitation of the ssh daemon due to a dependency on systemd for notifications and due to systemd's call to dlopen() liblzma library (CVE-2024-3094). The resulting build interferes with authentication in sshd via systemd.

0 comments

acdha2y ago

Please take the systemd trolling to Reddit. They likely targeted xz specifically because it’s so widely used but there are dozens of other libraries which are potential candidates for an attack on sshd, much less everything else which has a direct dependency unrelated to systemd (e.g. dpkg).

Rather than distracting, think about how the open source projects you use would handle an attack like this where someone volunteers to help a beleaguered maintainer and spends time helpfully taking on more responsibilities before trying to weaken something.

account422y ago

Those other libraries dependend on by sshd are hopefully more closely monitored. The upstream sshd developers probably did not even consider that liblzma could end up being loaded in the process.

Make excuses for systemd all you want but loading multiple additional libraries into crytical system deamons just to write a few bytes into a socket is inexcusable and directly enabled this attack vector.

jaromilrojoOP2y ago

You are distracting from facts with speculations and trolling FUD. I refer to what is known and has happened, you are speculating on what is not known.

1 more reply

geggo982y ago

Actually you have a point. A collection of shell scripts (like the classical init systems) have obviously a smaller attack surface. In this case the attacker used some integration code with systemd to attack the ssh daemon. So sshd without systemd integration is safe against this specific attack.

In general, I’m not convinced that systemd makes things less secure. I have the suspicion that the attacker would just have used a different vector, if there was no systemd integration. After all it looks like the attacker was also trying to integrate exploits in owner libraries, like zstd.

Still I would appreciate it, if systemd developers would find a better protection against supply chain attacks.

acdha2y ago

It’s also tricky to reason about risk: for example, ShellShock caused a bunch of vulnerabilities in things which used shell scripts and the classic SysV Init system was a factor in a ton of vulnerabilities over the years because not having a standard way to do things like drop privileges or namespace things, manage processes, difficulties around managing chroot, etc. meant that you had a bunch of people implementing code which ran with elevated privileges because it needed to do things like bind to a low network port and they either had vulnerabilities in the privileged part or messed up some detail. I think in general it’s been much better in the systemd era where so much of that is builtin but I have been happy to see them starting to trim some of the things like the compression format bindings and I expect this will spur more.

jaromilrojoOP2y ago

I really appreciate your tone and dialectic reasoning, thanks for your reply. And yes, as simple as it sounds, I believe that shell scripts help a lot to maintain mission critical tools. One hands-on example is https://dyne.org/software/tomb where I took this approach to replace whole disk encryption which is nowadays also dependent on systemd-cryptsetup.

1 more reply

saagarjha2y ago

This isn't Twitter you don't have to use hashtags

heptazoid2y ago

This isn't Xitter, you don't have to tell people how to write.

throwaway73562y ago

> systemd's call to dlopen() liblzma library (CVE-2024-3094)

That's technically wrong, but no surprise. Anti-systemd trolls usually don't understand technical details after all.

jaromilrojoOP2y ago

It is 10 and more years that I experience such ad-hominem attacks.

You are so quickly labeling an identifiable professional as troll, while hiding behind your throwaway identity, that I am confident readers will be able to discern.

Meanwhile let us be precise and add more facts https://github.com/systemd/systemd/pull/31550

Our community is swamped by people like you, so I will refrain from answering further provocations, believing I have provided enough details to back my assertion.

2 more replies

j / k navigate · click thread line to collapse

0 comments

acdha2y ago

account422y ago

Those other libraries dependend on by sshd are hopefully more closely monitored. The upstream sshd developers probably did not even consider that liblzma could end up being loaded in the process.

jaromilrojoOP2y ago

You are distracting from facts with speculations and trolling FUD. I refer to what is known and has happened, you are speculating on what is not known.

1 more reply

geggo982y ago

Still I would appreciate it, if systemd developers would find a better protection against supply chain attacks.

acdha2y ago

jaromilrojoOP2y ago

1 more reply

saagarjha2y ago

This isn't Twitter you don't have to use hashtags

heptazoid2y ago

This isn't Xitter, you don't have to tell people how to write.

throwaway73562y ago

> systemd's call to dlopen() liblzma library (CVE-2024-3094)

That's technically wrong, but no surprise. Anti-systemd trolls usually don't understand technical details after all.

jaromilrojoOP2y ago

It is 10 and more years that I experience such ad-hominem attacks.

You are so quickly labeling an identifiable professional as troll, while hiding behind your throwaway identity, that I am confident readers will be able to discern.

Meanwhile let us be precise and add more facts https://github.com/systemd/systemd/pull/31550

Our community is swamped by people like you, so I will refrain from answering further provocations, believing I have provided enough details to back my assertion.

2 more replies

j / k navigate · click thread line to collapse