XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable."

I think behavioral analysis could be promising. There's a lot of weird stuff this code does on startup that any reasonable Debian package on the average install should not be doing in a million years.

Games and proprietary software will sometimes ship with DRM protection layers that do insane things in the name of obfuscation, making it hard to distinguish from malware.

But (with only a couple exceptions) there's no reason for a binary or library in a Debian package to ever try to write the PLT outside of the normal mechanism, to try to overwrite symbols in other modules, to add LD audit hooks on startup, to try to resolve things manually by walking ELF structures, to do anti-debug tricks, or just to have any kind of obfuscation or packing that free software packaged for a distro is not supposed to have.

Some of these may be (much) more difficult to detect than others, some might not be realistic. But there are several plausible different ways a scanner could have detected something weird going on in memory during ssh startup.

No one wants a Linux antivirus. But I think everyone would benefit from throwing all the behavioral analysis we can come up with at new Debian package uploads. We're very lucky someone noticed this one, we may not have the same luck next time.

Dynamic linking was a mistake and should be eliminated

The real problem was doing expensive math for every connection. If it had relied on a cookie or some simpler-to-compute pre-filter, no one would have been the wiser.

If you think about it this is a data-providence problem though. The exploit was hidden in "test" code which gets included in release code by compiler flags.

Now, if there was a proper chain of accountability for data, then this wouldn't have been possible to hide the way it is - any amount of pre-processing resulting in the release tarball including derived products of "test" files would be suspicious.

The problem is we don't actually track data providence like this - no build system does. The most we do is <git hash in> -> <some deterministic bits out>. But we don't include the human readable data which explains how that transform happens at enough levels.

the call to system is obfuscated, static analysis wouldn't see it

I'm really surprised they did a call to system() rather than just implement a tiny bytecode interpreter.

A bytecode interpreter that can call syscalls can be just a few hundred bytes of code, and means you can avoid calling system() (whose calls might be logged), and avoid calling mprotect to make code executable (also something likely to raise security red flags).

The only downside of a bytecode interpreter is the whole of the rest of your malware needs to be compiled to your custom bytecode to get the benefits, and you will take a pretty big performance hit. Unless you're streaming the users webcam, that probably isn't an issue tho.

I’ve been building Packj [1] to detect malicious PyPI/NPM/Ruby/PHP/etc. dependencies using behavioral analysis. It uses static+dynamic code analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect bad actors (e.g., typo squatting).

1. https://github.com/ossillate-inc/packj

Maybe they didn't have time to test? They could have been scrambling to make it into timed releases such as Ubuntu 24.04 or Fedora 40.

Surely this is something the FBI should be involved with? Or some authority?

This was the backdoor we found. We found the backdoor with performance issues.

Whats more likely - that this is the only backdoor like this in linux, or that there are more out there and this is the one we happened to find?

I really hope someone is out there testing for all of this stuff in linux:

- Look for system() calls in compiled binaries and check all of them

- Look for uses of IFUNC - specifically when a library uses IFUNC to replace other functions in the resulting executable

- Make a list of all the binaries / libraries which don't landlock. Grep the sourcecode of all those projects and make sure none of them expect to be using landlock.

But seriously, we could have found ourselves with this in all stable repos: RHEL, Debian, Ubuntu, IoT devices 5 years from now and it would have been a much larger shit show.

Think about backdoors that are already present and will never be found out.

I suspect I could have used this exact attack against 10,000 random SSH servers spread all over the world, and not be detected.

Most people don't log TCP connections, and those that do don't go through their logs looking for odd certificates in ssh connections.

And no common logging at the ssh/pam level would have picked this up.

Your only chance is some sysadmin who has put 'tripwires' on certain syscalls like system(), fork() or mmap() looking for anything unusual.

Even then, they might detect the attack, yet have no chance at actually finding how the malicious code loaded itself.

That said, if you're not using it, it defeats the purpose.

Not if this was injected by a state actor. My experience with other examples of state actor interference in critical infrastructure, is that the exploit is not used. It’s there as a capability to be leveraged only in the context of military action.

Hmmh, brings up the question, if no exploit actually occurred, was a crime committed? Can't the authors claim that they were testing how quickly the community of a thousand eyes would react, you know, for science?

where no auditor ever looks

Well, software supply chains are a thing.

"where no auditor ever is paid to look" would be more correct.

That said, if you're not using it, it defeats the purpose.

Not always. Weapons of war are most useful when you don't have to actually use them, because others know that you have it. This exploit could be used sparingly to boost a reputation of a state-level actor. Of course, other parties wouldn't know about this particular exploit, but they would see your cyber capabilities in the rare occasions where you decided to use it.

The purpose would presumably be to use this about an hour before the amphibious assault on $WHEREVER begins

it enabled it in the first place

it took roughly two years including social engineering.

I'd say the same approach is much easier in a big software company.

How would this be possible? This backdoor works because lzma is loaded into sshd (by a roundabout method involving systemd). I don't think gcc or clang links lzma.

One idea may be to create a patched version of ld-linux itself with added sanity checks while the process loads.

For something much more heavy-handed, force the pages in sensitive sections to fault, either in the kernel or in a hypervisor. Then look at where the access is coming from in the page fault handler.

I don't think you can reliably differentiate a backdoor executing a command, and a legitimate user logged in with ssh running a command once the backdoor is already installed. But the way backdoors install themselves is where they really break the rules.

A very tight SELinux policy could catch sshd executing something that ain’t a shell but hardening to that degree would be extremely rare I assume.

Huh, ssh executes things that aren't shells all the time during normal operation. No? i.e. 'ssh myserver.lan cat /etc/fstab'

The situation certainly wouldn't be helped by the fact that this exploit targeted the systemd integration used by Debian and Red Hat. OpenSSH developers aren't likely to run that since they already rejected that patch for the increased attack surface. Hard to argue against, in retrospect. The attack also avoids activation under those conditions a profiler or debugger would run under.

Could you explain how SELinux could ever sandbox against RCE in sshd? Its purpose is to grant login shells to arbitrary users, after all.

With the right sandboxing techniques, SELinux and mitigations could prevent the attacker from doing anything with root permissions.

Please review this commit[0] where the sandbox detection was “improved”.

[0] https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2...

Doesn't matter. This is a supply chain attack, not a vulnerability arising from a bug. All sandboxing the certificate parsing code would have done is make the author of the backdoor do a little bit more work to hijack the necessarily un-sandboxed supervisor process.

Applying the usual exploit mitigations to supply chain attacks won't do much good.

What will? Kill distribution tarballs. Make every binary bit for bit reproducible from a known git hash. Minimize dependencies. Run whole programs with minimal privileges.

Oh, and finally support SHA2 in git to forever forestall some kind of preimage attack against a git commit hash.

Right, though if I'm understanding correctly, this is targeting openssl, not just sshd. So there's a larger set of circumstances where this could have been exploited. I'm not sure if it's yet been confirmed that this is confined only to sshd.

Another reason to adopt OpenBSD style pledge/unveil in Linux.

sshd is probably the softest target on most systems. It is generally expected (and setup by default) so that people can gain a root shell that provides unrestricted access.

sshd.service will typically score 9.6/10 for "systemd-analyze security sshd.service" where 10 is the worst score. When systemd starts a process, it does so by using systemd-nspawn to setup a (usually) restricted namespace and apply seccomp filters before the process is then executed. seccomp filters are inherited by child processes, which can then only further restrict privileges but not expand upon the inherited privileges. openssh-portable on Linux does apply seccomp filters to child processes but this is useless in this attack scenario because sshd is backdoored by the xz library, and the backdoored library can just disable/change those seccomp filters before sshd is executed.

sshd is particularly challenging to sandbox because if you were to restrict the namespace and apply strict seccomp filters via systemd-nspawn, a user gaining a root shell via sshd (or wanting to sudo/su as root) is then perhaps prevented from remotely debugging applications, accessing certain filesystems, interacting with network interfaces, etc depending on what level of sandboxing is applied from systemd-nspawn. This choice is highly user dependent and there are probably only limited sane defaults for someone who has already decided they want to use sshd. For example, sane defaults could include creating dedicated services with sandboxing tailored just for read-only sftp user filesystem access, a separate service for read/write sftp user filesystem access, sshd tunneling, unprivileged remote shell access, etc.

This is what PrivSep was supposed to do. sshd could fork an unprivileged and restricted process to do the signature validation, I suppose.

There's a reasonably high chance this was to target a specific machine, or perhaps a specific organization's set of machines. After that it could probably be sold off once whatever they were using it for was finished.

I doubt we'll ever know the intention unless the ABC's throw us a bone and tell us the results of their investigation (assuming they're not the ones behind it).

There aren’t a billion computers running ssh servers and the ones that do should not be exposed to the general internet. This is a stark reminder of why defense in depth matters.

Government organizations have many different teams. One might develop vulnerabilities while another runs operations with oversight for approving use of exploits and picking targets. Think bureaucracy with different project teams and some multi-layered management coordinating strategy at some level.

Private key. In cryptography we distinguish keys which are symmetric (needed by both parties and unavailable to everyone else) as "Secret" keys, with the pair of keys used in public key cryptography identified as the Private key (typically known only to one person/ system/ whatever) and Public key (known to anybody who cares)

Thus, in most of today's systems today your password is a secret. You know your password and so does the system authenticating you. In contrast the crucial key for a web site's HTTPS is private. Visitors don't know this key, the people issuing the certificate don't know it, only the site itself has the key.

I remember this by the lyrics to "The Fly" by the band U2, "They say a secret is something you tell one other person. So I'm telling you, child".

I understand that we may never see the secret knock but shouldn't we have the door and what's behind it now? Doesn't this mean that the code is quite literally too hard to figure out for a human being? It's not like he can send a full new executable binary that he simply executes, then we'd see that the door is e.g the exec() call. Honestly this attempt makes me think that the entire c/c++ language stack and ecosystem is the problem. All these software shenanigans should not be needed in a piece of software like openssh but it's possible because it's written in c/c++.

I could be wrong, buy my understanding is that it isn't even a door. It simply allows anyone that has a certain private key, to send a payload that the server will execute. This won't produce any audit of someone logging in, you won't see any session etc.

Any Linux with this installed would basically become a bot that can be taken over. Perhaps they could send a payload to make it DDoS another host, or payload to open a shell or payload that would install another backdoor with more functionality, and to draw attention away from this one.

In a way this is really responsible backdoor. In the end this is even less dangerous than most unreported 0-days collected by public and private actors. Absurdly, I would feel reasonably safe with the compromised versions. Somebody selling botnet host would never be so careful to limit collateral damage.

It looks like the exploit path calls system() on attacker supplied input, if the check passes. I don't think we need to go into more detail than "it does whatever the attacker wants to on your computer, as root".

This feels very targeted

So unless that key is leaked

But, just for replayability, we could "patch" the exploit with a known key and see what it does, don't we?

It would be really cool if in 20 years when we have quantum computers powerful enough we could see what this exploit does.

I don't understand yet where the "unreplayable" part comes from, but this isn't it.

It's not using RSA. It's hooking RSA. And the attacker's signature is Ed448, not RSA.

Yeah these types of security issues will be used by politicians to force hardware makers to lockdown hardware, embed software in chips.

The go fast startups habit of “import the world to make my company products” is a huge security issue IT workers ignore.

The only solution politics and big tech will chase is obsolete said job market by pulling more of the stack into locked down hardware, with updates only allowed to come from the gadget vendor.

It’s not that we can’t understand it, it’s just that work to understand it is ongoing.

What makes you say that? I haven't started reverse engineerinng it myself, but from all I have read, people who did have a very good understanding of what it does. They just can't use it themselves, because they would need to have the attacker's private key.

beyond the (presumably failed) login attempt

There is some evidence it's scrubbing logs so we might not even have that.

When someone logs into SSH and presents a signed SSH certificate as authentication, those hacked functions are called

So if I only use pubkey auth and ED25519, there's no risk?

Besides this, just to understand it better, if someone tries to login to your server with the attacker's certificate, the backdoor will disable any checks for it and allow the remote user to login as root (or any other arbitrary user) even if root login is disabled in sshd config?

So is the implication here that any system that allows SSH and contains this malicious code is vulnerable?

Thank you for the detailed write up. This made me think, why do we actually let sshd run as root? Would it be possible to only run a very unsophisticated ssh server as root that depending on the user specified in the incoming connection just coordinates that connection to the actual user and let the server run there? This could be so simplistic that a backdoor would more easily be detected.

They'd effectively have a skeleton key that only they could use (or sell) that

this looks more like state sponsored attack and it doesn't look like someone joining and at one point realizing they want to implement this backdoor.

The guy joined the project 2 years ago, developed a test framework (which he then used to hide binary of the backdoor in which appears that is complex and others are still figuring out how it works) then he gradually disabled various security checks before activating it.

Siblings saying "we don't know" haven't really groked the post I don't think.

The reason for saying "we don't know" is not that we don't understand what's detailed in TFA, but that the backdoor embeds a 88 kB object file into liblzma, and nobody has fully reverse engineered and understood all that code yet. There might be other things lurking in there.

We understand it completely. However, since determining the private key that corresponds to the public key embedded in the backdoor is practically infeasible, we can't actually exercise it. Someone could modify the code with a known ed448 private key and exercise it, but the point of having the PoC is to scan the internet and find vulnerable servers.

But at the end of the day, the vast majority of people just don't seek to actively harm others. Everything humans do relies on that assumption, and always has.

https://en.wikipedia.org/wiki/Normalcy_bias ?

It's symptomatic of the insane Silicon Valley vision that the world can and should be managed and controlled at every level of detail. Which is a "cure" that would be much worse than any disease it could possibly prevent.

What "cure" would you recommend?

Honestly this is why I think we should pay people for open source projects. It is a tragedy of the commons issues. All of us benefit a lot from these free software, and done for free. Pay doesn't exactly fix the problems directly, but they do decrease the risk. Pay means people can work on these full time instead of on the side. Pay means it is harder to bribe someone. Pay also makes the people contributing feel better and more like their work is meaningful. Importantly, pay signals to these people that we care about them. I think the big tech should pay. We know the truth is that they'll pass on the costs to us anyways. I'd also be happy to pay taxes but that's probably harder. I'm not sure what the best solution is and this is clearly only a part of a much larger problem, but I think it is very important that we actually talk about how much value OSS has. If we're going to talk about how money represents value of work, we can't just ignore how much value is generated from OSS and only talk about what's popular and well know. There are tons of critical infrastructure in every system you could think of (traditional engineering, politics, anything) that is unknown. We shouldn't just pay things that are popular. We should definitely pay things that are important. Maybe the conversation can be different when AI takes all the jobs (lol)

When you're taking a walk on a forest road, any car that comes your way could just run you over. Chances are the driver would never get caught. There is nothing you can do to protect yourself against it.

Sure you can. You can be more vigilant and careful when walking near traffic. So maybe don't have headphones on, and engage all your senses on the immediate threats around you. This won't guarantee that a car won't run you over, but it reduces the chances considerably to where you can possibly avoid it.

The same can be said about the xz situation. All the linters, CI checks and code reviews couldn't guarantee that this wouldn't happen, but they sure would lower the chances that it does. Having a defeatist attitude that nothing could be done to prevent it, and that therefore all these development practices are useless, is not helpful for when this happens again.

The major problem with the xz case was the fact it had 2 maintainers, one who was mostly absent, and the other who gradually gained control over the project and introduced the malicious code. No automated checks could've helped in this case, when there were no code reviews, and no oversight over what gets merged at all. But had there been some oversight and thorough review from at least one other developer, then the chances of this happening would be lower.

It's important to talk about probabilities here instead of absolute prevention, since it's possible that even in the strictest of environments, with many active contributors, malicious code could still theoretically be merged in. But without any of it, this approaches 100% (minus the probability of someone acting maliciously to begin with, having their account taken over, etc.).

Difference is that software backdoors can effect billions of people. That driver on the road can't effect too many without being caught.

In this case, had they been a bit more careful with performance, they could have effected millions of machines without being caught. There aren't many cases where a lone wolf can do so much damage outside of software.

This is a good take. But even in a forest, sometimes when tragedy strikes people do postmortems, question regulations and push for change.

Sometimes, it does seem like the internet incentivizes or makes everyone else accessible to a higher ratio of people who seem to harm than normal.

But at the end of the day, the vast majority of people just don't seek to actively harm others. Everything humans do relies on that assumption, and always has.

Wholeheartedly agree. Fundamentally, we all assume that people are operating with good will and establish trust with that as the foundation (granted to varying degrees depending on the culture, some are more trusting or skeptical than others).

It's also why building trust takes ages and destroying it only takes seconds, and why violations of trust at all are almost always scathing to our very soul.

We certainly can account for bad actors, and depending on what's at stake (eg: hijacking airliners) we do forego assuming good will. But taking that too far is a very uncomfortable world to live in, because it's counter to something very fundamental for humans and life.

The problem with xz wasn't a small community; it was no community. A single malicious actor got control of the project, and there was little oversight from anyone else.

So because of this a lot of other highly used software was importing and depending on unreviewed code. It's scary to think how common this is. The attack surface seems unmanageable. There need to be tighter policies around what dependencies are included, ensuring that they meet some kind of standard.

then strange behavior and commits that claim to do one thing but actually do something else, are more likely to be spotted earlier than later.

https://en.wikipedia.org/wiki/Underhanded_C_Contest

It's actually an art to writing code like that, but it's not impossible and will dodge cursory inspection. And it's possible to have plausible deniability in the way it is constructed.

I wonder how good automated LLM-based code reviews would be at picking up suspicious patterns in pull requests.

What exactly is a CLA going to do to a CCP operative (as appears to be the case with xz)? Do you think the party is going to extradite one of their state sponsored hacking groups because they got caught trying to implement a backdoor?

Or do you think they don’t have the resources to fake an identity?

CLA is not an ID check. It is to handover the rights for the code over to the project owners rather than doing any identity check.

I actually avoided installing Rust originally because I thought that install page was hijacked by an attacker or something.

Most languages don't have the prettiest install flows, but a random `curl | sh` is just lunacy if you're at all security conscious

yo dawg curl this shit and pipe it to sh so you can RCE while you bike shed someone’s unsafe block

Ahhh this takes me back to... a month ago...[0]

At least rust wraps function in main so you won't run a partial command, but still doesn't there aren't other dangers. I'm more surprised by how adamant people are about that there's no problem. You can see elsewhere in the thread that piping man still could (who knows!) pose a risk. Extra especially when you consider how trivial the fix is, especially when people are just copy pasting the command anyways...

It never ceases to amaze me how resistant people are to very easily solvable problems.

[0] https://news.ycombinator.com/item?id=39556047

It’s worse than that. Build.rs is in no way sandboxed which means you can inject all sorts of badness into downstream dependencies not to mention do things like steal crypto keys from developers. It’s really a sore spot for the Rust community (to be fair they’re not uniquely worse but that’s a fact poor standard to shoot for).

I am definitely not a lawyer so I have no claim to knowing what is or is not a crime. However, if backdooring SSH on a potentially wide scale doesn't trip afoul of laws then we need to seriously have a discussion about the modern world. I'd argue that investigating this as a crime is likely in the best interest of public safety and even (I hesitate to say this) national security considering the potential scale of this. Finally, I would say there is a distinction between writing vulnerable code and creating a backdoor with malicious intent. It appears (from the articles I have been reading so far) that this was malicious, not an accident or lack of skill. We will see over the next few days though as more experts get eyes on this.

It's not simply vulnerable code: it's an actual backdoor. That is malware distribution (without permission) and is therefore illegal.

What is constantly overlooked here on HN is that in legal terms, one of the most important things is intent. Commenters on HN always approach legal issues from a technical perspective but that is simply not how the judicial system works. Whether something is “technically X” or not is irrelevant, laws are usually written with the purpose of catching people based on their intent (malicious hacking), not merely on the technicalities (pentesters distributing examples).

Calling this backdoor "vulnerable code" is a gross mischaracterization.

This is closer to a large scale trojan horse, that does not have to be randomly discovered by a hacker to be exploited, but is readily available for privileged remote code execution by whoever have the private key to access this backdoor.

If CFAA doesn't get this guy behind bars then the CFAA is somehow even worse. Not only is it an overbroad and confusing law, it's also not broad enough to actually handcuff people who write malicious code.

I'd be surprised if the attacker didn't meet the criteria for mens rea.

In the UK, at least, unauthorised access to computer material under section 1 of the Computer Misuse Act 1990 - and I would also assume that it would also fall foul of sections 2 ("Unauthorised access with intent to commit or facilitate commission of further offences") and 3A ("Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA") as well.

Though proving jurisdiction would be tricky...

possible even some arm of the U.S. govt.

Possible. But why mention U.S. specifically? Is it more likely than Russia, Iran, China, France ... ?

To me it seems too clumsy to be USG. They seem to prefer back doors that are undetectable or hide in plain sight.

But it might be an NSA op designed to instigate a much needed serious examination of the supply chain.

Overcomplicated design, sloppy opsec and Eastern European time zone altogether sound more like an attempt to snatch some bitcoins by a small group of people in places.

I would have thought NSA would have hardware/firmware backdoor everywhere and wouldn't need this.

Like that spiderman meme, it's all the NSA

github retains an incredible amount of data to review. but if it is a state actor, they likely covered their tracks very well. when i found the original address of the person who hacked elon musk's twitter account it led to an amazon ec2 instance. that instance was bought with stolen financial information and accessed via several vpns and proxies. i would expect state actors to further obfuscate their tracks with shell companies and the like

Have to admit I've never understood why password auth is considered so much worse than using a cert - surely a decent password (long, random, etc) is for all practical purposes unguessable, and so you're either using a private RSA key that no-one can guess, or a password that no-one can guess, and then what's the difference? With the added inconvenience of having to pass around a certificate if you want to login to the same account from from multiple sources.

According to[1], the backdoor introduces a much larger slowdown, without backdoor: 0m0.299s, with backdoor: 0m0.807s. I'm not sure exactly why the slowdown is so large.

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4

However only probabilistic detection is possible that way and really 100us variance over the internet would require many many detection attempts to discern.

What it does is this: RSA_public_decrypt verifies a signature on the client's (I think) host key by a fixed Ed448 key, and then if it verifies, passes the payload to system().

If you send a request to SSH to associate (agree on a key for private communications), signed by a specific private key, it will send the rest of the request to the "system" call in libc, which will execute it in bash.

So this is quite literally a "shellcode". Except, you know, it's on your system.

Because in the closed source model the frustrated developer that looked into this SSH slowness submits a ticket for the owner of the malicious code to dismiss.

It would actually be sort of interesting if multiple adversarial intelligence agencies could review and sign commits. We might not trust any particular intelligence agency, but I bet the NSA and China would both be interested in not letting much through, if they knew the other guy was looking.

Chad NSA

It's called the ANS is Chad.

this is why microsoft bought github and has been onboarding major open source projects. they will be the trusted 3rd party (whether we like it our not is a different story)

That just…doesn’t make any sense.

Everyone starts from zero and works their way up.

Wouldn't everything produced by an AI explicitly have to be checked/reviewed by a human? If not, then the attack vector just shifts to the AI model and that's where the backdoor is placed. Sure, one may be 50 times more efficient at maintaining such packages but the problem of verifiably secure systems actually gets worse not better.

And be burned out 100x faster

Reminds me of the scene in Fight Club where the unreliable narrator is discussing car defects to a fellow airline passenger.

Quoting from flawed memory:

Passenger: Which company?

Narrator: A large one.

Whoever this was is going after a government or a crypto exchange. Don't think anything else merits this effort.

I would expect a nation state to have better sock puppet accounts though.

Those guys are estimated to have made $1 billion last year - have to think that buys some developer talent.

And risk discovery by the trustworthy developer? Unlikely.

This could be something that agent that infiltrated into companies could use to execute stuff on internal hosts that they have SSH connectivity to but no access.

You could get into bastion hosts and then to PROD and leave no log traces.

I felt really bad for the original maintainer getting dog-piled by people who berated him for not doing his (unpaid) job and basically just bring shame and discredit to himself and the community. Definitely cruel.

Though… do we know that the maintainer at that point was the same individual as the one who started the project? Goes deep, man.

I'm a little out of touch, but for over a decade I'd say half the boxes I touched either didn't have enough entropy or were trying to do rDNS for (internal) ranges to servers that didn't host it and is nearly always hand waved away by the team running it as NFN.

That is to say, a half-second pause during the ssh login is absolutely the _least_ suspicious place place for it to happen and I'm somewhat amazed anyone thought to go picking at it as quickly as they did.

If the payload didn't have a random .5 second hang during SSH login, it would probably not have been found for a long time.

Ironic, how an evil actor failed for a lack of premature optimization :D

Carelessness could arguably a part of operation: testing/probing how thoroughly the community scrutinizes communication from untrusted individuals.

Compared to the overall effort invested, that's careless, badly planned or underfunded.

Not at all. It's a pattern that's very easy to spot while the eyes of the world are looking for it. When it was needed, it worked exactly as it needed to work. Had the backdoor not been discovered, no one would have noticed--just like no one did notice for the past couple of years.

Had anyone noticed at the time, it would have been very easy to just back off and try a different tactic a few months down the line. Once something worked, it would be quick to fade into forgotten history--unlikely to be noticed until, like now, the plan was already discovered.

I think focusing on big organizations (e.g. above certain revenue/profit should help).

There must be some sweet spot, after all, the organizations that rely on it should want it to be maintained as well.

Not really. Just make your software AGPLv3. It's literally the most free license GNU and the FSF have ever come up with. It ensures your freedom so hard the corporations cannot tolerate it. Now you have leverage. If the corporations want it so bad, they can have it. They just gotta ask for permission to use it under different terms. Then they gotta pay for it.

https://www.gnu.org/philosophy/selling-exceptions.html

All you have to do is not MIT or BSD license the software. When you do that, you're essentially transferring your intellectual property to the corporations at zero cost. Can't think of a bigger wealth transfer in history. From well meaning individual programmers and straight to the billionaires.

The BSD style openness only makes sense in a world without intellectual property. Until the day copyright is abolished, it's either AGPLv3 or all rights reserved. Nothing else makes sense.

I'm not sure. I know from working on OSS projects personally that insufficient funds can easily lead to burnout as well. You gotta find other sources of revenue while STILL maintaining your OSS project.

In the case of XZ it was more akin to burnout based on the literature around the time Jia Tan was instated.

same thing; if you have money you can hire people to spread the burden

the 32-bit to 64-bit transition

Lzma is from 2010. Amd64 became mainstream in the mid 2000s.

removal of pre-C89 support

Ibid. Also, at the library API level, c89 compatible code is still pretty familiar to c99 and later.

new architectures like RISC-V

Shouldn't matter for portable C code?

the increasing amount of cores and a slowdown in the increase of per-core speed,

Iirc parallelism was already a focus of this library in the 2010s, I don't think it really needs a lot of work in that area.

I feel like this narrative is especially untrue for things like lzma where the only dependencies are memory and CPU, and written in a stable language like C. I've had similar experiences porting code for things like image formats, audio codecs, etc. where the interface is basically "decode this buffer into another buffer using math". In most cases you can plop that kind of library right in without any maintenance at all, it might be decades old, and it works. The type of maintenance I would expect for that would be around security holes. Once I patched an old library like that to handle the fact that the register keyword was deprecated.

7-Zip supports .xz and keeping its developer Igor Pavlov informed about format changes (including new filters) is important too.

I've always found that dev's name to tilt me.

Funnily enough, the Chinese name was no reason to investigate. It was a performance issue.

Also, to the discussion that a distribution was targeted. Jia advocated Fedora to upgrade to 5.6.x. Fedora is the precursor for RHEL.

Together with the backdoor not working when LANG not set (USA).

Those are two details suggesting the target was USA. Though either or both could've been part of the deception.

They also used social engineering to disable fuzzing which would have caught the discrepancy: https://github.com/google/oss-fuzz/pull/10667

"Backdoor in upstream xz/liblzma leading to ssh server compromise"[0] isn't bad either.

[0]https://www.openwall.com/lists/oss-security/2024/03/29/4

ooh I like this one. I'd propose: backdoordassh

But I wonder if they'd run into trademark issues

This should be it.

It's by far the best, because someone is definitely "LMAO".

Using an SSH key used with GitHub for other purposes than GitHub is not a good practice (even if it's common).

https://github.com/dolmen/github-keygen

What do you mean ?

Yes, but hopefully it does protect Lasse Collin.

Wild guess, but it could be that whoever was behind this was highly motivated but didn't have the skill required to find zerodays and didn't have the connections required to buy them (and distrusted the come one come all marketplaces I assume must exist).

Ed448 is orders of magnitude better NOBUS than hoping that nobody else stumbles over the zero-day you found.

Presumably because other people can also utilize the “bug” they create intentionally but looking inadvertently. This backdoor however is activated by the private key only the attacker has so it’s airtight.

If they seemingly almost succeeded how many others have already done similar backdoor? Or was this actually just poking on things seeing if it was possible to inject this sort of behaviour?

This is a good example of bad logic. It doesn't reek of anything except high quality work. You have an unacknowledged assumption that only nation state actors are capable of high quality work. I think that ultimately you want it to be nation state actors and therefore you see something that a nation state actor would do, so you backtrack that it is a nation state actor. So logically your confirmation bias leads you to affirm the consequent.

I only say this because I'm tired of seeing the brazen assertions of how this has to be nation state hackers. It is alluring to have identified a secret underlying common knowledge. Thats why flat-earthers believe theyve uncovered their secret, or chem trail believers have identified that secret, or vaxxers have uncovered the secret which underlies vaccines. But the proof just isn't there. Dont fall into the trap they fell into.

any competent malware dev would have a panic switch...

if you need to test your own malware that you're developing, do you really want to just run it and disrupt your own system?

It's not uncommon to put in a check that allows the malware to run but be a noop.

without the malicious code and restart

i wonder if the malicious code would've installed a more permanent backdoor elsewhere that would remain after a restart.

I recall things like on windows where malware would replace your keyboard drivers or mouse drivers with their own ones that had the malware/virus, so that even if the original malware is removed, the system is never safe again. You'd have to wipe. And this is not even counting any firmware that might've been dropped.

...maybe list the distros or macOS point releases/paths that you found it on macOS. ;P

It was only in rolling release/testing/unstable distributions, a pretty small subset of systems in the grand scheme of things, is why I said that. It was introduced in February 23 release of xz. This could've been years until discovered.

Never use unstable/testing on real servers, that's a bad idea for entirely different reasons.

Which Distro did you use on the affected devices?

Very few if close to zilch companies are using rolling distros in their critical infra.

That’s not an explanation about exactly how intention was derived.

I suppose I’m asking for the chain of events that led to the conclusion. I see lots of technical hot takes for how something could work, with no validation it does, nor intent behind it.

I’d like to understand what steps we know were taken and how that presents itself.

Thanks for the reply, I was just curious because `RSA_public_decrypt` threw me off.

It was just that it hooks to `RSA_public_decrypt` which threw me off, I didn't really understand this backdoor much. I only have one Debian sid machine which was vulnerable and accessible via a public IPv4 ssh, I'm not sure if I should just wipe it.

I don't think that's what OP is asking. I think OP is asking if wireguard functions could be hooked in the same way as sshd functions are in this exploit.

Well, yes, I can, but unlike ssh which is open to the world, my VPN is only open to me and the family. It seems like that greatly reduces the potential attack surface.

Exactly I don't understand the obsession with Russia

Literally just a country with people like you and me.

"Jia Tan" does not sound Russian

https://boehs.org/node/everything-i-know-about-the-xz-backdo...

Why does it have to be russian? Could be any country, even USA, China.

Are you sure you are replying to right comment? Because they did not implied it was not other country or actor. It even directly starts with 'IF'.

Notably only writable by Lasse who I personally believe is a Good Actor here.

Right now, nothing. The issue didn’t reach mainstream builds except nightly Red Hat and Fedora 41. The xz version affected has already been pulled and won’t be included in any future software versions.

there are other ways for liblzma to get into ssh (via PAM and libselinux)

This is only correct if the sshd backdoor is the only malicious code introduced into the library.

Is Ed448 stronger than Ed25519?

Plus, detection is likely to be be very different.

My sense was this backdoor gets to execute whatever it wants using whatever "user" sshd is running as. So even if root logins are disabled, this backdoor doesn't care.

not only that, but logins show up in logs.

Ha yes. I rely on cloud-provided security groups for that. So I blindly have to believe my provider is immune to supply chain attacks.