
Re: xz backdoor



On Fri, 2024-04-05 at 20:47 +0200, Sirius:
> > If there is a final result, can we as a project share the results in a
> > prominent place? Or at least on d-devel-announce and/or d-security-
> > announce? I was also wondering about what could have been compromised,
> > what data might have been stolen, etc. And there are so many sources to
> > follow right now. So sharing the final results would be great.
> 
> If you have followed the discussion on the Openwall ML, there have been a
> couple of posts that point at both a general overview of what the code
> did, an analysis of how the data was hidden in the 'corrupt' xz archive
> under testing, and some analysis of the actual .o which suggested this was
> not just a backdoor but almost a remote-code-execution portal.

I've also tried to follow the various lists and the RE efforts on Discord.
My understanding is that this hasn't been completed yet, and while
people seem to *believe* that it looks as if the backdoor didn't
do anything other than wait for commands sent to an sshd (which
might make all people safe that haven't had sshd running, or at least
not publicly listening), that's not yet 100% sure, or is it?

And given how much effort these attackers spent on hiding the stuff, it
doesn't seem impossible that they hid even more.


I'd think that most servers are safe, simply because they typically run
stable.
But I guess many people run their personal computers on some
rolling/unstable release.


So I fully agree with Daniel Leidert that it would be really nice if
there was - eventually, once the reverse engineering has been finished -
some form of official confirmation of whether and when people that had
the compromised xz-utils installed may feel 100% safe, or were possibly
pwned.


Especially:
- whether any hidden calling home was found (so far not, but this may
  e.g. happen only under special conditions, like some matching host
  or user names), which would possibly compromise private keys, etc.
- whether any commands could have automatically been pulled from remote
- whether any attack vectors other than via sshd were found
- whether some other forms of infestation (adding a new user, keys to
  authorized_keys, etc.) were possible

or whether all that can be ruled out for sure.

And whether that has been confirmed for both versions of the malware
that were distributed.

In short:
- Can people that had it, but had no sshd running and/or had it only
  running behind some firewall/NAT/etc., feel 100% safe that they were
  not further compromised?

And while it wouldn't affect me personally, some have also asked
whether:
- They'd be safe if access to sshd was only restricted via
  hosts.allow/hosts.deny.


Last but not least, it would be nice if Debian had some trustworthy
experts which can actually confirm those findings.
No offence meant against those people doing the reverse engineering,
but in principle anyone on the internet could just claim anything and
make people wrongly feel safe.



Cheers,
Chris.
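The message above asks how someone can tell whether they ever had the compromised xz-utils installed and whether their sshd was reachable at all. The following triage script is an added example and not code from this thread or from the Debian project. It assumes Debian-style package version strings (epoch, upstream version, Debian revision) and `ss -ltn` style socket listings; the two affected upstream releases it checks for, 5.6.0 and 5.6.1, come from the public advisory for the xz backdoor (CVE-2024-3094), not from this message. The `ldd` check reflects the publicly described loading path (sshd pulling liblzma in through libsystemd); it does not prove or rule out exploitation.

```shell
#!/bin/sh
# Added triage example for the xz-utils backdoor; not from the original thread.
# Assumptions: Debian-style version strings, `ss -Hltn` output format, and the
# affected upstream releases 5.6.0 / 5.6.1 as listed in the public advisory
# (CVE-2024-3094). A "not affected" result here only covers the package
# version and exposure, nothing about what an attacker may have done.

# Return 0 if VERSION (e.g. "5.6.1-1" or "1:5.6.0-0.2") is one of the two
# known-backdoored upstream releases. Epoch and Debian revision are stripped.
xz_version_affected() {
    v=$1
    v=${v#*:}      # drop epoch ("1:"), if present
    v=${v%%-*}     # drop Debian revision ("-1"), if present
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the text of `ss -Hltn` (listening TCP sockets, no header line), return
# 0 if something is bound to port 22 on an address other than loopback.
# Field 4 is "Local Address:Port", e.g. "0.0.0.0:22", "[::]:22", "127.0.0.1:22".
sshd_exposed() {
    printf '%s\n' "$1" | awk '
        {
            n = split($4, a, ":"); port = a[n]
            addr = $4; sub(/:[0-9]+$/, "", addr)
        }
        port == "22" && addr != "127.0.0.1" && addr != "[::1]" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample socket listing (not captured from a real host): sshd on
# all interfaces plus an unrelated loopback-only service.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1234,fd=4))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*'

# Run the checks on the constructed sample; returns 0 if the sample shows an
# exposed sshd and an affected version together.
demo_constructed() {
    xz_version_affected "5.6.1-1" && sshd_exposed "$SAMPLE_SS"
}

# Run the checks against the live system. Only invoked when XZ_TRIAGE_LIVE=1 so
# the script can be sourced or executed on hosts without dpkg/ss.
triage_live() {
    ver=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) || ver=unknown
    if xz_version_affected "$ver"; then
        echo "liblzma5 $ver: a backdoored release is/was installed"
    else
        echo "liblzma5 $ver: not a known-backdoored release"
    fi
    # Does sshd load liblzma at all (directly or transitively via libsystemd)?
    sshd_bin=$(command -v sshd 2>/dev/null)
    if [ -n "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        echo "sshd links liblzma, so the hook could have been reached"
    fi
    if sshd_exposed "$(ss -Hltn 2>/dev/null)"; then
        echo "port 22 is listening on a non-loopback address"
    fi
}

if [ "${XZ_TRIAGE_LIVE:-0}" = 1 ]; then
    triage_live
fi
```

Run with `XZ_TRIAGE_LIVE=1 sh triage.sh` on the host in question. Note that a dpkg version check only tells you what is installed now; whether 5.6.0 or 5.6.1 was ever present has to come from `/var/log/dpkg.log` or `/var/log/apt/history.log`, and a firewall, NAT or hosts.allow rule in front of port 22 is not visible to this script.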

