xz saga: a cautionary tale

In case you haven't heard, an attacker attempted to install a backdoor on most Linux systems by compromising xz, a small open-source project maintained by a single unpaid developer since at least 2009. The backdoor would have allowed a remote attacker holding a predetermined private key to hijack the SSH daemon and execute arbitrary malicious commands on the machine. The full timeline of events can be found here.


Cautionary Takeaway #1:

As with the case of Apache Log4j, the incident once again highlights the reliance on open-source software and volunteer-run projects, and the consequences that could entail should they suffer a compromise or have a major vulnerability.

~ The Hacker News

xkcd

Cautionary Takeaway #2:

Base OpenSSH, as delivered from the OpenSSH project, doesn’t require any third-party libraries for default functionality. Probably due to some unknown business motivations, sshd in some distributions has been linked against a universe of libraries under the guise of “increasing functionality”. Every time a dependency is linked into an application like this, the application inherits all the bugs and issues of that dependency. The presumed reason for linking xz, in this case, was to have sshd become more easily controllable by systemd. This decision is what exposed these distributions to the backdoor. As systemd slowly consumes the Linux universe, we’ll see more and more of this.

~ Security Boulevard

Update: Ubuntu and Debian have removed libsystemd from OpenSSH.
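The point of the quote above is that a program inherits every library in its dependency closure, not just the ones it links directly. The first defensive check is therefore to see what actually gets loaded into sshd. The script below is an added example, not code from the original post or from any of the quoted outlets: it scans ldd-style output for libsystemd and liblzma (the xz library) and wraps that around a real binary. The sample ldd output and the library paths in it are constructed for offline demonstration.

```bash
#!/bin/sh
# Added example (not from the original post): does a binary's dynamic
# dependency closure pull in libsystemd or liblzma (the xz library)?
# A program inherits the bugs of everything linked into it, so knowing
# the closure is the starting point for deciding what to patch urgently.

# Reads ldd-style lines ("libname.so => /path (0xaddr)") on stdin and
# prints the matching ones. Returns 0 if any flagged library appears,
# 1 if the closure is clean.
flag_inherited_deps() {
    hits=$(grep -E 'lib(systemd|lzma)\.so' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Wrapper for a real binary (default: /usr/sbin/sshd). ldd resolves the
# full transitive closure, so liblzma shows up even when only libsystemd
# needs it. Returns 0 if flagged, 1 if clean, 2 if the binary is missing.
check_binary() {
    bin="${1:-/usr/sbin/sshd}"
    if [ ! -x "$bin" ]; then
        echo "not found or not executable: $bin" >&2
        return 2
    fi
    if ldd "$bin" 2>/dev/null | flag_inherited_deps; then
        echo "$bin: inherits the libraries above; patch them as urgently as sshd itself"
        return 0
    fi
    echo "$bin: no libsystemd/liblzma in dependency closure"
    return 1
}

# Constructed sample ldd output (paths and addresses are illustrative).
SAMPLE_LDD_LINKED='linux-vdso.so.1 (0x00007ffd1c3f0000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2c400000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2c3c0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)'

SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffd1c3f0000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c400000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD_LINKED" | flag_inherited_deps && echo "(sample 1: flagged)"
printf '%s\n' "$SAMPLE_LDD_CLEAN"  | flag_inherited_deps || echo "(sample 2: clean)"
# On a real host, run:  check_binary /usr/sbin/sshd
```

The check is deliberately about the closure rather than the direct link list: on the affected distributions sshd never referenced liblzma itself; it reached liblzma only through libsystemd, which is exactly the inheritance the quote warns about.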


Cautionary Takeaway #3:

Red Hat confirmed that the affected software had not been widely utilized in Linux distributions, however. The exceptions are the Linux distributions that typically bring in new packages as soon as they are available, such as Fedora Rawhide and Debian unstable, which have been impacted by the hack.

~ CRN


Cautionary Takeaway #4:

Look how brilliantly they selected their target project:

(1) xz and the lib are widely used in the wild, including the Linux kernel, systemd, OpenSSH; (2) single maintainer, low rate of maintenance; (3) the original maintainer has other problems in his life distracting him from paying closer attention to the project.

I am wondering how many other OSS projects look similar and can be targeted in similar ways?

~ Hacker News
