this post was submitted on 29 Mar 2024
180 points (100.0% liked)

Free and Open Source Software

17779 readers
19 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
Gaywallet@beehaw.org
alyaza@beehaw.org
180
A backdoor in xz (current versions are impacted) (lwn.net)
submitted 5 months ago* (last edited 5 months ago) by brie@beehaw.org to c/foss@beehaw.org
16 comments fedilink hide all child comments
 

TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro's specific instructions of what to do.

https://news.opensuse.org/2024/03/29/xz-backdoor/

Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.

In summary, the conditions for exploitation seem to be:

  • xz version 5.6.0 or 5.6.1
  • SSH with a patch that causes xz to be loaded
  • SSH daemon enabled

Impact on distros

  • Arch Linux: Backdoor was present, but shouldn't be able to activate. Updating is still strongly recommended.

  • Debian: Testing, Unstable, and Experimental are affected (update to xz-utils version 5.6.1+really5.4.5-1). Stable is not affected.

  • Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of xz). Fedora 39 is not affected.

  • FreeBSD: Not affected.

  • Kali: Affected.

  • NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.

  • OpenSUSE: Tumbleweed and MicroOS are affected. Update to liblzma5 version 5.6.1.revertto5.4. Leap is not affected.

CVE-2024-3094

you are viewing a single comment's thread
view the rest of the comments
[–] furrowsofar@beehaw.org 8 points 5 months ago* (last edited 5 months ago) (3 children)

Why ssh? Does ssh use xz?

[–] jack@monero.town 14 points 5 months ago

Ssh uses systemd and systemd uses lzma (xz)

[–] ptz@dubvee.org 12 points 5 months ago

Not directly, but it's often integrated with systemd which does.

What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts.

https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/

[–] outbound@lemmy.ca 4 points 5 months ago

Yes. ssh's RSA encryption uses liblzm.