Neues Video von #Simplicissimus: „Eine Gruppe Hacker hätte sich beinahe Zugang zu Millionen von Servern auf der ganzen Welt verschafft. Doch ein deutscher Software-Entwickler hat ihnen einen Strich durch die Rechnung gemacht.“
https://www.youtube.com/watch?v=8p8PHeGg--U
Hintergrund: https://de.wikipedia.org/wiki/CVE-2024-3094
#xz #linux #opensource #quelloffen #backdoor #github #CVE20243094 #ssh
Recent searches
Search options
#cve20243094
0 posts0 participants0 posts today
#XZUtils 5.6.2 (stable) has been released (#xz / #LZMAUtils / #LZMA / #LZMA2 / #DataCompression / #CVE / #CVE20243094) https://tukaani.org/xz/
tukaani.orgXZ Utils
Replied in thread
@jrt @ph0lk3r @hisolutions @HonkHase
Vielen Dank für den Aufschrieb. Ich hoffe, dass jemand aus dieser Vorlage einen Krimi macht.
Hättet ihr Lust, das als szenische Lesung oder (Socken-)Puppentheater beim #38c3 aufzuführen?
The xz Issue Isn’t About Open Source | The Changelog
https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source
#rr #xz #cve20243094 #OpenSource
The Changelog · The xz Issue Isn’t About Open SourceYou’ve probably heard of the recent backdoor in xz. There have been a lot of takes on this, most of them boiling down to some version of: The problem here is with Open Source Software. I want…
Putting an xz Backdoor Payload in a Valid RSA Key | rya.nc
rya.nc · Putting an xz Backdoor Payload in a Valid RSA KeyLast week, a backdoor was discovered in xz-utils. The backdoor processes commands sent using RSA public keys as a covert channel. In order to prevent anyone else from using the backdoor, the threat…
Continued thread
[Announcement] "Xz/liblzma security update (post #2)" from the Ubuntu developers regarding #cve20243094
https://discourse.ubuntu.com/t/xz-liblzma-security-update-post-2/43801?u=popey
Critical XZ Utils Backdoor (CVE-2024-3094) Leads to SSH Compromise https://thecyberexpress.com/xz-utils-backdoor-cve-2024-3094/ #remotecodeexecution #TheCyberExpressNews #SSHauthentication #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE20243094 #XZUtils
This really was a well thought out supply chain attack. Jia Tan submitted a PR for OSS-Fuzz back in July 2023 to intentionally ignore the IFUNC feature which is used (maliciously) to perform runtime hooking/redirection of OpenSSH's authentication routines.
#cve20243094 https://www.reversinglabs.com/blog/a-software-supply-chain-meltdown-what-we-know-about-xz-trojan
ReversingLabsA software supply chain meltdown: What we know about the XZ TrojanSoftware tampering and social engineering were used in a months-long campaign to plant malicious code in major Linux distributions. Here's what we know.
Perhaps the long con is an even longer con in which an attacker attempts to drive many #infosec people into burnouts over time by hiding malware in packages that are then discovered just before holiday weekends.
Security Week 2414: последствия взлома xz-utils
История со взломом набора утилит xz-utils, несомненно, войдет в категорию легендарных событий в сфере информационной безопасности. Эта тщательно спланированная атака на цепочку поставок была в шаге от полного успеха. Могла быть реализована ситуация, когда десятки и сотни тысяч систем на базе Linux имеют в своем коде скрытый бэкдор, задействуемый организаторами атаки с помощью известного им приватного ключа. Поражает как сложность самой атаки, так и неординарная история обнаружения бэкдора. Последнее все же заставляет надеяться, что сообщество разработчиков открытого ПО найдет средства противодействия подобным атакам в будущем. Таймлайн атаки достаточно подробно описан на Хабре здесь (еще одна обновляемая статья — тут ), подверженные дистрибутивы приведены здесь , в этой статье мы постараемся выделить самые важные моменты и попробуем представить, как это повлияет на разработку ПО с открытым исходным кодом.
ХабрSecurity Week 2414: последствия взлома xz-utilsИстория со взломом набора утилит xz-utils, несомненно, войдет в категорию легендарных событий в сфере информационной безопасности. Эта тщательно спланированная атака на цепочку поставок была в шаге от...
Achtung Linux Nutzer: Backdoor in XZ-Tarballs entdeckt - MichlFranken
https://www.michlfranken.de/linux-backdoor-xz-tarballs-entdeckt/
MichlFranken · Achtung Linux Nutzer: Backdoor XZ-Tarballs entdeckt - MichlFrankenTechnik-Blog für Linux, Unix, Open Source, Cloud Computing, Nachhaltigkeit und Co.
Nice! @amlw wrote a PoC exploit and a honeypot for the xz backdoor.
Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...
It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.
Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.
You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!
You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now its just a matter of weeks before it makes it to production and stable releases!
This is the culmination of years of labor and planning and of a massive team and budget.
You did good.
This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understsnd why you haven't been at home lately and why you've spent all those late nights at the office.
It's finally going to pay off.
But what's this?! Some rando poking around in their box running a pre-release unstable version of linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!
Fuck. Fuck. FUCK!!!
Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!
Leadership took a big risk on me and my team but I kept assuring them it would pay off!
It would be one thing if another nation state found it and stopped it. But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!
Oh fuck!!!
#JustInCase I have mirrored @thesamesam gist at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 (the xz backdoor/exploit FAQ) locally and on https://codeberg.org/jwildeboer/gists/src/branch/main/20240401CVE20243094FAQMirror.md Will setup some sort of automatic update script later. I don't think Github will somehow interfere with this FAQ, but hey, better safe than sorry and stuff :)
This is just a FYI. Please do NOT use my manual mirror of the FAQ and bookmark ONLY the original source.
Gistxz-utils backdoor situation (CVE-2024-3094)xz-utils backdoor situation (CVE-2024-3094). GitHub Gist: instantly share code, notes, and snippets.
Advice to the entire IT industry: Andres Freund needs to get very very rich.
The only resource large enough, skilled enough or obsessive enough to prevent many (MANY) more of these is The Crowd, as in “crowd-sourcing”.
How do you motivate all the nerds on earth to scour every significant code-base obsessively, forever?
Bug bounties. You fucking pay them.
How much? A small % of what they just saved you.
The xz backdoor could have cost the world billions or trillions.
#CVE20243094 #xzbackdoor #xz
Dave Millar Anyone familiar with #BusyBox know if it's affected by CVE-2024-3094? #Linux #CVE #cve20243094
Hello #Forgejo admins,
We've published a post regarding the impact of the xz backdoor (CVE-2024-3094) on the Forgejo project.
https://forgejo.org/2024-03-xz/
forgejo.orgImpact of CVE-2024-3094 on Forgejo
#HardenedBSD is unaffected by the xz backdoor: https://hardenedbsd.org/article/shawn-webb/2024-03-29/hardenedbsd-unaffected-cve-2024-3094-backdoor-xzlzma-560561
However, users making use of the #Linux syscall compat layer (`linux.ko` and `linux64.ko`) would be well-served by auditing their Linux environments.
hardenedbsd.orgHardenedBSD Unaffected By CVE-2024-3094 (Backdoor in xz/lzma 5.6.0/5.6.1) | HardenedBSD
Wünsche Euch frohe Feiertage, ohne solche faulen Eier 
Damit keine Panik ausbricht, Der #xzorcist getaufte #cve20243094 der Versionen xz 5.6.x erlaubt ssh RCE über den RSA Key 
ABER
"In stabile Debian- oder Ubuntu-Versionen hat die Hintertür es nicht geschafft, ...
Der macOS-Paketmanager Homebrew hingegen ist nicht direkt betroffen."
Termux/Gentoo Pakete bitte updaten.
Heise Medien on Mastodonheise Security (@heisec@social.heise.de)xz-Attacke: Hintertür enträtselt, weitere Details zu betroffenen Distros
Experten halten die Hintertür in liblzma für den bis dato ausgeklügeltesten Supplychain-Angriff. Er erlaubt Angreifern, aus der Ferne Kommandos einzuschleusen.
https://www.heise.de/news/xz-Attacke-Hintertuer-entraetselt-weitere-Details-zu-betroffenen-Distros-9671588.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon
#Debian #Fedora #Linux #LinuxDistribution #OpenSource #Opensuse #RedHat #Security #SSH #Ubuntu #news