Our great sponsors
-
-
xz
Discontinued XZ Utils [GET https://api.github.com/repos/tukaani-project/xz: 403 - Repository access blocked]
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
I think this analysis is more interesting if you consider these two events in particular:
2024-02-29: On GitHub, @teknoraver sends pull request to stop linking liblzma into libsystemd.[1]
2024-03-20: The attacker is now a co-contributor for a patchset proposed to the Linux kernel, with the patchset adding the attacker as a maintainer and mirroring activity with xz-utils.
A theory is that the attacker saw the sshd/libsystemd/xz-utils vector as closing soon with libsystemd removing its dependency on xz-utils. When building a Linux kernel image, the resulting image is compressed by default with gzip [3], but can also be optionally compressed using xz-utils (amongst other compression utilities). There's a lot of distributions of Linux which have chosen xz-utils as the method used to compress kernel images, particularly embedded Linux distributions.[4] xz-utils is even the recommended mode of compression if a small kernel build image is desired.[5] If the attacker can execute code during the process of building a new kernel image, they can cause even more catastrophic impacts than targeting sshd. Targeting sshd was always going to be limited due to targets not exposing sshd over accessible networks, or implementing passive optical taps and real time behavioural analysis, or receiving real time alerts from servers indicative of unusual activity or data transfers. Targeting the Linux kernel would have far worse consequences possible, particularly if the attacker was targeting embedded systems (such as military transport vehicles [6]) where the chance of detection is reduced due to lack of eyeballs looking over it.
[1] https://github.com/systemd/systemd/pull/31550
[2] https://lkml.org/lkml/2024/3/20/1004
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...
[4] https://github.com/search?q=CONFIG_KERNEL_XZ%3Dy&type=code
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...
[6] https://linuxdevices.org/large-military-truck-runs-embedded-...
In https://archive.softwareheritage.org/browse/revision/e446ab7...
Not just for hardware support: https://github.com/serde-rs/serde/issues/2538
Related posts
- The xz sshd backdoor rabbithole goes quite a bit deeper
- Deploying a secured Node.js Application on AWS EC2 Instance from scratch (Detailed Guide)
- Latest Zen Kernel......
- Spaceman: A gRPC client from another world. Comes both as a CLI and as a GUI built with Tauri and Yew.rs
- How do you manage configuration in rust?