Sujet : Re: Malware find in the news: xz related.
De : nunojsilva (at) *nospam* invalid.invalid (Nuno Silva)
Groupes : comp.os.linux.miscDate : 31. Mar 2024, 16:45:08
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <uuc04d$1s3mb$1@dont-email.me>
References : 1 2 3 4 5 6
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
On 2024-03-31, Lew Pitcher wrote:
On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:
>
On Sun, 31 Mar 2024, Computer Nerd Kev wrote:
Computer Nerd Kev <not@telling.you.invalid> wrote:
MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:
>
any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?
>
The code was targeting Debian, and only reached the Testing version
of Debian
>
And RHEL, and of course all the distros based on those (or at least
those using Systemd).
>
>
How is this exploited? Does it require login/pw?
>
An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.
>
However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.
>
So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.
>
HTH
If I understand correctly (please correct me if I'm wrong!), it's a
certificate, not a key. While this may sound like nitpicking, in this
case it seems to matter a lot, because for *certificates*, the hijacked
function is invoked even if certificate authentication is not enabled.
https://bugzilla.mindrot.org/show_bug.cgi?id=3675-- Nuno Silva
Malware find in the news: xz related.
Re: Malware find in the news: xz related.
