Subject: Re: Malware find in the news: xz related.
From: not (at) *nospam* telling.you.invalid (Computer Nerd Kev)
Newsgroups: comp.os.linux.misc
Date: 31 Mar 2024, 01:00:44
Organization: Ausics - https://newsgroups.ausics.net
Message-ID: <6608a7ac@news.ausics.net>
References: 1 2
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
Eli the Bearded <*@eli.users.panix.com> wrote:
> The initial report is quite readable:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> Found because someone was trying to benchmark something else and ssh was
> using noticeable cpu. An exploit hidden by a multi-year contributor who
> got promoted to maintainer. The exploit is hidden in a "bad" xz
> compressed "test" file, a simple use of `tr` repairing the file. Today's
> exploit specifically targets sshd on Debian, but there's no reason to
> think that this was a final target instead of a first target.
True, though that post does mention that the exploit actually
relies on a Debian patch to OpenSSH which causes sshd to be linked
to the XZ compression library via a dependency on libsystemd:
"openssh does not directly use liblzma. However debian and several
other distributions patch openssh to support systemd notification,
and libsystemd does depend on lzma."
This post provides a patch for starting a child process from sshd
to talk to Systemd then exit, instead of linking the SSH server
to libsystemd directly. So it's not the only way that Systemd
integration can be done by distros (if they feel compelled to do it
at all).
https://www.openwall.com/lists/oss-security/2024/03/29/23
They also point out how many libraries are unnecessarily linked to
sshd by existing distro patches. On RHEL 9.x they say "ldd sshd"
lists 28 dynamically-linked libraries, but for their "Rocky Linux
SIG/Security override package" they've got it down to 13.
On Debian 11 (bookworm) with OpenSSH_8.4p1 I see by running ldd on
/sbin/sshd that it's linked to 31 libraries. But on Tiny Core Linux
14, which doesn't use Systemd, OpenSSH_9.5p1 links to only 8
libraries, and doesn't link to liblzma.
On OpenWRT 23 I use Dropbear v2022.82 and ldd shows that it links
to just 3 libraries!
So the attack surface of the SSH server process varies wildly
between distros. Indeed my first thought when I read about this was
"Huh, I didn't know that OpenSSH supported XZ compression". Turns
out it doesn't, but Systemd does.
-- __ __#_ < |\| |< _#
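The check the post does by hand (running ldd on sshd, counting the libraries, and looking for liblzma) can be scripted. The script below is an added example and is not code from the post or from any of the projects mentioned. It parses ldd(1) output with awk, counts the shared objects, and flags libsystemd and liblzma; the ldd output embedded in it is constructed for illustration, not captured from a real system, and the sshd paths it probes (/usr/sbin/sshd, /sbin/sshd) are assumptions about where a distro installs the daemon.

```shell
#!/bin/sh
# Added example (not from the post): count the shared libraries an sshd
# binary pulls in and flag libsystemd / liblzma, as the post does with ldd.

# Parse ldd(1) output on stdin and print one library name per line.
# ldd prints three kinds of lines:
#   "libfoo.so.1 => /lib/.../libfoo.so.1 (0x...)"  resolved by the loader
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"           absolute path, no "=>"
#   "linux-vdso.so.1 (0x...)"                       vDSO, no file on disk
ldd_libs() {
    awk '
        /=>/               { print $1; next }
        /^[[:space:]]*\//  { n = split($1, p, "/"); print p[n]; next }
        NF                 { print $1 }
    '
}

# Number of shared objects in ldd output given on stdin.
ldd_count() { ldd_libs | grep -c .; }

# Return 0 if ldd output on stdin lists the named library (e.g. liblzma).
ldd_has() { ldd_libs | grep -q "^$1\.so"; }

# Constructed sample resembling ldd on a distro-patched sshd (not real
# output from any system): libsystemd drags in liblzma.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0c4a000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0c49f00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c49e00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c49c00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0c4a200000)'

# Constructed sample resembling a small SSH server without systemd support.
SAMPLE_LDD_MINIMAL='    libc.so.6 => /lib/libc.so.6 (0x00007f1100000000)
    /lib/ld-linux.so.2 (0x00007f1100200000)'

# Run ldd on a binary, print a summary, and return 1 if liblzma is linked.
check_sshd() {
    out=$(ldd "$1" 2>/dev/null) || { echo "ldd failed on $1"; return 2; }
    n=$(printf '%s\n' "$out" | ldd_count)
    echo "$1: $n shared libraries"
    for lib in libsystemd liblzma; do
        if printf '%s\n' "$out" | ldd_has "$lib"; then
            echo "  links $lib"
        fi
    done
    if printf '%s\n' "$out" | ldd_has liblzma; then
        return 1
    fi
    return 0
}

# Usage: show the counts for the two constructed samples, then check the
# local sshd if one is installed at an assumed path.
printf 'sample (systemd-patched): %s libraries\n' "$(printf '%s\n' "$SAMPLE_LDD" | ldd_count)"
printf 'sample (minimal):         %s libraries\n' "$(printf '%s\n' "$SAMPLE_LDD_MINIMAL" | ldd_count)"
for candidate in /usr/sbin/sshd /sbin/sshd; do
    if [ -x "$candidate" ]; then
        check_sshd "$candidate"
    fi
done
```

A non-zero return from check_sshd is the signal worth alerting on: a liblzma dependency in sshd means the XZ library is loaded into the authentication process, which is exactly the path the backdoor used. The count alone is a rough attack-surface metric, as the post's comparison of distros suggests.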