Sujet : Re: Malware find in the news: xz related.
De : dwhodgins (at) *nospam* nomail.afraid.org (David W. Hodgins)
Groupes : comp.os.linux.miscDate : 31. Mar 2024, 17:41:17
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <op.2liba3kla3w0dxdave@hodgins.homeip.net>
References : 1 2 3 4
User-Agent : Opera Mail/12.16 (Linux)
On Sun, 31 Mar 2024 12:26:20 -0400, Rich <
rich@example.invalid> wrote:
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 3/31/24 08:38, John McCue wrote:
Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.
>
My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.
>
Yes, this seems to have been part of the "connection".
>
Purportedly sshd itself doesn't use xz.
>
It does not. Directly that is.
>
But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.
>
Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.
>
As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have
-> use systemd.
>
They are not, because their OpenSSH is not linked to libxz/lzma in any
way.
The link to systemd is an after the fact detail. Likely systemd was intended
as another target, but the attack was caught before it got that far.
The key in deciding whether or not a distribution is impacted, is whether
or not it includes version 5.6.0 or 5.6.1 of xz.
The remote code execution is in those versions of the xz package.
Once the RCE is available, ssh is vulnerable as sshd supports compression
and xz is one option for compression. It doesn't matter whether xz is linked
in to sshd or called at run time to decompress the data.
https://gynvael.coldwind.pl/?lang=en&id=782https://tukaani.org/xz-backdoor/The RCE just happened to be found while running detailed timing tests that
included sshd with xz compression support. It impacts anything that supports
using xz as a compression utility, or any xz decompression of untrusted input
by an end user or other system service.
Regards, Dave Hodgins
Malware find in the news: xz related.
Re: Malware find in the news: xz related.
