Subject: Re: Malware find in the news: xz related.
From: gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.misc
Date: 31 Mar 2024, 20:36:03
Organization: TNet Consulting
Message-ID : <uucdv3$47g$3@tncsrv09.home.tnetconsulting.net>
User-Agent : Mozilla Thunderbird
On 3/31/24 11:41, David W. Hodgins wrote:
> The link to systemd is an after the fact detail. Likely systemd was intended as another target, but the attack was caught before it got that far.
I don't think it's proper to consider something to be after the fact when it is an integral link in the chain for the vulnerability to be exploitable.
> The key in deciding whether or not a distribution is impacted is whether or not it includes version 5.6.0 or 5.6.1 of xz.
I agree that it's possible for a non-systemd distro to have the bad versions of xz.
But it is almost certain that OpenSSH on that non-systemd distro won't be affected because it doesn't have support for xz in sshd.
The sshd vector requires all three components, sshd and systemd and xz.
If you remove systemd from that chain, sshd doesn't have xz in it and as such sshd isn't vulnerable to this attack even if the vulnerable xz is on the system.
At least that's my understanding.
> The remote code execution is in those versions of the xz package.
And that RCE in the xz package isn't incorporated into sshd on non-systemd distros.
> Once the RCE is available, ssh is vulnerable as sshd supports compression and xz is one option for compression.
OpenSSH / sshd upstream doesn't support xz as a compression.
Some distros have modified to make OpenSSH / sshd play nicer with systemd and it's that modification that pulls xz in as a dependency.
So if your OpenSSH / sshd isn't "enhanced" (scoff) to support systemd, then it will not have xz support. If your OpenSSH / sshd doesn't have xz support, then it's not vulnerable to the xz compromise.
> It doesn't matter whether xz is linked in to sshd or called at run time to decompress the data.
https://gynvael.coldwind.pl/?lang=en&id=782
https://tukaani.org/xz-backdoor/
> The RCE just happened to be found while running detailed timing tests that included sshd with xz compression support. It impacts anything that supports using xz as a compression utility, or any xz decompression of untrusted input by an end user or other system service.
I question the veracity of that.
There may be a root hole in xz that matches what you say.
But my understanding of the xz RCE is that it is specifically written for xz to be indirectly pulled into OpenSSH / sshd via systemd and that it is expecting very specific behavior / assumptions. I seriously doubt that those assumptions will be valid in other things.
Could the root hole in xz be abused as a gadget to target other things besides sshd-modified-for-systemd? Probably. Or at least it conceptually could have if it hadn't been discovered.
-- Grant. . . .
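The sshd -> libsystemd -> liblzma chain the post argues over, turned into a host check. This is an added example, not code from the original post and not the xz or OpenSSH projects' own tooling. It assumes the two release numbers the thread names (5.6.0 and 5.6.1), that `ldd` on the sshd binary lists transitive libraries (so liblzma shows up even though sshd itself only NEEDs libsystemd), and that `xz --version` prints a `liblzma <version>` line. The ldd and `xz --version` samples are constructed for illustration; the verdict labels (EXPOSED, UPGRADE-XZ, CLEAN) are this example's own, not anyone's advisory wording.

```shell
#!/bin/sh
# Added example (not from the post, xz, or OpenSSH): does this host's sshd sit on the
# sshd -> libsystemd -> liblzma chain, and is the installed liblzma one of the two
# releases named in the thread? The text-processing functions take their input as a
# string argument so they can be exercised on constructed samples; check_live_host()
# runs the real ldd / xz commands when invoked with --live.

# True (exit 0) only for the two releases the thread identifies as backdoored.
xz_version_is_backdoored() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the liblzma version from `xz --version` output passed as one string.
# Assumption: the output contains a line of the form "liblzma 5.6.1".
liblzma_version_from_output() {
  printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# Classify ldd output passed as one string. ldd lists transitive dependencies, so a
# distro-patched sshd that NEEDs libsystemd will also show liblzma here.
# (readelf -d shows only direct NEEDED entries and would miss the liblzma hop.)
classify_ldd_output() {
  lzma=no; sd=no
  case "$1" in *liblzma.so*) lzma=yes ;; esac
  case "$1" in *libsystemd.so*) sd=yes ;; esac
  if [ "$lzma" = yes ] && [ "$sd" = yes ]; then
    echo liblzma-via-libsystemd      # the chain the thread describes
  elif [ "$lzma" = yes ]; then
    echo liblzma-direct              # liblzma present without libsystemd
  else
    echo no-liblzma                  # upstream-style sshd: xz never enters the process
  fi
}

# Combine the two facts. Labels are this example's own:
#   EXPOSED     backdoored liblzma on the system AND sshd loads it
#   UPGRADE-XZ  backdoored liblzma installed, but sshd does not load it (non-systemd distro)
#   CLEAN       installed liblzma is not one of the two named releases
sshd_verdict() {
  ver="$1"; chain="$2"
  if ! xz_version_is_backdoored "$ver"; then
    echo CLEAN
    return 0
  fi
  case "$chain" in
    no-liblzma) echo UPGRADE-XZ ;;
    *)          echo EXPOSED ;;
  esac
}

# Constructed sample: ldd of an sshd patched to link libsystemd (addresses are made up).
SAMPLE_LDD_SYSTEMD='    linux-vdso.so.1 (0x00007ffd8a1fe000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a4c200000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a4c140000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a4c100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a4be00000)'

# Constructed sample: ldd of an unpatched (upstream-style) sshd, no libsystemd hop.
SAMPLE_LDD_UPSTREAM='    linux-vdso.so.1 (0x00007ffd8a1fe000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a4c200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a4be00000)'

# Constructed sample of `xz --version` output on a host carrying a named release.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run the real commands on this host. Note that ldd executes the dynamic loader on the
# target; that is fine for the system sshd but not for arbitrary untrusted binaries.
check_live_host() {
  bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ ! -x "$bin" ]; then
    echo "sshd not found; nothing to check"
    return 0
  fi
  ver=$(liblzma_version_from_output "$(xz --version 2>/dev/null)")
  chain=$(classify_ldd_output "$(ldd "$bin" 2>/dev/null)")
  echo "sshd=$bin liblzma=${ver:-unknown} chain=$chain verdict=$(sshd_verdict "$ver" "$chain")"
}

if [ "${1:-}" = "--live" ]; then
  check_live_host
fi
```

Run with `--live` to inspect the local host; without arguments the script only defines the functions and samples. An UPGRADE-XZ result matches Grant's position (sshd itself is not on the chain) but still leaves a backdoored liblzma on disk for anything else that loads it, which is the point Hodgins raises, so the package should be replaced either way.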