On Sun, 31 Mar 2024, Carlos E.R. wrote:
I see a business opportunity for commercial distros.
On 2024-03-31 18:26, Rich wrote:
I'm one hundred percent sure state level actors are already doing this in numerous small auxiliary libraries as well as python pip, rust, go and others.
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 3/31/24 08:38, John McCue wrote:
>Thanks, here is another interesting link that describes how the issue
>occurred and indicates why *BSD and Distros like Slackware would not
>be vulnerable.
My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.
Yes, this seems to have been part of the "connection".
>Purportedly sshd itself doesn't use xz.
It does not. Directly that is.
>But sshd built on / for systemd distros end up having xz added as a
>library / dependency because of systemd compatibility because systemd
>does use xz for things.
Some distros, in their zeal to "systemd all the things", patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH, because somewhere in that systemd library's
dependency chain was libxz/lzma.
>As such, my supposition is that, things like *BSD, Slackware, and
>Gentoo (OpenRC old default) aren't affected because they don't have
>-> use systemd.
They are not, because their OpenSSH is not linked to libxz/lzma in any
way.
>
But.... this is nearly a "Reflections on Trusting Trust" [1] level
opsec attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time does not mean they would be immune to another opsec
attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.
A well funded bad actor will likely find a target to do their thing. They did not attack systemd directly, but a small auxiliary library from another project, one that had little attention from developers. Once this hole is plugged, they will seek another one.
>
That was a two year investment to plant a mole. There might be others.
>
>
Seems like supply chain attacks will be the new gold when it comes to malicious attacks. =(
Is the open source community equipped to handle this?
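The thread's distinguishing test is whether a distro's sshd ends up with libxz/lzma in its dependency chain via a systemd library. The following POSIX shell script is an added example, not code from any poster or project: it classifies ldd-style output by whether liblzma appears and whether libsystemd is also present (the route the thread describes), and can be pointed at a real binary. The two sample ldd listings are constructed for illustration, not captured from a real host; the library addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an sshd binary's
# load-time dependency set includes liblzma, and whether libsystemd is the
# likely carrier. Sample ldd output below is constructed, not real.

# ldd_has_lib LIB: read ldd-style output on stdin; exit 0 if LIB.so appears.
ldd_has_lib() {
    grep -q "$1\.so"
}

# classify: read ldd-style output on stdin and print one verdict word:
#   lzma-via-systemd  liblzma present together with libsystemd
#   lzma-linked       liblzma present, libsystemd absent (some other route)
#   no-lzma           liblzma not in the load-time dependency set
classify() {
    text=$(cat)
    if printf '%s\n' "$text" | ldd_has_lib liblzma; then
        if printf '%s\n' "$text" | ldd_has_lib libsystemd; then
            echo "lzma-via-systemd"
        else
            echo "lzma-linked"
        fi
    else
        echo "no-lzma"
    fi
}

# check_binary PATH: run ldd on a real binary and print the verdict.
# Prints "ldd-failed" when ldd is unavailable or PATH is not a dynamic ELF.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || { echo "ldd-failed"; return 0; }
    printf '%s\n' "$out" | classify
}

# Constructed sample: an sshd patched to link libsystemd, which pulls liblzma.
SAMPLE_PATCHED='linux-vdso.so.1 (0x0000000000000000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'

# Constructed sample: an unpatched sshd with no systemd linkage.
SAMPLE_CLEAN='libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000000000000000)
libc.so.6 => /usr/lib/libc.so.6 (0x0000000000000000)'

# Demonstration on the constructed samples.
printf 'patched sample: %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | classify)"
printf 'clean sample:   %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | classify)"

# Optional: pass a real binary, e.g. "$(command -v sshd)", as the first argument.
if [ $# -gt 0 ]; then
    printf '%s: %s\n' "$1" "$(check_binary "$1")"
fi
```

ldd reports only libraries resolved at program load; a library pulled in later with dlopen would not appear, so a "no-lzma" verdict from this check says nothing about code loaded at runtime.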