Backdoor in Upstream xz/liblzma Leading to SSH Server Compromise

Are you worried about the security of your SSH server? A recent discovery has unveiled a sophisticated backdoor in the upstream xz compression library (liblzma), affecting versions 5.6.0 and 5.6.1. The backdoor targets systems that expose SSH to the internet and can lead to unauthorized access and compromise.
The injected code within the xz/liblzma library was designed to execute unauthorized actions without detection. It modifies the build process to introduce malicious behavior that specifically targets the SSH server. Under certain conditions the backdoor allows external control of the system, with serious consequences for system integrity and data confidentiality. The sophistication of this attack underlines the importance of rigorous software supply chain security measures.
The author of the backdoor also attempted to have the compromised xz 5.6.x added to Fedora 40 and 41. This move was likely aimed at widening the backdoor’s reach by getting it into more systems, and shows a deliberate effort to infiltrate open-source software distributions at a foundational level.
Vegard Nossum wrote a script to detect whether the liblzma used by a system's sshd is likely to be vulnerable:

#! /bin/bash
set -eu

# find path to liblzma used by sshd
# (sshd usually lives in /usr/sbin, so run as root or with /usr/sbin on PATH;
#  '|| true' keeps 'set -e' from aborting when sshd does not link liblzma)
path="$(ldd "$(which sshd)" | grep liblzma | grep -o '/[^ ]*' || true)"

# does it even exist?
if [ "$path" == "" ]
then
    echo probably not vulnerable
    exit
fi

# check for function signature
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
    echo probably vulnerable
else
    echo probably not vulnerable
fi

How Did This Happen?
A subtle script shipped in the xz release tarballs modifies the Makefile during the configure step, injecting malicious code into the liblzma library. The injection targets systems built with gcc and the GNU linker, particularly Debian and RPM package builds.
How to Check if You’re Affected?
- SSH Slowdown: A significant slowdown during SSH logins could indicate compromise.
- Version Check: Verify your liblzma version (xz --version). Affected versions are 5.6.0 and 5.6.1.
- Look for Unusual Processes: Monitor for unexpected processes or connections, indicative of malicious activity.
- Use the aforementioned shell script.
Immediate Remediation Steps:
- Downgrade liblzma: Ensure you’re running a secure version of liblzma, free from the backdoor.
- Use Detection Scripts: Employ scripts to scan for compromised SSH binaries.
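The following is an added example, not part of the original post and not Vegard Nossum's script; it covers the "Version Check" item above and the "Use Detection Scripts" step. It is written in POSIX sh and assumes that `xz --version` prints a program line followed by a `liblzma X.Y.Z` line (the format shown in the comments) and that sshd, if installed, is reachable via PATH or at /usr/sbin/sshd. The sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify `xz --version` output
# as affected or not, and report whether the local sshd links liblzma at all.

# Return 0 when the version is one of the two backdoored releases the post
# names (5.6.0, 5.6.1); 1 otherwise. Any other version, including the later
# cleaned-up releases, is treated as not affected by this check.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output, which looks like:
#     xz (XZ Utils) 5.6.1
#     liblzma 5.6.1
# The "liblzma" line is preferred; the first version-looking token is the fallback.
parse_liblzma_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^liblzma[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$v" ]; then
        v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
    fi
    printf '%s\n' "$v"
}

# Print one word for a given `xz --version` output: affected, clean or unknown.
classify_xz_output() {
    v=$(parse_liblzma_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif is_affected_version "$v"; then
        echo affected
    else
        echo clean
    fi
}

# Live check: does the sshd on this machine link liblzma? Prints the library
# path or "none". sshd normally lives in /usr/sbin, which is often not on an
# unprivileged user's PATH, so that location is tried explicitly.
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_bin" ] || sshd_bin=/usr/sbin/sshd
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$sshd_bin" 2>/dev/null | grep liblzma | grep -o '/[^ ]*' | head -n 1 | grep . || echo none
    else
        echo none
    fi
}

# Constructed sample of `xz --version` output from a backdoored build, so the
# parser can be exercised without a vulnerable system at hand.
SAMPLE_AFFECTED_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

main() {
    echo "constructed sample classifies as: $(classify_xz_output "$SAMPLE_AFFECTED_OUTPUT")"
    out=$(xz --version 2>/dev/null || true)
    echo "this host's xz --version classifies as: $(classify_xz_output "$out") ($(parse_liblzma_version "$out"))"
    echo "liblzma linked by sshd: $(sshd_liblzma_path)"
}

main
```

A "clean" result from the version check only means the two named releases are not installed; the hexdump signature check in the script earlier on this page is the stronger test, because a distribution build may patch the library without changing the reported version, and the two checks are best used together.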
For the Technically Inclined:
The backdoor manipulation involves sophisticated code injection techniques that evade typical detection methods. This underscores the necessity for rigorous security protocols and the continuous monitoring of system libraries for anomalies.
This incident is a stark reminder of the vulnerabilities that can exist in the supply chain and the continuous need for vigilance in system security practices. For more advanced users, it’s advisable to engage in comprehensive log analysis and employ enhanced detection tools to safeguard against such sophisticated threats.