Hi friends,
A developer starts sending emails to the project's mailing list asking whether the niche XZ utility for Linux is still maintained.
They wanted to know whether they should keep their own version up to date, because they now wanted new features.
XZ is a compression utility, similar in concept to making .zip files. Its main use is lossless compression on the command line, which is to say it guarantees that when data is decompressed the result is a byte-for-byte copy of the original. It’s used by a lot of important security software, and is included as a library in many other utilities. A library is just a term for code that other programs use.
The core maintainer, Lasse, then replies that he’s not actively working on it, but if bugs are reported he’ll make sure they’re fixed.
He also says he knows this isn’t optimal, but towards the end mentions a developer by the name of “Jia Tan”, saying they were a big help with XZ Utils and “might have a bigger role in the future…”:
Jia Tan has helped me off-list with XZ Utils and he might have a bigger
role in the future at least with XZ Utils. It's clear that my resources
are too limited (thus the many emails waiting for replies) so something
has to change in the long term.
- https://www.mail-archive.com/xz-devel@tukaani.org/msg00563.html
Others respond with questions too, until one guy, “Jigar Kumar”, pops out of nowhere making very pushy comments about a new maintainer, saying that people should either fork the project or establish a new leader, and finishing with, in his words, that it’s “sad to see … a repo like this”.
The same Kumar goes on in another reply to say that he “doubts we’ll see a release this year”, telling the maintainer that “you ignore the many patches…” and “you choke your repo”:
With your current rate, I very doubt to see 5.4.0 release this year. The only
progress since april has been small changes to test code. You ignore the many
patches bit rotting away on this mailing list. Right now you choke your repo.
Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?
- https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html
Months later, a security researcher would start questioning the identity of this “Kumar”, and how he emerged out of nowhere and disappeared off the face of the earth just as fast.
Related or not, “Jia Tan” keeps working and slowly, unofficially, becomes the de facto maintainer of XZ Utils, a small compression library used by every major Linux distro.
Over two years “Jia Tan” added changes, slowly, bit by bit, with commits that didn’t come up on any radar:
They even contributed a PR, merged into Google’s oss-fuzz project, that stopped the fuzzer from reporting information about the library.
The stated purpose of Google’s project is “uncovering programming errors in software… (that)… can have serious security implications” 🤔 https://github.com/google/oss-fuzz/pull/10667
He then went on to use yet another alias to ask the community for XZ updates, pushing the fixes even further: fixes that would soon be identified as a backdoor into SSH on Linux.
The backdoor comes into play through one of the main ways xz is used: SSH. SSH is an encrypted protocol between two machines over which text commands can be exchanged, allowing a user to interact with a server remotely. It’s a very common utility in the Linux world, and the security of this communication is critical. The backdoor means that the connection is no longer private and could allow an attacker to insert their own commands into the supposedly secure connection.
Andres Freund, a software developer at Microsoft, happened to notice “odd symptoms” when his SSH login process took a tiny bit longer. How much? 600 milliseconds. 600 milliseconds stood between the world and one of the greatest zero-day Linux vulnerabilities ever found.
Andres noticed that CPU usage was noticeably higher than expected and went down the rabbit hole, investigating the library behind the issue and reporting his findings with a clear message.
The reason this was ever discovered is that the injected code relied heavily on work done in memory at load time, replacing symbols (references to functions) in real time, which is what effectively let other parties into the sshd process.
Quoting Andres again: “This is the quite slow step that made me look into the issue.”
The news blew up: every major news outlet, security publication, Linux distro and even cloud providers started sharing it, covering the story or urging users to update their systems.
Keep in mind this is still VERY fresh. New information is discovered by the minute. And while the project has already been disabled on GitHub, if you follow the news closely you’ll keep getting updates revealing more about this absolutely crazy story.
It’s still unclear who the mysterious Jia Tan is, whether the other names are aliases, or maybe, maybe, whether this is a nation-backed actor, or even a group, slowly building their own zero-day vulnerability into one of the world’s most sensitive protocols!
The silver lining here is that staying out of the infection zone is rather easy: downgrading or upgrading away from the infected version, or just updating your Linux to the latest packages, will solve the problem. Moreover, not all distros even use the compromised library; it’s mostly Debian, but others as well. If you want to be 100% sure, as said, just upgrade and you’ll be fine.
Also, in the majority of cases the vulnerable version never made it into a major stable release, so most users should be safe, but it’s still wise to monitor the situation and make sure all systems and utilities are up to date.
Special thanks to Andres, who was diligent, focused and curious enough to help the world fix one of the worst malicious bugs ever! Be like Andres!
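To make the “check your version and upgrade” advice concrete, here is a small POSIX shell script with two checks a defender can run on a host. It is an added example, not code from this newsletter or from the XZ project. The first check reads the version that the installed xz binary reports (and the version of the liblzma library it loaded, since the two can differ) and compares them against a list of versions your distribution's advisory names as compromised; the newsletter doesn't name versions, so the list is passed in through an assumed AFFECTED environment variable rather than hard-coded. The second check reads the shared-library list of the sshd binary to see whether liblzma is loaded into the SSH daemon at all. The function names, the AFFECTED variable and the stdin-based design are my own choices.

```shell
#!/bin/sh
# Added example (not from the newsletter or the XZ project): defender-side
# checks for the situation described above. The parsing functions read text
# on stdin, so they can be run on captured output as well as on a live host.

# Print the version from the first line of `xz --version` output, which has
# the form "xz (XZ Utils) X.Y.Z". Prints nothing if the line doesn't match.
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Print the library version from the "liblzma X.Y.Z" line of the same output.
# The xz binary and the liblzma it loaded can differ, so both are checked.
liblzma_version_from_output() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*$/\1/p'
}

# Usage: version_affected "<version>" "<space-separated list of bad versions>"
# Exit status 0 if the version is in the list, 1 otherwise. The list comes
# from the advisory you trust; nothing is hard-coded here.
version_affected() {
    ver="$1"
    for bad in $2; do
        [ "$ver" = "$bad" ] && return 0
    done
    return 1
}

# Reads `ldd <sshd>` output on stdin; exit status 0 if liblzma is among the
# shared libraries. If sshd never loads liblzma, code hidden in that library
# cannot run inside the sshd process on this host.
sshd_loads_liblzma() {
    grep -q 'liblzma\.so'
}

# Live check of this host. AFFECTED is an assumed environment variable holding
# the space-separated list of compromised versions from your advisory.
check_host() {
    out=$(xz --version 2>/dev/null) || { echo "xz not installed"; return 0; }
    xzv=$(printf '%s\n' "$out" | xz_version_from_output)
    libv=$(printf '%s\n' "$out" | liblzma_version_from_output)
    echo "xz binary: ${xzv:-unknown}, liblzma: ${libv:-unknown}"
    for v in "$xzv" "$libv"; do
        if [ -n "$v" ] && version_affected "$v" "${AFFECTED:-}"; then
            echo "WARNING: version $v is in the affected list; upgrade or downgrade now"
        fi
    done
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | sshd_loads_liblzma; then
        echo "sshd at $sshd_path loads liblzma, so the library runs inside the SSH daemon"
    else
        echo "sshd does not load liblzma (or was not found); that path is not exposed here"
    fi
}

# Only touch the real binaries when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `AFFECTED="<versions from your advisory>" sh check_xz.sh --live` on a host to exercise both checks against the real xz and sshd binaries; `ldd` is assumed to be available, as it is on glibc-based distributions. Because the parsing functions read stdin, the same logic can be applied to `xz --version` and `ldd` output collected from other machines.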
Links:
Thank you for reading, I hope you liked it, and maybe even learned something new.
Enjoy your weekend!