Message-ID: <661F3331.3020408@gmail.com>
Date: Tue, 16 Apr 2024 21:25:53 -0500
From: Jacob Bachmeyer
To: oss-security@lists.openwall.com
References: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de> <20240331202502.GA21116@openwall.com> <20240416225900.GA23474@openwall.com>
In-Reply-To: <20240416225900.GA23474@openwall.com>
Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

Solar Designer wrote:
> [...]
>
> xz backdoor analysis
> ====================
>
> More findings were made about the backdoor's functionality, notably as
> published on April 6 by blasty, who discovered that besides triggering
> system() the backdoor also allows interactive sessions:
>
> https://twitter.com/bl4sty/status/1776691497506623562
>
>> [...]

There is almost certainly more yet to be uncovered: Andres Freund's original report included timing for SSH client connections requesting a nonexistent account using publickey auth. The backdoored SSH server was found to require significantly longer to reject those requests than the untampered sshd. I do not believe that the currently known backdoor hooks are reachable by that means, so why did Andres Freund see that particular slowdown? (Not the backdoor initialization making sshd take longer to start up---a running sshd taking longer to reject a session for a nonexistent account, unless Andres Freund forgot to tell us that he was running sshd from inetd and thereby including sshd startup latency in his measurements.)

> [...]
>
> OpenJS Foundation "Failed Credible Takeover Attempt"
> ====================================================
>
> On April 15, the OpenJS and OpenSSF foundations released the following:
>
> https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
> https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
>
> I'll quote an excerpt:
>
>> The OpenJS Foundation Cross Project Council received a suspicious series
>> of emails with similar messages, bearing different names and overlapping
>> GitHub-associated emails. These emails implored OpenJS to take action to
>> update one of its popular JavaScript projects to "address any critical
>> vulnerabilities," yet cited no specifics. The email author(s) wanted
>> OpenJS to designate them as a new maintainer of the project despite
>> having little prior involvement. This approach bears strong resemblance
>> to the manner in which "Jia Tan" positioned themselves in the XZ/liblzma
>> backdoor.
>>
>> [...]

Concerning, yes, but not quite the "Jia Tan" /modus operandi/---"Jia" seems to have been contributing patches for some time (with sockpuppets pushing their acceptance as needed) before making a move to be appointed co-maintainer of xz. This looks to me like the common cybercrooks have seen the technique, decided that it sounds like a great idea, and are now trying to use it, but do not have the patience that the "Jia Tan" gang had. In other words, now the "Nigerian Princes" want to help you maintain your project, just give them write access to the source repository up front. :-P

I also want to call out a critical detail: claims of vulnerabilities with no specifics that would aid in actually fixing them. This should be a general red flag: *anyone* who makes such claims is probably up to no good.

Lastly, thank you for making the summary.

-- 
Jacob
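The timing observation discussed above (a backdoored sshd taking measurably longer to reject publickey auth for a nonexistent account) is also a defender's observable: keep a baseline of rejection latency for hosts you administer and flag a host whose rejections drift well outside it. The script below is an added example, not code from this thread or from any of its participants. The timing samples in it are constructed, the thresholds (1.5x the baseline median and 3 baseline MADs) are assumptions, and the measurement helper assumes an OpenSSH client and network reach to your own host; only the analysis is exercised stand-alone.

```python
"""Latency-regression check for sshd rejections of a nonexistent account.

Added example, not code from the oss-security thread. The timing samples
below are constructed for illustration; the thresholds and the ssh
invocation are assumptions, not something the thread specifies.
"""
import statistics
import subprocess
import time

# Constructed baseline: seconds for a known-good sshd to reject publickey
# auth for an account that does not exist (hypothetical values).
BASELINE_SAMPLES = [0.031, 0.029, 0.033, 0.030, 0.032, 0.028, 0.031, 0.030]
# Constructed suspect: the same probe against a host whose rejections are
# consistently slower (hypothetical values).
SUSPECT_SAMPLES = [0.52, 0.49, 0.55, 0.51, 0.50, 0.53, 0.48, 0.54]


def median_mad(samples):
    """Return (median, median absolute deviation); robust to single outliers
    such as one slow connection caused by network jitter."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med, mad


def latency_regression(baseline, candidate, min_ratio=1.5, k=3.0):
    """Flag when the candidate's median rejection time is both at least
    min_ratio times the baseline median and more than k baseline MADs above
    it. Returns a dict so a caller can log the numbers behind the verdict."""
    base_med, base_mad = median_mad(baseline)
    cand_med, _ = median_mad(candidate)
    spread = max(base_mad, 1e-6)  # guard against a zero-MAD baseline
    ratio = cand_med / base_med
    flagged = ratio >= min_ratio and (cand_med - base_med) > k * spread
    return {"baseline_median": base_med, "candidate_median": cand_med,
            "ratio": ratio, "flagged": flagged}


def measure_reject_latency(host, port=22, user="nonexistent-user-for-timing",
                           runs=8, timeout=10):
    """Wall-clock how long the server takes to reject publickey auth for a
    nonexistent account. Hypothetical helper: needs an OpenSSH client and
    network reach to a host you administer; not exercised by the tests.
    The exit status is ignored on purpose: rejection is the expected result."""
    samples = []
    for _ in range(runs):
        start = time.monotonic()
        subprocess.run(
            ["ssh", "-p", str(port), "-o", "BatchMode=yes",
             "-o", "PreferredAuthentications=publickey",
             "-o", "ConnectTimeout=%d" % timeout,
             "%s@%s" % (user, host), "true"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout + 5, check=False)
        samples.append(time.monotonic() - start)
    return samples


if __name__ == "__main__":
    verdict = latency_regression(BASELINE_SAMPLES, SUSPECT_SAMPLES)
    print("baseline median %.4fs, candidate median %.4fs, ratio %.1f, flagged=%s"
          % (verdict["baseline_median"], verdict["candidate_median"],
             verdict["ratio"], verdict["flagged"]))
```

The comparison uses medians and the median absolute deviation rather than means, so one jittery connection does not produce a false alarm, and it requires both a ratio and an absolute-spread condition so that a tiny baseline MAD alone cannot flag sub-millisecond noise. A flagged host is a reason to compare the loaded liblzma against a known-good build, not proof of compromise by itself.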