News Ubuntu 24.04 Beta delayed due to malicious code in xz-utils, other Linux distros are also affected

Status
Not open for further replies.
I wonder who injected that code into XZ-Utils, I mean there are plenty of candidates, but I wonder who figured it was worth a go this time around.

Some of what I have been reading (and of course it's all speculative anyway) is that these were state actors, that is, someone like Russia, China, or Iran.

As Linux continues to become more popular this sort of thing is bound to become more common.

For the security-through-obscurity enthusiast, a *BSD is quickly becoming the only option left. Unless it's a resource such as XZ, which the BSDs also rely on.
 
Is this just a Linux problem... what about all the modems and routers that run Linux which you know won't get updated (at least the older ones)?

Can they get into the router and then into anyone's computer connected to it now regardless of what OS it is running?
 
I wonder who injected that code into XZ-Utils, I mean there are plenty of candidates, but I wonder who figured it was worth a go this time around.

This is worth a read. Quite the story, came down to ONE PERSON who noticed something funny and blew the whole operation wide open. This one should put chills down the spine of anyone working in IT security.
 
that is, someone like Russia, China, or Iran.

I think there is too little info to point fingers, but I do agree this is nation state level of malware.
What we do know is who would have been most affected.

Seeing as this was targeted towards Debian and Red Hat users...

States with largest Debian share: Cuba, Czech Republic, Germany, Belarus, Russia
States with largest Red Hat share: Bangladesh, Nepal, Sri Lanka, India, Cuba
 
Is this just a Linux problem... what about all the modems and routers that run Linux which you know won't get updated (at least the older ones)?

Can they get into the router and then into anyone's computer connected to it now regardless of what OS it is running?
The malicious code was only introduced in a very new release of xz utils. Highly unlikely the affected package version made it into any router FW releases.
 
Seeing as this was targeted towards Debian and Red Hat users...
The malicious code was introduced in the upstream xz utils source, it affects (or would have affected) any Linux distro that uses that package (so essentially all of them). Debian and Red Hat just happened to be among the first to add the new, compromised versions to their repos (just the development/beta repos though).
 

This is worth a read. Quite the story, came down to ONE PERSON who noticed something funny and blew the whole operation wide open. This one should put chills down the spine of anyone working in IT security.
That was a pretty fascinating read, it seems like we just got really lucky that someone was paying attention with this one.
 
Some of what I have been reading (and of course it's all speculative anyway) is that these were state actors, that is, someone like Russia, China, or Iran.
North Korea is becoming surprisingly adept at hacking. I wouldn't rule them out. Here's an awesome (free) podcast series from the BBC about the DPRK's hacking exploits:

As Linux continues to become more popular this sort of thing is bound to become more common.
Given it's already far and away the dominant cloud OS, as well as being used for scientific and DoE (i.e. military) supercomputing, it's already a plenty juicy target. I'm actually surprised this sort of thing hasn't been happening a lot more!

For the security-through-obscurity enthusiast, a *BSD is quickly becoming the only option left. Unless it's a resource such as XZ, which the BSDs also rely on.
🤔
 
That was a pretty fascinating read,
Agreed.

it seems like we just got really lucky that someone was paying attention with this one.
Not only that, but that the backdoor misbehaved in ways that drew attention to itself. I'm confident it would've been noticed sooner rather than later, being so badly behaved. Now, imagine it didn't introduce extra latency or memory errors. That's what should worry us. We really can't rule out the possibility that similar, but better-implemented backdoors are already out in the wild!

BTW, I think it was really creative of them not to try and hide the backdoor directly in the source code. That's where most of the security scanning tools are looking. Instead, it seems the focus must be on the actual compiled binaries, which is a bigger challenge.
 
The malicious code was introduced in the upstream xz utils source, it affects (or would have affected) any Linux distro that uses that package (so essentially all of them). Debian and Red Hat just happened to be among the first to add the new, compromised versions to their repos (just the development/beta repos though).
From what I understand, the malicious code in xz-utils was used to create a backdoor in sshd when you installed/upgraded that.
Vanilla OpenSSH is not dependent on liblzma (and that is dependent on xz-utils). So not all Linux distros' sshd is dependent on xz-utils.
That is how we get to the list of compromised Linux distros. (xz-utils is used in many more places than that.)
Having said that, would you trust a compromised xz-utils to unpack any other application, even if it should not create a backdoor?
Better to downgrade to a trusted version.

PS: forgive any English grammar errors, English is my third language.
Good source for a deeper dive: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
 

This is worth a read. Quite the story, came down to ONE PERSON who noticed something funny and blew the whole operation wide open. This one should put chills down the spine of anyone working in IT security.
No chills. Backdoors are expected these days. Linux is known to be severely lacking in security. That said, most users will give you their password if you just call them up and ask them. Backdoors are the least of my problems. We're at the point in "software engineering" where fixing one vulnerability causes 1.5 more. It's accelerating. Pretty soon we'll have to give up and just use physical typewriters and paper again. It's getting REALLY bad.
 
From what I understand, the malicious code in xz-utils was used to create a backdoor in sshd when you installed/upgraded that.
Vanilla OpenSSH is not dependent on liblzma (and that is dependent on xz-utils). So not all Linux distros' sshd is dependent on xz-utils. That is how we get to the list of compromised Linux distros.
Ah, yes. The Ars Technica article points out that ssh picks up the dependency on liblzma via libsystemd. I found that dependency a little surprising, and it makes sense that it's distro-specific.

Having said that, would you trust a compromised xz-utils to unpack any other application, even if it should not create a backdoor?
If the only function of the hack is to affect ssh, then not really.

Better to downgrade to a trusted version.
Without a doubt!

PS: forgive any English grammar errors, English is my third language.
Humble brag.
; )
 
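The two posts above describe the dependency chain that made this matter: sshd does not need liblzma itself, but on some distros it loads libsystemd, which pulls in liblzma from xz-utils. The script below is an added example (mine, not from any poster, the Ars Technica article or the linked gist) that checks that chain on a host by classifying the shared-library listing of the sshd binary. The sample listings are constructed, the sshd path is assumed to be whatever `command -v sshd` finds (falling back to /usr/sbin/sshd), and the script only reports; deciding whether the installed xz version is a trusted one is left to the reader.

```shell
#!/bin/sh
# Added example: does this host's sshd pick up liblzma, directly or
# through libsystemd? Reports only; it changes nothing on the system.

# Return 0 if an ldd-style listing mentions liblzma, 1 otherwise.
# Pure text function so it can be exercised on constructed input.
ldd_mentions_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Return 0 if the listing mentions libsystemd (the indirect route).
ldd_mentions_libsystemd() {
    printf '%s\n' "$1" | grep -q 'libsystemd'
}

# Classify a listing into one of three labels:
#   no-liblzma              sshd never loads liblzma (vanilla OpenSSH shape)
#   liblzma-via-libsystemd  the distro-specific chain the thread describes
#   liblzma-direct          liblzma present without libsystemd
classify_sshd_deps() {
    out="$1"
    if ldd_mentions_liblzma "$out"; then
        if ldd_mentions_libsystemd "$out"; then
            echo "liblzma-via-libsystemd"
        else
            echo "liblzma-direct"
        fi
    else
        echo "no-liblzma"
    fi
}

# Constructed sample listings (not captured from a real host).
SAMPLE_DEBIAN_STYLE='
	linux-vdso.so.1 (0x00007ffd2b3f0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x...)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x...)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)'
SAMPLE_VANILLA='
	linux-vdso.so.1 (0x...)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x...)
	libc.so.6 => /usr/lib/libc.so.6 (0x...)'

# Live check on the current host; only runs if sshd and ldd are present.
# Assumed sshd location: whatever is on PATH, else /usr/sbin/sshd.
check_local_sshd() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        classify_sshd_deps "$(ldd "$sshd_path" 2>/dev/null)"
    else
        echo "sshd-or-ldd-not-found"
    fi
}

# First line of `xz --version`, so the reader can compare it against
# whatever version their distro currently considers trusted.
installed_xz_version() {
    if command -v xz >/dev/null 2>&1; then
        xz --version 2>/dev/null | head -n 1
    else
        echo "xz-not-found"
    fi
}

main() {
    echo "constructed debian-style listing: $(classify_sshd_deps "$SAMPLE_DEBIAN_STYLE")"
    echo "constructed vanilla listing:      $(classify_sshd_deps "$SAMPLE_VANILLA")"
    echo "this host's sshd:                 $(check_local_sshd)"
    echo "this host's xz:                   $(installed_xz_version)"
}
main
```

If the live check prints `liblzma-via-libsystemd`, the host has exactly the shape the posters are talking about, and the xz version line is the thing to compare against your distro's advisory before deciding whether to downgrade.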
No chills. Backdoors are expected these days. Linux is known to be severely lacking in security. That said, most users will give you their password if you just call them up and ask them. Backdoors are the least of my problems. We're at the point in "software engineering" where fixing one vulnerability causes 1.5 more. It's accelerating. Pretty soon we'll have to give up and just use physical typewriters and paper again. It's getting REALLY bad.
Not sure if you're trying to write satire, but I can't find a single sentence in your post that's entirely true. The most true part is about users' susceptibility to social engineering, but even that is (slowly) improving.

In the past decade or so, the quality and pervasiveness of security scanners has really improved. On the language front, we now have Rust, which is finding its way into the kernel. Organizations are getting much more security conscious, including those which do software development. We cannot ship a product with any known CVEs above a certain threshold, for instance.

Plus, a decade ago, the various side-channel attacks on CPUs were virtually unknown. Now, they're quite well-appreciated and the ones still being discovered tend to be more esoteric and harder to exploit.

Assuming your post was sincere, I think what happened is that the industry (including news outlets) have become much more sensitive to security and are now just covering it a lot better than before. So, you hear about security issues more often, because there are more researchers looking for breaches and they get more heavily reported, but that doesn't mean security is actually getting worse.
 
Raspberry Pi uses an ARM based cpu. As far as we know, only the 64 bit Intel/AMD cpus are affected. But, investigation continues...
 
Some of what I have been reading (and of course it's all speculative anyway) is that these were state actors, that is, someone like Russia, China, or Iran.
Honest questions, I hope moderators won't see them as veering into politics.

1. Is there any concrete proof of those countries being involved?
2. Does the term "state actor" somehow magically exclude USA and its 3-letter agencies such as NSA or CIA?

I don't think CIA doing it is so far fetched, they already have a track record with Crypto AG.
 
Plus, a decade ago, the various side-channel attacks on CPUs were virtually unknown.
To you and me.
So, you hear about security issues more often, because there are more researchers looking for breaches and they get more heavily reported, but that doesn't mean security is actually getting worse.
It is getting objectively worse because the code is getting progressively larger (feature creep) and harder to audit.
 
1. There cannot be.
2. It does not. The USA being a democratic society, the people have control over the power their government exercises. Others listed are unrestricted.
 
1. Is there any concrete proof of those countries being involved?
2. Does the term "state actor" somehow magically exclude USA and its 3-letter agencies such as NSA or CIA?

I don't think CIA doing it is so far fetched, they already have a track record with Crypto AG.
If the USA were backdooring anything, it'd be the NSA. However, the Congressional mandate of the NSA requires it to protect U.S. communications networks and information systems. That would clearly rule out uncontrolled deployment of such an exploit. Furthermore, the NSA has previously been reprimanded even for failing to report exploits that could jeopardize US communications networks and systems, which they were aware of but had no hand in. Given that, it seems implausible this was by their hand.

It's funny how you seem initially skeptical that it's a state actor, but then take such a wild leap.
 