Alert developer may have spared Linux users a lot of pain

A vigilant developer appears to have stopped a backdoor, possibly introduced into a compression utility by a state-backed actor, from being distributed to production Linux systems. The malicious code appears to allow checks during SSH authentication to be bypassed.

Andres Freund, the Microsoft software engineer who discovered the backdoor in xz Utils, said the malicious code had been introduced in versions 5.6.0 and 5.6.1. It is suspected that this may be a state-backed operation because the code had been in the works for a long time.

Freund wrote on Friday: "After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors), I figured out the answer: the upstream xz repository and the xz tarballs have been backdoored.

"At first I thought this was a compromise of Debian's package, but it turns out to be upstream."

One of the developers involved, whose account is JiaT75, had been a maintainer of the package for more than two years. Freund added: "Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system.

"Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the 'fixes' mentioned above." He was referring to various additions that the suspect maintainer had proposed to fix code issues: here, here, here, and here. [Thanks to Dan Goodin for these four links.]

SSH, or secure shell, is a utility used to log in securely to systems; the majority of Linux systems use a port known as OpenSSH that is maintained by the OpenBSD project, a Unix clone.

The only production Linux system in which the doctored code was distributed appears to have been the Tumbleweed stream put out by the OpenSUSE project. The developers at that project wrote on Friday: “For our openSUSE Tumbleweed users where SSH is exposed to the Internet, we recommend installing fresh, as it’s unknown if the backdoor has been exploited.

“Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.

“It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap. Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the Internet.”

Debian issued patched versions of xz Utils for its testing, experimental and unstable streams of development. Red Hat said on Friday, “Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1.”

“At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds. However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe.”

Later, Red Hat added: “We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries – xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions.”
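As an added example (not code from the article, Red Hat or the xz project), a POSIX shell check that picks the version out of `xz --version` output or RPM package names and flags the 5.6.0 and 5.6.1 releases named above; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the article's code): flag the xz/liblzma versions the
# article names as backdoored (5.6.0, 5.6.1) in `xz --version` output or RPM names.
# Return 0 when the version given is one of the two backdoored releases.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the x.y.z version in one line of text, or nothing. Handles
# "xz (XZ Utils) 5.6.1", "liblzma 5.6.1" and "xz-libs-5.6.0-1.fc40.x86_64.rpm".
extract_xz_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[ -]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print one verdict line: "BACKDOORED 5.6.1", "OK 5.4.6" or "UNKNOWN".
classify_xz_line() {
    ver=$(extract_xz_version "$1")
    if [ -z "$ver" ]; then printf 'UNKNOWN\n'
    elif xz_version_backdoored "$ver"; then printf 'BACKDOORED %s\n' "$ver"
    else printf 'OK %s\n' "$ver"
    fi
}

# Classify every line of a multi-line string (e.g. full `xz --version` output).
xz_report() {
    printf '%s\n' "$1" | while IFS= read -r line; do classify_xz_line "$line"; done
}

# Return 0 only when no line names a backdoored version.
xz_all_clear() {
    ! xz_report "$1" | grep -q '^BACKDOORED'
}

# Constructed sample input (not captured from a real system); replace with
# "$(xz --version)" or "$(rpm -q xz-libs)" output to check a live host.
SAMPLE_LINES='xz (XZ Utils) 5.6.1
liblzma 5.6.1
xz-libs-5.6.0-1.fc40.x86_64.rpm
xz-libs-5.4.6-1.fc40.x86_64.rpm'

xz_report "$SAMPLE_LINES"
if xz_all_clear "$SAMPLE_LINES"; then
    echo "verdict: no backdoored xz/liblzma version found"
else
    echo "verdict: backdoored version present; fall back to a 5.4.x build and rotate credentials"
fi
```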

It is likely to be quite some time before calm returns; former senior Debian developer Joey Hess provided one reason, noting that the accounts used by the suspected malicious actors had made more than 700 commits [code contributions] over the past two years.

Hess wrote: "I count at least 750 commits or contributions to xz by Jia Tan, who backdoored it. This includes all 700 commits made after they merged a pull request on 7 January 2023, at which point they appear to have already had direct push access, which would also have let them push commits with forged authors. There were probably many other commits before that.

"Reverting the backdoored version to a previous version is not sufficient to know that Jia Tan did not hide other backdoors in it. Version 5.4.5 still contains most of those commits."

He added: "The package should be reverted to a version prior to [the bad actors'] involvement, starting with commit 6468f7e41a8e9c611e4ba8d34e2175c5dacdbeb4. Or their early commits [should be] reviewed and a later point in time reverted to, but it is almost certain that any arbitrary commit from a known bad and malicious actor is worth less than the risk of subtle changes going unnoticed.

"I suggest reverting to 5.3.1 – bearing in mind that there are security fixes after that... which will need to be reapplied."

The individual under suspicion also appears to have helped out off-list, possibly to curry favour with other developers so that no suspicion would arise when these proposals came up.

Unsurprisingly, the issue has been discussed at length: Linux Weekly News has a long thread here, while Hacker News had more than 2000 posts [when I last looked] here.

2024-03-31 00:31:21
