[security] backdoor in upstream xz/liblzma
-
Some of you might have seen the recent issue in xz - https://www.openwall.com/lists/oss-security/2024/03/29/4 . There was a backdoor in the upstream release tarballs that leads to ssh server compromise. There is a detect.bin attached at the end of that email. Might want to run that to check if your server is affected.
```bash
#! /bin/bash

set -eu

# find path to liblzma used by sshd
# ('|| true' keeps set -e from aborting silently when sshd does not link liblzma)
path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*' || true)"

# does it even exist?
if [ "$path" == "" ]
then
	echo probably not vulnerable
	exit
fi

# check for function signature
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
	echo probably vulnerable
else
	echo probably not vulnerable
fi
```
I am yet to find a system that is affected, so let's see how Cloudron needs to respond.
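The same signature check, extended as an added example (not part of the original post or the oss-security email) to every `liblzma.so*` under the directories you pass in, rather than only the copy `sshd` resolves through `ldd`. The function names are hypothetical, the signature is the one from the script above, and `od` stands in for `hexdump` so the bytes are compared on byte boundaries.

```bash
#!/bin/bash
# Added example: scan every liblzma copy under the given directories.
# Signature copied verbatim from the detect script quoted in the thread.
SIG=f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410

# has_signature FILE [HEXSIG] -> exit status 0 if FILE contains those bytes.
has_signature() {
    local file="$1" sig="${2:-$SIG}" pattern
    # "f30f1e" -> "f3 0f 1e": matching space-separated bytes keeps the
    # comparison byte-aligned (a plain hex string can also match mid-byte).
    pattern=$(printf '%s' "$sig" | sed 's/../& /g; s/ $//')
    od -An -v -tx1 "$file" 2>/dev/null | tr -s ' \n' ' ' | grep -qF "$pattern"
}

# scan_liblzma DIR... -> prints one line per library found and returns 1
# if any of them matches. Assumes library paths contain no newlines.
scan_liblzma() {
    local report
    report=$(find "$@" -type f -name 'liblzma.so*' 2>/dev/null |
        while IFS= read -r lib; do
            if [ ! -r "$lib" ]; then
                echo "SKIP  $lib (unreadable)"
            elif has_signature "$lib"; then
                echo "MATCH $lib"
            else
                echo "clean $lib"
            fi
        done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -q '^MATCH '
}

# Run as: ./scan-liblzma.sh /lib /usr/lib /usr/local/lib
if [ "$#" -gt 0 ]; then
    scan_liblzma "$@"
fi
```

Like the original script, a clean result only means this one byte pattern was not found in the files scanned.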
-
I think I saw on the Ubuntu forum that the 22.04 version had 5.4.x. So we can quietly breathe a sigh of relief. And the future version 24.04 already had a faulty version, and then they started to fix it once this problem became known.
EDIT: https://ubuntu.com/security/CVE-2024-3094
Forum: https://askubuntu.com/questions/1509015/is-ubuntu-affected-by-the-xz-backdoor-compromise