Backdoor in upstream xz/liblzma leading to SSH server compromise (openwall.com) (via Hacker News) - Page 3

Comments

  • darkimmortal Member
    edited April 1

    @davide said:

    @raindog308 said:
    Are you running unstable?

    My 12.5 systems show liblzma5 is at 5.4.1-0.2

    No, I checked all VMs and OSes (I even have one Ubuntu instance at Oracle); none have the affected versions of liblzma5. But the xz project itself is a disaster. I personally looked into the configure/build scripts and the release tarballs, and it is something I don't want on my machines: it would superficially appear as an incompetent dumpster of garbled code, but in hindsight it is meant to hide defects. And I read indirectly that the xz archival format, its multiple layers of encapsulation and its plugin mechanism are excessively over-engineered and undocumented. The whole xz thing is condemned regardless of the version.

    It’s a real shame lzip was not adopted instead. It is the only compression format that handles corruption without losing the rest of the stream, i.e. the only compression format fit for purpose to use with tar.

  • Maounique Host Rep, Veteran
    edited April 1

    @davide said: The whole xz thing is condemned regardless of the version.

    I think that the same criticism might be applied to many other projects. Of course, with the microscope on it, this one steals the spotlight, but the old adage that "if the architects would have built the towns the way the programmers are building their code, any woodpecker would be able to destroy civilization" still applies.

    Intentional malice, though, is the next 2 levels up.

    Thanked by 1: raindog308
  • Maounique Host Rep, Veteran
    edited April 1

    @matey0 said: Either way, unless a server explicitly disables root logins the exploit will certainly work - regardless of any firewall configuration.

    Allowing only certain IPs in the firewall would block that but, yes, for as long as the attacker can connect to the SSH port, I believe the exploit would work.

    Not a criticism, just a vague amendment to the "any" statement and also a reminder that one could always be very strict regarding firewalls without actually breaking functionality. If your server needs to allow only certain other servers to connect and you are the only one who has any business ssh-ing into it then allowing only those IPs and only those ports is a very good idea.
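    The source-IP allowlisting described in this post, as an added example that is not part of the thread or of any project discussed in it: a POSIX shell script that renders an nftables ruleset with a default-drop input policy and per-address accept rules for SSH (or any other TCP port). The addresses and ports in `ALLOW_RULES` are constructed placeholders, not anyone's real management hosts.

```shell
#!/bin/sh
# Added example (not from the thread): render an nftables ruleset that admits
# SSH (and any other listed TCP port) only from an explicit list of source
# addresses and drops all other inbound traffic. The entries in ALLOW_RULES are
# constructed placeholders; substitute the hosts that actually need access.
set -eu

# Constructed sample allowlist, one "cidr:port" pair per line.
ALLOW_RULES="203.0.113.10/32:22
198.51.100.0/24:22
203.0.113.10/32:443"

# render_ruleset: read newline-separated "cidr:port" pairs on stdin and print a
# complete nftables ruleset. Loopback and established/related traffic are
# accepted so outbound connections and local services keep working; everything
# else inbound falls through to the chain's drop policy.
render_ruleset() {
    printf '%s\n' 'table inet filter {'
    printf '%s\n' '  chain input {'
    printf '%s\n' '    type filter hook input priority 0; policy drop;'
    printf '%s\n' '    iif lo accept'
    printf '%s\n' '    ct state established,related accept'
    printf '%s\n' '    ct state invalid drop'
    while IFS=: read -r cidr port; do
        [ -n "$cidr" ] || continue
        printf '    ip saddr %s tcp dport %s accept\n' "$cidr" "$port"
    done
    printf '%s\n' '  }'
    printf '%s\n' '}'
}

# allowed_count: number of accept rules rendered for a given TCP port, used as
# a sanity check that every intended source made it into the ruleset.
allowed_count() {
    printf '%s\n' "$ALLOW_RULES" | render_ruleset | grep -c "tcp dport $1 accept"
}

# check_ruleset: syntax-check the rendered ruleset with nft's dry-run mode
# (-c) when nft is installed; succeeds without doing anything otherwise.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        printf '%s\n' "$ALLOW_RULES" | render_ruleset | nft -c -f -
    fi
}

# Print the ruleset so it can be reviewed and then loaded with
# `nft -f <file>` (or persisted via the distribution's nftables service).
printf '%s\n' "$ALLOW_RULES" | render_ruleset
```

    Note that `ip saddr` only matches IPv4 sources; if management hosts reach the server over IPv6, add matching `ip6 saddr` rules, and load the ruleset from a console or out-of-band session first so a typo in the allowlist cannot lock you out.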

  • matey0 Member

    @Maounique said: Allowing only certain IPs in the firewall would block that but

    Well, duh. Of course if the service is totally inaccessible to an attacker over the network it's not practically exploitable. Doesn't change the fact that it's theoretically vulnerable (for example as a local root privilege escalation exploit).

  • Maounique Host Rep, Veteran
    edited April 1

    @matey0 said: Well, duh.

    As I said, not a criticism :)

    Many ppl read here, some of them newbies running a game server and whatnot, I try to be Captain Obvious for most people here but also give some info and ideas to newbies.

    Thanked by 1: raindog308
  • matey0 Member

    @Maounique said:

    @matey0 said: Well, duh.

    As I said, not a criticism :)

    Many ppl read here, some of them newbies running a game server and whatnot, I try to be Captain Obvious for most people here but also give some info and ideas to newbies.

    Yeah, I think my response came off more rude than I intended, sorry.
    The advice you gave is good and cases like these show how this kind of firewall "paranoia" is just sound security practice that prevents headaches down the road!

    Thanked by 1: Maounique