#security (2024-04)

Archive: https://archive.sweetops.com/security/

2024-04-04

Hao Wang avatar
Hao Wang
Hao Wang avatar
Hao Wang

thanks to this gentleman, “the distros are built from released tar files but not from source codes”

Hao Wang avatar
Hao Wang

one of the reasons that xz cve happened (even though it is not the main reason, but a reminder)

Hao Wang avatar
Hao Wang

there will be more similar cves got disclosed, just a feeling

2024-04-06

Hao Wang avatar
Hao Wang
eBPF & Tetragon: Tools for detecting XZ Utils CVE 2024-3094 Exploit - Isovalentattachment image

Detecting XZ Utils liblzma CVE 2024-3094 backdoor exploit with Tetragon and eBPF. Includes ready to apply yaml policy.

Hao Wang avatar
Hao Wang

the person behind the hack should know kernel very well, the bash script reminds me the booting codes of Linux kernel

eBPF & Tetragon: Tools for detecting XZ Utils CVE 2024-3094 Exploit - Isovalentattachment image

Detecting XZ Utils liblzma CVE 2024-3094 backdoor exploit with Tetragon and eBPF. Includes ready to apply yaml policy.

Hao Wang avatar
Hao Wang

The open-source project owners who are experiencing mental health issues are the targets of social engineering

this1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t even think it requires “mental health” issues.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There’s a classic post about what it’s like to be an open-source maintainer. It can take some thick skin to be successful at it. Of course, it’s only exasperated by mental health issues, and there are so many trolls out there. Anyone with a penchant for pleasing others, those who have trouble saying “no,” or generally trusting individuals are all susceptible to this kind of attack.

https://nolanlawson.com/2017/03/05/what-it-feels-like-to-be-an-open-source-maintainer/

What it feels like to be an open-source maintainer

Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them,…

Hao Wang avatar
Hao Wang

just a reminder from long time observation, they are very very low…

Hao Wang avatar
Hao Wang

when this xz happened at the first time, I got a question on my mind, the English commit messages are so fluent, https://research.swtch.com/xz-timeline. Did the xz owner Lasse Collin talked to Jia Tan before, either face to face or voice? Did anyone know Lasse Collin or see him before? When did ssh include liblzma?

Hao Wang avatar
Hao Wang

libsystemd does depend on lzma , does this mean systemd is hacked?

Hao Wang avatar
Hao Wang
Filippo Valsorda (@filippo.abyssdomain.expert)

I’m watching some folks reverse engineer the xz backdoor, sharing some preliminary analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server’s host key by a fixed Ed448 key, and then passes a payload to system().

It’s RCE, not auth bypass, and gated/unreplayable.

[contains quote post or other embedded content]

Hao Wang avatar
Hao Wang
blasty (@bl4sty) on Xattachment image

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there’s still more to explore.. 1/n

Hao Wang avatar
Hao Wang
Danielle Aminov (@AminovDanielle) on Xattachment image

I’ve been looking into how the xz backdoor works and drew this sketch to make it easier to understand. I’ll update it as new information comes to light

Hao Wang avatar
Hao Wang
This backdoor almost infected Linux everywhere: The XZ Utils close callattachment image

For the first time, an open-source maintainer put malware into a key Linux utility. We’re still not sure who or why - but here’s what you can do about it.

Hao Wang avatar
Hao Wang
blasty (@bl4sty) on Xattachment image

some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. https://t.co/93Y7Ha3V8N

Hao Wang avatar
Hao Wang
blasty (@bl4sty) on Xattachment image

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there’s still more to explore.. 1/n

Hao Wang avatar
Hao Wang
CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blogattachment image

CVE-2024-3094 is a malicious code vulnerability in versions 5.6.0 and 5.6.1 of XZ Utils, enabling an SSH authentication bypass in certain Linux distributions

Hao Wang avatar
Hao Wang
Kaspersky analysis of the backdoor in XZattachment image

Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.

Hao Wang avatar
Hao Wang
Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Filesattachment image

Malicious “test files” linked to the XZ Utils backdoor found in popular Rust crate liblzma-sys, downloaded over 21,000 times.

2024-04-07

2024-04-08

2024-04-09

2024-04-11

Hao Wang avatar
Hao Wang

Why CISA is Warning CISOs About a Breach at Sisense

Hao Wang avatar
Hao Wang
Why CISA is Warning CISOs About a Breach at Sisense

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard.…

2024-04-12

    keyboard_arrow_up