Hi,
This is an update on some developments over the past two weeks.
OpenSSH
=======
For upstream OpenSSH, Damien Miller and others have implemented systemd
notifications without reliance on libsystemd:
Bug 2641 - Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641
"Committed as 08f579231cd38 and will be in OpenSSH-9.8, due around
June/July."
In response to Andres Freund's proposal, Damien also implemented a patch
to reduce OpenSSH's attack surface:
Bug 3675 - CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675
not yet committed?
systemd
=======
Upstream systemd's libsystemd has been modified to dlopen() many of its
dependency libraries on demand:
Reduce dependencies of libsystemd #32028
https://github.com/systemd/systemd/issues/32028
The issue above is fixed by pull requests "gcrypt: dlopenify for
libsystemd #32019", "Dynamically load compression libraries #31550",
"man: document that using sd_journal APIs might cause dlopen to happen
and add self-contained notify protocol example #32030", and other
related fix-ups.
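Since both items above boil down to "you don't need libsystemd to tell systemd you're ready", here is an added example (my own, not OpenSSH's new code nor the example systemd upstream added to its man page in #32030) of what the notify protocol actually is: one datagram on the AF_UNIX socket named by $NOTIFY_SOCKET. The self-test function stands in for the service manager by binding its own socket under a constructed temporary path, so the whole thing runs offline without systemd.

```c
/* Added example, not OpenSSH's or systemd's own code: a minimal
 * implementation of the systemd notify protocol that speaks directly to
 * the AF_UNIX datagram socket named by $NOTIFY_SOCKET, so a daemon can
 * report "READY=1" without linking libsystemd (and thus without pulling
 * libsystemd's transitive dependencies, liblzma included, into sshd). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one state message (e.g. "READY=1\nSTATUS=Listening") to the
 * manager. Returns 1 if sent, 0 if $NOTIFY_SOCKET is unset (not running
 * under systemd, nothing to do), -1 on error with errno set. */
int notify_systemd(const char *state)
{
	const char *path = getenv("NOTIFY_SOCKET");
	struct sockaddr_un addr;
	socklen_t alen;
	size_t plen, slen;
	int fd, saved;
	ssize_t n;

	if (path == NULL || *path == '\0')
		return 0;
	/* Only absolute paths and '@'-prefixed abstract names are valid. */
	if (path[0] != '/' && path[0] != '@') {
		errno = EINVAL;
		return -1;
	}
	plen = strlen(path);
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	if (plen >= sizeof(addr.sun_path)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	memcpy(addr.sun_path, path, plen);
	if (path[0] == '@') {
		/* Abstract socket: leading NUL, length excludes a trailing NUL. */
		addr.sun_path[0] = '\0';
		alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
	} else {
		alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen + 1);
	}

	if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
		return -1;
	(void)fcntl(fd, F_SETFD, FD_CLOEXEC);	/* don't leak the fd to children */
	slen = strlen(state);
	n = sendto(fd, state, slen, 0, (struct sockaddr *)&addr, alen);
	saved = errno;
	close(fd);
	if (n < 0 || (size_t)n != slen) {
		errno = (n < 0) ? saved : EMSGSIZE;
		return -1;
	}
	return 1;
}

/* Self-test harness (constructed for this example): stand in for the
 * service manager by binding a datagram socket at a temporary path,
 * point $NOTIFY_SOCKET at it, send `state` through notify_systemd() and
 * copy what arrives into `out`. Returns bytes received, or -1 on failure. */
ssize_t notify_selftest(const char *state, char *out, size_t outlen)
{
	char dir[] = "/tmp/notify-XXXXXX";
	char path[sizeof(dir) + 8];
	struct sockaddr_un addr;
	struct timeval tv = { 2, 0 };
	int fd;
	ssize_t n = -1;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/notify", dir);
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
	if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
		goto out_dir;
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
		goto out_fd;
	setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
	setenv("NOTIFY_SOCKET", path, 1);
	if (notify_systemd(state) == 1)
		n = recv(fd, out, outlen, 0);
out_fd:
	close(fd);
	unlink(path);
out_dir:
	rmdir(dir);
	unsetenv("NOTIFY_SOCKET");
	return n;
}

int main(void)
{
	char buf[256];
	ssize_t n = notify_selftest("READY=1\nSTATUS=Accepting connections",
	    buf, sizeof(buf) - 1);

	if (n < 0) {
		perror("selftest");
		return 1;
	}
	buf[n] = '\0';
	printf("manager received %zd bytes:\n%s\n", n, buf);
	return 0;
}
```

Note what is deliberately absent: no library, no JSON, no compression, no crypto. The message is a newline-separated KEY=VALUE list in one datagram, which is why a daemon like sshd can speak it in a few dozen lines and drop a dependency whose own dependency chain was the xz delivery vector.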
xz backdoor analysis
====================
More findings were made about the backdoor's functionality, notably as
published on April 6 by blasty, who discovered that besides triggering
system() the backdoor also allows interactive sessions:
https://twitter.com/bl4sty/status/1776691497506623562
blasty also implemented a "simple SSH Agent that implements some of the
XZ sshd backdoor functionality":
https://github.com/blasty/JiaTansSSHAgent
On Sun, Mar 31, 2024 at 10:25:02PM +0200, Solar Designer wrote:
Updates of smx-smx's gist above have stopped at revision 60, which I'm
attaching here for archival. Not a lot was added since revision 52.
smx-smx also maintains xzre "that is linked against the malicious object
file in order to instrument and call into the malware code, particularly
the x64 disassembler":
https://github.com/smx-smx/xzre
and yes, there's a specialized disassembler inside the backdoor code.
The friends at Binarly have produced a later but very detailed analysis,
whose main .md file I'm also attaching:
https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor
Other related repos with tools include:
xzbot "notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)"
https://github.com/amlweems/xzbot
xz-min "Minimal setup to trigger the xz backdoor"
https://github.com/felipec/xz-min
Timeline
========
In an otherwise inappropriate rejected posting, Steffen Nurpmeso wrote:
which is a good presentation of the attack timeline, with references to
sources and analyses by others.
(The beginning of this oss-security thread until April 1st inclusive
went through in its entirety - nothing rejected - but I did reject a few
postings on April 2nd and on.)
OpenJS Foundation "Failed Credible Takeover Attempt"
====================================================
On April 15, the OpenJS and OpenSSF foundations released the following:
https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
I'll quote an excerpt:
Alexander