Search the Community

The OpenJS Foundation, which oversees multiple JavaScript projects, thwarted a takeover attempt of at least one project that has echoes of the dangerous backdoor found in versions of the XZ Utils data compression library that failed only because a Microsoft engineer incidentally discovered it. The malicious code targeting XZ Utils was put together over two.. The post XZ Utils-Like Takeover Attempt Targets the OpenJS Foundation appeared first on Security Boulevard. View the full article

Executive Summary On March 29, 2024, developer Andres Freund reported the discovery of a backdoor in XZ Utils, affecting v5.6.0 and 5.6.1. XZ Utils, which provides compression tools for the .xz format, is included in a wide range of Linux distributions and projects. Tracked by CVE-2024-3094, this backdoor gives a specific attacker Remote Code Execution … Read More The post Balbix Guide to XZ Utils Backdoor appeared first on Security Boulevard. View the full article

The post The XZ backdoor: What security managers can learn appeared first on Click Armor. The post The XZ backdoor: What security managers can learn appeared first on Security Boulevard. View the full article

CVE-2024-3094 is a critical Remote Code Execution (RCE) vulnerability found in the popular open-source XZ Utils library. This vulnerability affects XZ Utils versions 5.6.0 and 5.6.1 and could enable unauthorized attackers to gain remote access to affected systems. About XZ Utils XZ Utils is very popular on Linux. It supports lossless data compression on almost […] The post CVE-2024-3094: RCE Vulnerability Discovered in XZ Utils appeared first on Kratikal Blogs. The post CVE-2024-3094: RCE Vulnerability Discovered in XZ Utils appeared first on Security Boulevard. View the full article

Vulnerability Overview Recently, NSFOCUS CERT detected that the security community disclosed a supply chain backdoor vulnerability in XZ-Utils (CVE-2024-3094), with a CVSS score of 10. Since the underlying layer of SSH relies on liblzma, when certain conditions are met, an attacker can use this vulnerability to bypass SSH authentication and gain unauthorized access on the […] The post XZ-Utils Supply Chain Backdoor Vulnerability Updated Advisory (CVE-2024-3094) appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.. The post XZ-Utils Supply Chain Backdoor Vulnerability Updated Advisory (CVE-2024-3094) appeared first on Security Boulevard. View the full article

What can be done to protect open source devs from next xz backdoor drama?View the full article

... Read more » The post xz backdoor Part 2: On the Importance of Runtime Security in the Age of OSS Backdoors appeared first on Deepfactor. The post xz backdoor Part 2: On the Importance of Runtime Security in the Age of OSS Backdoors appeared first on Security Boulevard. View the full article

The beta version of Ubuntu 24.04 won’t be released on time, the developers have confirmed, following concerns about a major security threat. Instead of launching on April 4, the latest Ubuntu version, which also holds the codename Noble Numbat, will now be released on April 11 after developers Canonical decided to push the release for a week because of the discovery of CVE-2024-3094, a critical vulnerability recently discovered in xz-utils. XZ-utils is a set of data compression tools and libraries used by major Linux distros. The vulnerability was introduced to XZ version 5.6.0 by a pseudonymous attacker, and persisted throughout 5.6.1 as well. Securing future versions The majority of Linux distros seem to be affected by the flaw. Ubuntu 24.04 (but not older versions), Red Hat, Fedora Rawhide, and Fedora 40, as well as some Kali Linux versions, and some Arch Linux installation media, are affected. Red Hat Enterprise Linux (RHEL) versions, stable Debian releases, as well as Linux Mint, Gentoo Linux, Alpine Linux and Amazon Linux are not affected, it was said. In the Discourse post, Canonical said it will “remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments." This should make the latest Ubuntu release safe from the vulnerability which was given a severity score of 10.0. Tom’s Hardware speculates that the launch of the final 24.04 version - planned for April 25 - could also be delayed. A survey on Mastodon, set up by a former Canonical employee, showed that out of roughly 100 respondents, only a slim majority (56% versus 44%) expects the version to be released on time. Earlier this week, Binarly released a free scanner to make hunting for the flaw faster, more seamless, and with fewer false positives. More from TechRadar Pro Huge backdoor discovered that could compromise SSH logins on LinuxHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

The discovery of the backdoor in xz utils compression software last week has shone a spotlight on the threats to the digital supply chain. Wired has an excellent analysis on the attack, theorizing the years-long campaign may have been by the Russian foreign intelligence service (which was also behind the SUNBURST aka Solarwinds attack). Here […] The post XZ and the Threats to the Digital Supply Chain appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise. The post XZ and the Threats to the Digital Supply Chain appeared first on Security Boulevard. View the full article

The Ubuntu 24.04 beta has been delayed for a week due to malicious code in the xz-utils package. Updates and fixes are being worked on. View the full article

xz is a widely distributed package that provides lossless compression for both users and developers, and is included by default in most, if not all, Linux distributions. Created in 2009, it has since released numerous versions. As an open-source project, it is available on GitHub. However, as of the time of writing this article, attempting […] The post A Deep Dive on the xz Compromise appeared first on TuxCare. The post A Deep Dive on the xz Compromise appeared first on Security Boulevard. View the full article

The cybersecurity world got really lucky last week. An intentionally placed backdoor in xz Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From ArsTehnica: Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware... The post xz Utils Backdoor appeared first on Security Boulevard. View the full article

I have been recently watching The Americans, a decade-old TV series about undercover KGB agents living disguised as a normal American family in Reagan’s America in a paranoid period of the Cold War. I was not expecting this weekend to be reading mailing list posts of the same type of operation being performed on open source maintainers by agents with equally shadowy identities (CVE-2024-3094). As The Grugq explains, “The JK-persona hounds Lasse (the maintainer) over multiple threads for many months. Fortunately for Lasse, his new friend and star developer is there, and even more fortunately, Jia Tan has the time available to help out with maintenance tasks. What luck! This is exactly the style of operation a HUMINT organization will run to get an agent in place. They will position someone and then create a crisis for the target, one which the agent is able to solve.” The operation played out over two years, getting the agent in place, setting up the infrastructure for the attack, hiding it from various tools, and then rushing to get it into Linux distributions before some recent changes in systemd were shipped that would have stopped this attack from working. An equally unlikely accident resulted when Andres Freund, a Postgres maintainer, discovered the attack before it had reached the vast majority of systems, from a probably accidental performance slowdown. Andres says, “I didn’t even notice it while logging in with SSH or such. I was doing some micro-benchmarking at the time and was looking to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd. Which showed lots of cpu time in code with perf unable to attribute it to a symbol, with the dso showing as liblzma. Got suspicious. Then I recalled that I had seen an odd valgrind complaint in my automated testing of Postgres, a few weeks earlier, after some package updates were installed. Really required a lot of coincidences.” It is hard to overstate how lucky we were here, as there are no tools that will detect this vulnerability. Even ex-post it is not possible to detect externally as we do not have the private key needed to trigger the vulnerability, and the code is very well hidden. While Linus’s law has been stated as “given enough eyeballs all bugs are shallow,” we have seen in the past this is not always true, or there are just not enough eyeballs looking at all the code we consume, even if this time it worked. In terms of immediate actions, the attack appears to have been targeted at subset of OpenSSH servers patched to integrate with systemd. Running SSH servers in containers is rare, and the initial priority should be container hosts, although as the issue was caught early it is likely that few people updated. There is a stream of fixes to liblzma, the xz compression library where the exploit was placed, as the commits from the last two years are examined, although at present there is no evidence that there are exploits for any software other than OpenSSH included. In the Docker Scout web interface you can search for “lzma” in package names, and issues will be flagged in the “high profile vulnerabilities” policy. So many commentators have simple technical solutions, and so many vendors are using this to push their tools. As a technical community, we want there to be technical solutions to problems like this. Vendors want to sell their products after events like this, even though none even detected it. Rewrite it in Rust, shoot autotools, stop using GitHub tarballs, and checked-in artifacts, the list goes on. These are not bad things to do, and there is no doubt that understandability and clarity are valuable for security, although we often will trade them off for performance. It is the case that m4 and autotools are pretty hard to read and understand, while tools like ifunc allow dynamic dispatch even in a mostly static ecosystem. Large investments in the ecosystem to fix these issues would be worthwhile, but we know that attackers would simply find new vectors and weird machines. Equally, there are many naive suggestions about the people, as if having an identity for open source developers would solve a problem, when there are very genuine people who wish to stay private while state actors can easily find fake identities, or “just say no” to untrusted people. Beware of people bringing easy solutions, there are so many in this hot-take world. Where can we go from here? Awareness and observability first. Hyper awareness even, as we see in this case small clues matter. Don’t focus on the exact details of this attack, which will be different next time, but think more generally. Start by understanding your organization’s software consumption, supply chain, and critical points. Ask what you should be funding to make it different. Then build in resilience. Defense in depth, and diversity — not a monoculture. OpenSSH will always be a target because it is so widespread, and the OpenBSD developers are doing great work and the target was upstream of them because of this. But we need a diverse ecosystem with multiple strong solutions, and as an organization you need second suppliers for critical software. The third critical piece of security in this era is recoverability. Planning for the scenario in which the worst case has happened and understanding the outcomes and recovery process is everyone’s homework now, and making sure you are prepared with tabletop exercises around zero days. This is an opportunity for all of us to continue working together to strengthen the open source supply chain, and to work on resilience for when this happens next. We encourage dialogue and discussion on this within Docker communities. Learn more Docker Scout dashboard: https://scout.docker.com/vulnerabilities/id/CVE-2024-3094 NIST CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-3094 View the full article

The open source community, federal agencies and cybersecurity researchers are busy trying to get their hands around the security near-miss of the backdoor found in versions of the popular XZ Utils data compression library. The malicious code apparently was methodically put together by bad actors over more than two years. It was incidentally discovered by.. The post The Cybersecurity Industry Starts Picking Through Malicious XZ Utils Code appeared first on Security Boulevard. View the full article

As sure as long weekends arrive in the western world, so too does news of new supply chain attacks. The easter bank holidays were no exception, with the discovery of a targeted attack against the popular XZ compression utility seen in many linux distributions such as fedora, debian to name a few. The post CVE-2024-3094 The targeted backdoor supply chain attack against XZ and libzma appeared first on Security Boulevard. View the full article

The Mend.io research team detected more than 100 malicious packages targeting the most popular machine learning (ML) libraries from the PyPi registry. The post Critical Backdoor Found in XZ Utils (CVE-2024-3094) Enables SSH Compromise appeared first on Mend. The post Critical Backdoor Found in XZ Utils (CVE-2024-3094) Enables SSH Compromise appeared first on Security Boulevard. View the full article