XZ-Utils/liblzma Backdoor, what to do?

What is happening?

A recent discovery has revealed that a version of liblzma5, a popular open-source software library utilized in xz-utils (formerly LZMA Utils), may have been compromised with a sophisticated backdoor. This compromise potentially enables unauthorized remote access to systems or even remote code execution.

XZ Utils, a collection of free software command-line lossless data compressors, relies on these libraries for its functionality. Moreover, critical Linux system tools like Systemd and OpenSSH also utilize these algorithms and libraries.

It’s important to note that this situation is still unfolding, with ongoing research focused on analyzing the backdoor payload. At this stage, it remains unclear whether the backdoor was specifically targeting SSH or if it poses a threat to other services as well.

Who is affected?

It’s crucial to note that systems utilizing liblzma5 versions 5.6.0 or 5.6.1 are vulnerable to this attack. While these versions are relatively recent, it’s important to assess your system’s vulnerability, especially if you’re on a rolling-release Linux distribution.

The attack appears to specifically target package management systems like Apt (used in Debian and Ubuntu) and RPM-based distributions like Fedora. Additionally, it aims at a combination of Systemd and OpenSSH, indicating a potential threat to systems utilizing these services.

Given the possibility that the attacker had access to modify the Git commit history, it’s prudent to exercise caution and not dismiss the possibility of older versions or alternative exploits existing.

Furthermore, it’s essential to recognize that the scope of this attack might extend beyond Apt and RPM-based distributions, potentially impacting a broader range of operating systems and package management systems. Therefore, vigilance and proactive measures are advisable to mitigate potential risks.

What steps do I need to take?

1, Check the version currently installed, and make sure to upgrade to your distro's currently recommended version, ESPECIALLY if you are also using systemd.

Below are some other useful commands to do a bit of system reconnaissance with.

				
					# Check if Systemd is in use
# If symlink looks like this, yes
ls -al /sbin/init
> lrwxrwxrwx 1 root root 20 Jan 27 08:48 /sbin/init -> /lib/systemd/systemd

# Check if OpenSSH is linked to liblzma5
ldd `which sshd` |grep liblzma
> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f857d097000)

# Debian/Ubuntu check lib version
apt show liblzma5 |grep Version
> Version: 5.4.1-0.2

# Fedora/Redhat check lib version
yum info xz-libs |grep Version
> Version      : 5.4.4
				
			

2, Make sure you have public SSH disabled for now if possible; it's still unknown how this backdoor can be triggered or whether there are other similar backdoors in the code base.

You can do this using iptables or, if you're in the cloud, a security group.
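The two steps above, put together into one small POSIX shell script. This is an added example and not code from the original post: the package names (liblzma5 on Debian/Ubuntu, xz-libs on Fedora/Red Hat), the affected versions (5.6.0 and 5.6.1) and the ldd check are taken from the post, while the function names and the ALLOWED_CIDR default are assumptions of the example. The version check strips the distro's epoch and packaging revision before comparing, so a Debian string such as "5.6.1-1" is classified correctly; the iptables rules for step 2 are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the original post): automate the version check,
# the sshd/liblzma link check and the SSH lockdown rules from the two steps above.
# Package names, affected versions and the ldd check come from the post;
# function names and ALLOWED_CIDR are assumptions of this example.

ALLOWED_CIDR="${ALLOWED_CIDR:-10.0.0.0/8}"   # assumed management network, adjust

# Step 1a: classify a package version string. Strips a Debian epoch ("2:")
# and a packaging revision ("-0.2"), then returns 0 for the two backdoored
# upstream releases named in the post and 1 for anything else.
xz_version_affected() {
    upstream=$(printf '%s' "$1" | sed 's/^[0-9]*://; s/-.*$//')
    case "$upstream" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 1b: ask whichever package manager is present for the installed
# liblzma version. Prints nothing if neither dpkg nor rpm is available.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' xz-libs 2>/dev/null || true
    fi
}

# Step 1c: the post's ldd check as a function.
# Prints one of "linked", "not-linked" or "no-sshd".
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd_path" ]; then
        echo "no-sshd"
    elif ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "linked"
    else
        echo "not-linked"
    fi
}

# Step 2: emit iptables rules that keep sshd reachable only from the given
# CIDR. The rules are printed, not executed, so this runs without root;
# review them, then pipe them into sh on the host if they are what you want.
ssh_restrict_rules() {
    cidr="$1"
    printf 'iptables -I INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$cidr"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Tie it together. Returns 1 when the installed version is in the affected range.
assess_host() {
    ver=$(installed_xz_version)
    status=0
    if [ -z "$ver" ]; then
        echo "liblzma version: unknown (neither dpkg nor rpm found)"
    elif xz_version_affected "$ver"; then
        echo "liblzma version: $ver is AFFECTED - upgrade now"
        status=1
    else
        echo "liblzma version: $ver is outside the affected range"
    fi
    echo "sshd linked against liblzma: $(sshd_links_liblzma)"
    echo "Rules to restrict SSH to $ALLOWED_CIDR (review before applying):"
    ssh_restrict_rules "$ALLOWED_CIDR"
    return $status
}

assess_host || echo "Action required: upgrade liblzma and restrict SSH access."
```

Run it on each host as a normal user; it only reads package metadata and the sshd link map. On a cloud host the printed iptables rules are the local equivalent of restricting port 22 in the security group, which is the simpler option there.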


If in doubt

If in doubt about any of the above or you’re not sure if this situation applies to you feel free to contact us at sales@appcentric.com.au.
