Mar 29 2024 - xz/liblzma potential compromise



Someone passed this around a Discord that I'm in and I figured I'd share it here given Debian usage. It was posted today (Date: Fri, 29 Mar 2024 08:51:26 -0700):

https://www.openwall.com/lists/oss-security/2024/03/29/4

Excerpt: 

== Compromised Repository ==

The files containing the bulk of the exploit are in an obfuscated form in tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma committed upstream. They were initially added in https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
Note that the files were not even used for any "tests" in 5.6.0. Subsequently the injected code (more about that below) caused valgrind errors and crashes in some configurations, due to the stack layout differing from what the backdoor was expecting. These issues were attempted to be worked around in 5.6.1:
https://github.com/tukaani-project/xz/commit/e5faaebbcf02ea880cfc56edc702d4f7298788ad
https://github.com/tukaani-project/xz/commit/72d2933bfae514e0dbb123488e9f1eb7cf64175f
https://github.com/tukaani-project/xz/commit/82ecc538193b380a21622aea02b0ba078e7ade92

For which the exploit code was then adjusted: https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89

Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the "fixes" mentioned above. Florian Weimer first extracted the injected code in isolation, also attached, liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks!

9 hours ago, RedCat-51 said:

xz --version

Unraid 6.12.9 is also unaffected with version 5.4.1.

Popular docker containers with 5.6(.1) I found:

- binhex/arch-prowlarr

- binhex/arch-sabnzbd

- binhex/arch-sonarr

It seems binhex/arch-radarr is unaffected with version 5.4.5.


Just a quick script you can run in your terminal to output container IDs and the corresponding xz version. Anything below 5.6.0 should be fine:

for containerId in $(docker ps -q); do echo "$containerId" && docker exec "$containerId" sh -c 'xz --version 2>&1 | head -n 1'; done

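An added example (not code from the original post) that builds on the one-liner above: it reads the `xz --version` banner of each running container and labels it, flagging exactly the two releases this thread names (5.6.0 and 5.6.1) as affected. The `docker ps --format` / `docker exec` calls and the sample banner are assumptions for illustration; the banner text is constructed in the layout xz actually prints.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post): classify the
# `xz --version` banner of each running container as affected or not. The
# affected releases are the two the thread names, 5.6.0 and 5.6.1.

# Print the "X.Y.Z" version from the first line of an `xz --version` banner
# ("xz (XZ Utils) 5.6.1"); prints nothing for an empty banner.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 && NF > 0 { print $NF; exit }'
}

# Map a version string to a status: the two backdoored releases are
# "affected", any other X.Y.Z is "not-flagged", an empty string means no xz.
xz_status() {
    case "$1" in
        5.6.0|5.6.1)          echo "affected" ;;
        [0-9]*.[0-9]*.[0-9]*) echo "not-flagged" ;;
        "")                   echo "no-xz" ;;
        *)                    echo "unknown" ;;
    esac
}

# One line per running container: id, name, xz version and status.
# Containers without xz (or without a shell) are reported as "no-xz".
scan_containers() {
    docker ps --format '{{.ID}} {{.Names}}' | while read -r id name; do
        banner=$(docker exec "$id" sh -c 'xz --version 2>/dev/null' 2>/dev/null || true)
        ver=$(xz_version_from_banner "$banner")
        printf '%-12s %-28s %-8s %s\n' "$id" "$name" "${ver:-none}" "$(xz_status "$ver")"
    done
}

# Constructed sample banner (same layout as real `xz --version` output).
SAMPLE_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if command -v docker >/dev/null 2>&1; then
    scan_containers
else
    # No docker here: demonstrate the classifier on the constructed banner.
    v=$(xz_version_from_banner "$SAMPLE_BANNER")
    printf 'sample banner: version %s -> %s\n' "$v" "$(xz_status "$v")"
fi
```

Containers that lack a shell or xz show up as "no-xz" rather than breaking the loop, which is the case the bare one-liner above trips over.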
21 minutes ago, ChatNoir said:

There has been a bunch of binhex containers updated.

Have you checked before or after the updates?

I checked again today after updating my binhex containers.

 

On 3/30/2024 at 12:45 PM, YoHoNoMo said:

Unraid 6.12.9 is also unaffected with version 5.4.1.

Popular docker containers with 5.6(.1) I found:

- binhex/arch-prowlarr

- binhex/arch-sabnzbd

- binhex/arch-sonarr

It seems binhex/arch-radarr is unaffected with version 5.4.5.

Latest updates changed binhex/arch-radarr to version 5.6.1. It is now affected as well.

2 hours ago, YoHoNoMo said:

I checked again today after updating my binhex containers.

Latest updates changed binhex/arch-radarr to version 5.6.1. It is now affected as well.


Curious if anyone has established which versions of the various Binhex containers don't have the affected xz packages. In the meantime I plan to roll back to older versions of the docker containers until xz has moved beyond this version or been removed from the affected packages.

Edit: I added a few of the binhex docker containers I found that shouldn't be vulnerable with this version of xz. Hope this helps!

sabnzbd 4.2.2-1-01
privoxyvpn 3.0.34-1-08
prowlarr 1.13.3.4273-1-01
plexpass 1.40.1.8227-1-01
 

Edited by MikeAH
Added Binhex versions I found without 5.6.*
13 minutes ago, dopeytree said:

Presume the / is messing up searching?

It does not find it within the thread even if there are plenty of standalone occurrences of it either.

Many search systems ignore search terms shorter than 3-4 chars.

Edited by Kilrah

Yeah. I went the extra step and converted to direct repository or linuxserver dockers.

I don’t recommend it if you don’t know how this all works (I don’t want to have to support people that lose their app configs) but if you do know how, take a look:

https://github.com/shanelord01/unraid_templates

Need to stop the current containers, copy the contents of the applicable appdata/binhex-xxxx folder to an appdata/xxxx folder, note down all of the settings from the binhex-xxxx docker (then remove the docker app) and start the new one (using the user template) with the same settings.


1 hour ago, thatsthefrickenlightning said:

Thanks for taking the time to let us know. Would it be wise to stop binhex containers in the meantime?

This vulnerability is only "triggered" when connecting to an ssh server running on a system with the vulnerable lib. Most containers do not have an ssh server, and only in extremely rare cases you would know about (e.g. a git server container) would that ssh server actually be exposed for someone to connect to. So no. 

Edited by Kilrah
On 4/2/2024 at 12:58 PM, zoggy said:

there is also this scanner: https://xz.fail/

info: https://www.bleepingcomputer.com/news/security/new-xz-backdoor-scanner-detects-implant-in-any-linux-binary/

For those that don't want to rely on running xz to check versions:

ldd /path/to/xz

then drop the liblzma.so* file into the scanner.

What exactly am I supposed to drop in the scanner? I don't see a *.elf file?
