[cfarm-users] CVE-2024-3094 (compromised xz-utils / liblzma)

Jing Luo jing at jing.rocks
Sat Mar 30 12:47:21 CET 2024


On 2024-03-30 18:49, Baptiste Jonglez via cfarm-users wrote:
> Hello,
> 
> As you probably have heard, a seriously compromised version of xz-utils
> and liblzma successfully made its way into Debian unstable and testing:
> 
>   https://lists.debian.org/debian-security-announce/2024/msg00057.html
> 
>   https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> According to our investigation, only a single machine of the cfarm has
> been using the compromised packages: cfarm421.
> 
> As a remediation, we have updated the xz-utils packages on Fri Mar 29
> 17:23 UTC and rebooted the host.
> 
> Nobody seems to know yet what the malicious payload was doing exactly,
> except that it targeted sshd.  If the malicious payload was allowing a
> specific SSH key from an attacker, it would have been hard to exploit
> because of the custom SSH port on cfarm421 and the relatively short
> timespan for exploitation (from 2024-03-18 to 2024-03-29).  We have
> found no trace indicating that the system has been compromised.
> 
> If you have been connecting over SSH to cfarm421 since it was made
> available on the farm, you should be aware that you have connected to a
> sshd daemon that was running a malicious payload.  We should hopefully
> learn in the coming days whether this is a serious problem or not.
> 
> Regards,
> Baptiste, for the cfarm admin team
> 
> _______________________________________________
> cfarm-users mailing list
> cfarm-users at lists.tetaneutral.net
> https://lists.tetaneutral.net/listinfo/cfarm-users


Unfortunately cfarm420 was also affected, as I found out. cfarm420 is
running Arch Linux. As an emergency remediation, the package "xz" was
upgraded to 5.6.1-2 at 2024-03-30T01:34:39+0000. No one was logged in at
that time. No trace of compromise has been found so far in journald. In
the process I also found that cfarm420 wasn't very popular anyway, judging
by the number of ssh login attempts...

https://archlinux.org/news/the-xz-package-has-been-backdoored/

https://lists.archlinux.org/archives/list/arch-announce@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/

Other packages were also upgraded in the process, notably "curl"
(8.7.1-3), "linux" and "linux-headers" (6.8.2.arch2-1). A reboot was
done afterwards.

Let's hope this compromise doesn't turn out to be a serious issue in the
end. Among the 3 hosts I maintain, cfarm421 is the most popular,
followed by cfarm420 and cfarm422. Note that although the "official"
custom SSH ports (2242x) are announced on the machine list, it is still
possible to connect to these 3 hosts using the standard SSH port 22, over
IPv6 only. This has been undocumented.

-- 
Jing Luo
About me: https://jing.rocks/about/
PGP Fingerprint: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC
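Both messages above describe the same check: look through journald for SSH logins that happened while the backdoored xz packages were installed (2024-03-18 to 2024-03-29 on cfarm421). The script below is an added example of that check and is not from the cfarm admins or from the thread. It assumes a `journalctl -u sshd -o short-iso` style export (the unit is `ssh` rather than `sshd` on Debian-family hosts), and the log lines embedded in it are constructed, with made-up hostnames, users and addresses.

```shell
#!/bin/sh
# Added example (not part of the cfarm-users thread): list and count successful
# sshd logins that fall inside a given date window, from journald output in
# "journalctl -u sshd -o short-iso" format.

# Constructed sample log; host, users, addresses and key fingerprints are made up.
SAMPLE_LOG='2024-03-17T09:12:01+0000 host sshd[1201]: Accepted publickey for alice from 2001:db8::10 port 51234 ssh2: ED25519 SHA256:AAAA
2024-03-20T22:41:55+0000 host sshd[2305]: Accepted publickey for bob from 192.0.2.7 port 40102 ssh2: RSA SHA256:BBBB
2024-03-21T03:00:17+0000 host sshd[2399]: Invalid user admin from 198.51.100.9 port 33012
2024-03-25T14:05:44+0000 host sshd[3111]: Accepted publickey for alice from 2001:db8::10 port 51300 ssh2: ED25519 SHA256:AAAA
2024-03-29T18:00:00+0000 host sshd[4020]: Accepted publickey for carol from 192.0.2.8 port 40200 ssh2: RSA SHA256:CCCC'

# logins_in_window LOG START END
#   Prints "timestamp user source" for every "Accepted ..." line whose date is
#   within START..END inclusive (dates as YYYY-MM-DD). ISO-8601 timestamps sort
#   lexically, so a plain string comparison on the date prefix is enough.
#   Failed attempts ("Invalid user", "Failed password") are deliberately skipped.
logins_in_window() {
    printf '%s\n' "$1" | awk -v start="$2" -v end="$3" '
        /sshd\[[0-9]+\]: Accepted / {
            day = substr($1, 1, 10)
            if (day >= start && day <= end) {
                # layout: ... Accepted <method> for <user> from <source> port ...
                for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
                for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
                print $1, user, src
            }
        }'
}

# count_logins_in_window LOG START END -> number of successful logins in the window
count_logins_in_window() {
    logins_in_window "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Window from the advisory in the thread: compromised packages present 2024-03-18
# through 2024-03-29. On a real host replace SAMPLE_LOG with:
#   "$(journalctl -u sshd -o short-iso --since 2024-03-18 --until 2024-03-30)"
logins_in_window "$SAMPLE_LOG" 2024-03-18 2024-03-29
echo "successful logins in window: $(count_logins_in_window "$SAMPLE_LOG" 2024-03-18 2024-03-29)"
```

The output is a short list of who connected, from where, and when, which is what you would cross-check against the users known to have been given accounts; anyone missing from that list who appears in the log, or any login from an unexpected address, is what warrants a closer look. Day granularity is intentional: the upgrade on cfarm421 happened at 17:23 UTC on the last day, so the window is wider rather than narrower than the actual exposure.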

