Malicious Backdoor Found in Linux
HTML-код
- Опубликовано: 20 авг 2024
- Malicious Backdoor Found in Linux
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
thehackernews....
en.wikipedia.o...
nvd.nist.gov/v...
www.openwall.c...
🔔 SUBSCRIBE for more:
www.youtube.co...
------------------------------------------------------------------------------------------
🛍 Support me with your Amazon purchases:
UK amzn.to/3diZslY
US amzn.to/2OwZWux
Please note that as an Amazon Associate I earn a commission from any qualifying purchases that you may make through these links.
------------------------------------------------------------------------------------------
❤️ Join Britec RUclips Members:
/ @britec09
------------------------------------------------------------------------------------------
📃Watch related playlists and videos
🖥️ / britec09
------------------------------------------------------------------------------------------
👕Check out our merch:
teespring.com/...
------------------------------------------------------------------------------------------
💻Discord Access:
/ discord
------------------------------------------------------------------------------------------
🐦Follow and interact with me on Twitter:
/ britec09
------------------------------------------------------------------------------------------
✅Follow and interact with me on Facebook:
/ briteccomputers
-----------------------------------------------------------------------------------------
🎬 View my Website:
BritecComputers...
-----------------------------------------------------------------------------------------
A patch has been released to mitigate this issue 🎉 It was made available 31 March 2024
goes to show how vulnerable Linux is, just like Windows.
Was it available in updates for linux mint and how is it called?
@@Britec09 Goes for all OSes. However, I still think is Windows is more vulnerable, if only because it is more ubiquitous. Always update your OS, whatever it is.
Almost for every linux distributive you have two way of updates - stable and unstable. This is actually true for many program. You have two option, first older but more stable, and second the newer, but potentially unstable, sometimes called experimental.
Windows doesn't have this option. you can only choose apply updates immediately or with some delay when you might get patch of the patch.
Updating Windows is important, but staying at the frontier might bring some additional problems/instabilities
@@Britec09 I think that's a bit of a stretch.
Thank you, Brian!
I run MX linux so I needed to hear about this.
Fortunately MX is Debian-based & Debian fixed this some time ago in a previous version.
What's crazy is that the malicious dev wanted this version in Debian and Fedora!
People are missing the point. The malicious code was found, BECAUSE it was open source. If you buy a license on a binary-only software release, be it an application or operating system, then it is basically a matter of blind faith, moderated by the fact that the software developers have a reputation to detect.
And sure, you can use computer forensics to detect malicious code execution. Does that compression utility really need an internet connection and port open? That kind of thing. But having the source code helps, because it can point you to other problems. "Daylight is the best disinfectant" as the saying goes.
And sure, because it is open source, a malicious agent can compile some stuff and put it on the internet. There is no perfect solution.
But if open source was patronized by many more users, there is security in numbers. You can make almost any program or utility to do bad things. Is a utility that wipes a disk a useful one, or malware? The answer is the "use-case". If you delete people's files [without permission], or steal data, they are crimes.
Apparently it got noticed early, while the new maintainer who was fiddling with xz was still trying to perfect his mischief. So his version hadn't had time to get incorporated into the stable distros that I use. And the one Arch-based rolling distro that I use had already removed the bad version by the time that I checked.
"Your mileage may vary" of course, but the linux community seems to have gotten lucky in this instance.
very lucky. Like i have always said, no os is immune to this type of thing
@@Britec09I would hope the culprit is traceable from the time the code got changed. There are many fingers involved, but I’m sure it’s going to point one direction and it be espionage or it’ll be a bribe because money talks.
At least it has been found and is being delbt with :)
Regardless of the OS I am happy to see when devs work together and fix major issues
I agree
Yeah, this is why we have testing and beta versions of software and distro's. It got caught early, it got booted early. Moving on, nothing to see here. The power of open source. ( technically it was a backdoor in GNU core utils not Linux. ) Screwed my weekend, that much I can tell you, checking Azure deployments, no compromises found. The community got a bit hysterical over that one.
I think we need to make people aware that this is no ordinary backdooring; it was allegedly done via reasonably well organised social engineering over the course of 2-3 years, possibly by organisational or state sponsored threat actors. It's not something done due to poorly written code that has been exploited - we're potentially talking about abuse of trust and deception.
We also need to accept that such things could have happened at big tech corporations, such as Microsoft, where a bad actor manages to evade detection whilst being an employee at said corporation. However, I think the difference would be that closed-source software organisations would be able to (and probably do) suppress such incidents, whereas open-source software is considerably more transparent - again, there are pros and cons to both approaches.
Finally, I think this is a big wake-up call to open source projects, and proves trust can be easily misplaced, especially when the main project maintainer is suffering with burn-out and mental health issues. I think we need to show contempt for the con men and compassion for the conned, particularly when it is people's generosity, passion and dedication being exploited instead of greedy corporate shareholders and top-level executives.
So you're saying it's ok because such things could have happened at big tech corporations, such as Microsoft, but we don't know about it? I don't use Linux because of exactly this. No strict control on what code is allowed to be distributed.
@@georgeburns5811 At which point did I say it was okay? Also, there are lots of open source projects that have very strict controls on code, including the Linux kernel itself. How do you know Microsoft has strict controls on their code? Have you seen the blunders they've made, especially in recent years?
Unfortunately, I think you've misunderstood my point in that this backdoored package was due to social engineering by a bad actor who gained the trust of a burnt-out project maintainer, from what has been ascertained, and this could in theory happen at a company such as Microsoft. Open source code, and the development process, is transparent even if it's not always obvious when code is deliberately obfuscated to avoid detection. I appreciate that Linux isn't for you, and that's cool, but I think your opinion that Linux doesn't have strict controls on code that is distributed is not strictly true.
Oh, and by the way, I used to be a big Microsoft fanboy (something some my friends used to say to me many times), from the days of MS-DOS 3.2 and Windows 3.1, all the way up to Windows 10 when I *finally* got fed up of tolerating the frustrating and productivity-killing Windows Update process, the increasingly pushy ‘sales pitch’ and persistence of Microsoft services from within the Windows operating system itself, and the growing disrespect for the user's choices - if my default web browser is Google Chrome or Mozilla Firefox, then Microsoft Edge should *never* open unless I deliberately chose to open it.
And that, my friend, is why I ditched Microsoft Windows 👍
Yes I heard about that also and from what I read it only effects the rolling and testing versions. Not Debian stable or Ubuntu LTS. Though Debian say on their website that they have now patched their testing versions because of this. On Windows we just scan with anti-virus software. Maybe we should do the same thing on Linux. There is also anti-virus software as well as Firewalls for Linux we could use.
linux protection is based almost solely on minimal privilege principle. Any kind of vulnerability becomes quickly patched. The linux antivirus does exist, but its purpose is to disable windows viruses.
Windows products also have similar security packages, some of them are part of Windows OS. The problem of classical antiviruses is that they are based on reactive mechanics, which proved its limited efficiency long time ago.
Any good modern antivirus is in fact a big pile of different defense utilities, which include now cloud detection, sandboxing and many more, including other proactive defenses
@@user-od4gs3iu4t There is an anti virus for Linux. It's called ClamAV I think. I have seen it in Synaptic Package Manager. There may be others as well. I though that anti-virus does scan for viruses and malware and removes it. At least that's what the ones on Windows do. truth be told I never used any anti virus software when I was on Windows. There was Windows Defender on Windows Vista and 7. Which later on was Microsoft Security Essentials on Windows 8 but still called Windows Defender. There was also Windows Firewall which Microsoft started putting on Windows XP and ever version after that. Maybe that's what we have to do on Linux. Start using an anti virus software and install a firewall. Though I am using Linux now and I don't have either. But if things like this are going to happen we may have to start using anti virus protection and a firewall. I don't know because I have only just started using Linux two years ago. Before that I was using Windows. Noew I use Linux full time but I don't know enough about how you protect your computer from malware. On Windows we just use firewalls and anti virus software.
@@AndreaBorman if you use your linux PC as an workstation or desktop (not a server), I can highly recommend utility called Portmaster. It's a FOSS. You can of course make some basic configuration for your ufw or any other firewall included in you distributive, but to my mind it's mostly for server OS.
linux just don't need any AV. ClamAV + ClamTK is a good pack to scan PC if it's used as a file server, or mail server, or you somehow work with windows files. It then helps to defend Windows from some viruses/malware. But this is not a full replacement for a good Windows antivirus. I think even MS defender is better than ClamAV
Privacy is a lie...
so is security
Yeah ... But i think the real security is stay off from the internet....
Good find Brian!
Thanks 👍
Pretty much no OS is 100% safe, be it Windows, MacOS or Linux.
except for Windows 7..never had a problem with it
I never had problems with WinXP, but it doesn't mean it's a safe stable system.
Neither had I problems with Win 3.1. Cause I never used it hoho
I will still use linux over windows.
Debian Linux is totally safe
@@1pcfredQubes is pretty good too. A pain to use, but chose only one: convenience or security.
Great find Brian. Shows that Linux is not perfect lol. Keep up the good work.
yeah. nothing is perfect, except for this channel )
You got that right!
I am 100% sure that Msoft and the establishment had absolutely nothing to do with this attack on Linux
I'm sure they didn't either because they are on the Linux board of directors so it wouldn't make sense for them to attack something they are invested in!
It was an MS employee who found the malicious code version.
Look toward the Ivan’s or chicoms.
Actually it was a Microsoft dev who found it because his ssh speed was really slow, he basically stumbled on it because it wasn't fast enough 😂
doesn't change hat it's a Linux vulnerablity. microsoft is not the developer of Linux so therefore the vulnerability lies squarely on Linux shoulders.@@jackkraken3888
Seems like it only affected bleeding edge releases
My version of xz is 5.2.5.
No matter how secure an OS, be Linux , MAC OS or Windows maybe thought to be, unfortunately its like a lock and if a thief really wants access they will find a way in, sorry its a fact of life for us all , thanks for bringing it to attention!
You're welcome
Thanks for the heads up mate.
No worries
If I didn't know otherwise & keep my eyes, ears to the ground I'd have thought this was a April fools joke 🫵👍
Great. Watching this on my Linux Mint PC. Is there any way to determine if this program is in my OS? Thanks for the video.
xz -V
@@user-od4gs3iu4t Yeah, not the best idea. Don't run a program to see what the version is when you know it might be comprised.
@@notjustforhackers4252 it's true for a program with unknown origin, like some shady exe file in windows. XZ however is not a virus, it was corrupted to get a backdoor under some conditions. Getting version of your XZ wasn't so far reported to be a malicious act
aptitude show xz-utils or how I found it which was $ dpkg -l | grep -i xz
indeed, if that looks scary you can scan your installed packages with suitable command,
eg like
$ dpkg-query -W | grep xz
Question:Which linux was backdoor=ubuntu or kalinux?
Yes Brian this is just the tip of some floating iceberg of viruses for not only for Windows which we know is the OS we think of as your average OS user's choice and sadly now Linux. I guess as you say any OS is vulnerable simply because one doesn't have to be a rocket scientist to work out the way that any OS system and programming is made up is susceptible to anyone who is programming savvy who can just work out/manipulate the codes needed to infect any programs made by any other person.
The Concern is Far more in Windows OS nowadays than Linux or Mac OS. Nothing is perfect; however Windows is the least Secure of the three. And that's a fact.
Latest Raspberry Pi OS includes XZ Utils 5.4.1 so is not impacted.
I have 0 idea of what Linux is....
It's an operating system like windows and MacOS and it's very common in the server world especially Web severs that run websites. Android for android phones is a Linux variation.
i wonder if this also affect steam os distros ?
What about other unix-like operating systems?
not likely. Reported so far only the most recent xz versions
Good to know, but I'll take my chances.
MacOS is still the most secure OS and Apple patches security holes faster than any vendor on the market
I have to agree, but along with that you get more, but you pay more
Nah, Android and iOS (as long as OEMs, and Google/Apple don't add their root-level proprietary services such as Google Play Services or telemetry or bloatwares), they are actually more secure than desktop OSes due to high level of virtualization and sandboxing. Windows' security practices many of them I considered mong the most stupid, while Linux community haven't done as much to integrate security to the commonly used distros. And even then both Android and iOS security can be easily compromised due to social engineering, scam apps, software vulnerabilities,... as well; and both Google and Apple's telemetry and other services running too high privileges also compromise their security partly
Also MacOS is closed source, only Apple knows all their vulnerabilities and you never know if they actually found or fixed them or not. They may lie to you lmao
@@nk-randomcommenter3881absolutely true. They may even be fully controlled by government. All these news articles about Apple confronting three letter agencies may be an obfuscation operation. We can never proof or disproof cause nobody has an access to the code. Only Assange or Snowden may someday inform us about the real deal
is the XZ Utils library automatically installed by any distros?
Yes it is. The four distros I checked yesterday (three Debian-based distros, and one Arch-based) all had it in the installed list. Makes sense, as a utility that other programs would call to handle file compression/decompression.
yes
@@Gnabbist thank you
$ aptitude why xz-utils
i dpkg-dev Depends xz-utils
..in inux, in fedora, in PFSense, etc,,...etc...
I have version 5.2.5-2.1~deb11u1 so I'm safe.
Is XZ part of every Linux distro or a separate software program? I do not find this in the links.
every distro as far as I know
interesing
Clickbait, not Linux, it's XZ.
get over it
No operating system is safe from attacks
I agree
That's not true though. Tails and Qubes is really safe from attacks, since it doesn't affect the OS.
Sadly that's true. Apple recently found out there's a security compromise that is hardware based & affects it's entire line of M1-M3 processors- & worse it can't be patched out by software, because it's a physical hardware issue. Like what happened with the cellular radio 's used in the 2018-2022 versions of Samsung's phones. Good news is, it would require some extra steps & system access work to actually make it useful for someone to genuinely attempt a hack with it.
Whoever smelt it dealt it lol
You sure it’s not an April fools joke????
nope
The only affected versions of "xz" are 5.6.0 and 5.6.1.
UBUNTU and its derivatives are still on 5.2.5... so are SAFE... as far as we know.
ARCH and KALI, for example, which are rolling distros and always have the most updated versions of the software... are now COMPROMISED with either 5.6.0 or 5.6.1.
Windows darling....my sweet darling Windows hallowed be thy name.
Keep up the great work
Thanks, will do!
A take on Linux a lot of people don't realize, is that because it is built on 'open source' GNU licensing, it gives developers layers of protection against liability for the most part. This means practically that because Windows is proprietary, as an example, they get sued if they don't seek out and fix problems as fast as possible, which incentivizes them to solve problems, whereas in Linux problems can go undetected for years and when they are found no one is 'responsible' and problems can linger for a long time even after they are discovered. This is because there is no sense of urgency on most things in Linux outside of the work on the kernel and on distros like Red Hat which is a commercial Enterprise Level product with ironically the same financial incentives as Microsoft.
incorrect. if a problem is found in Linux then it is the fault of the person who created the disto. Microsoft didn't create it so they didn't put the vulnerability there, you didn't do it an i didn't do it so it be only the fault of the creator/developer that made the distro!
No one should be allowed to use internet.
You're late to the party.
Not really
After looking at the "Hacker News" article my guess (and it is only a guess) is that as Debian stable has not been compromised most dsitro's have yet to be compromised? Correct me please if my intuition/guesswork is in error.
Waiting for this security oversight to be blown out of of all proportion by the M$ "community"!
what's M$ community got to do with it? nothing. This is a Linux problem.
Your intuition/guesswork seems sound. The Arch article (google for Arch news xz) lists the affected versions of the xz package, and my Debian-based distros all have significantly earlier versions (i.e., not yet affected.)
oh you mean like the way Linux users blow every windows issue out of proportion.
Absolutely nothing!@@Britec09
@@Britec09 All communities M$ and Linux, have their "Fan Boys" who are ready to trumpet the other sides "failures".
Hmmm , 1 april... or..
Or. Is an old notice.
nope, not a joke. Some systems, mostly unstable the most recent versions are vulnerable
🫢👍
And people say Linux is safe. BS.🤔🤣
Open source means hackers can see the code
@Britec09 Yeah, but so can white hats too. Open source is both a strength and a weakness. Closed source code has its pros and cons too, to be fair.
the modern internet works thanks to the open source products. The viruses and significant part of malware is due to poorly written closed course code
I have run Linux on a virtual machine for quite a while. Four days ago, a boot failure occurred when I tried to start up Linux. The reason for it is still unknown up until now. It was quite possible that my Linux system was hacked or attacked. I had to re-install it. Fortunately, Linux isn't my host operating system. Just don't tell people that Linux itself is the embodiment of security and stability anymore.
Virtual machine software was probably the problem. Wouldn't worry about it.
What kind of a coded by clownz OS are you running that a virtual instance being hosted can bring down the system?
@@1pcfred I'm not sure that the virtual machine is to blame or should be responsible for the sudden occurrence of boot failure. I use VirtualBox. The Linux distro on my virtual machine is Linux Mint 21.3. Like I said, a hack or an attack was suspected of causing boot failure. Everything just went fine as usual. A couple of hours later, when I restarted Linux, I encountered boot failure.
let me guess. The host system is Windows
@@user-od4gs3iu4t Sure. Windows 11. What? Let me guess. You're saying that Microsoft Windows crashes Linux through a virtual machine?
Oh, what happened, the Linux fanboys kept saying Linux is virus-proof?
It’s still better than windows 😂😂😂
"What happened" was recounted by Brodie Robertson in an entertaining video (as is typical for his videos) over the weekend. A bad actor worked his way into being the de facto co-maintainer for xz, and then started Fiddling About with the source code.
It's not a competition why do you feel the need to make it in to one. Linux and windows serve totally different purposes. @@MrRom079
may be. But most people I guess are users or power users )
And this is about every OS, including linux
@@MrRom079 How so?
There are probably more security issues with Linux as well, the only reason they do not show up often is because of the low user base that does not make it worthwhile for the scammers and hackers looking for it. The devs probably do not look too hard either because they are so sure it is secure. Doubt any OS is safe if looked at hard enough.
This was a bad vulnerability
The website you're using now runs on Linux. Most of the Internet runs on Linux. But don't worry about the security. Because no one uses that stuff. Your router runs Linux. Yo momma running Linux too boi!
@@1pcfred well done for using non standard and highly customised specialist versions of Linux as examples, thaey have nothing to do with the versions of Linux used for personal computing. you make yourself look about as clever as a Muppet.
I think my router runs BSD, but that doesn't really matter
@@ShadowzGSD they use the same upstream sources for software as everyone else does. Distros also patch the source of the packages they ship too. So there's no such thing as "standard Linux".
Get ready Ben here comes the onslaught of excuses of how it is some how microsofts fault.
I love all of my Microsoft software I have installed in Linux.
$ dpkg -l | grep -i microsoft | wc -l
17