For the uninitiated, a major compromise has been discovered in liblzma, where an apparent backdoor has been inserted that breaks ssh-rsa authentication in sshd. The backdoor is intentionally convoluted, but the upshot is that if SSHD loads liblzma as a dynamic library, its own RSA authentication functions get patched for Bad Ones.
Raspberry Pi OS packages (and in general Raspberry Pi) are unaffected because
- The compromised code is not in the upstream Debian Bookworm release
- The exploit explicitly checks for x86_64 arch on the target system
This doesn't exclude other third-party packages that may rely on compromised versions of liblzma.
This is a "software supply chain" attack that was very close to going undiscovered, and making it into major operating system components. The cleanup is ongoing - this is one of the areas in which the OSS claim "many eyes make bugs (exploits) shallow" gets wound up to 11 and given nitrous injection.
Further reading (from links not on random pseudosocial media threads):
https://www.openwall.com/lists/oss-secu ... 24/03/29/4
https://gynvael.coldwind.pl/?lang=en&id=782
PoC:
https://gist.github.com/keeganryan/a6c2 ... 6dfdf95ae4
Statistics: Posted by jdb — Sat Mar 30, 2024 9:39 pm
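Added example, not part of jdb's post or of any project mentioned in it: a small host-triage script that checks the two conditions the post names (does sshd load liblzma as a dynamic library, and is the machine x86_64) and extracts the installed liblzma version so it can be compared against the vendor advisory. The function names are my own; `BAD_VERSIONS` is a placeholder, since the post does not state the affected version list, and must be filled from the advisory before the verdict means anything. The pure-classification functions take their inputs as arguments so they can be exercised offline; pass `--live` to run them against the real host.

```shell
#!/bin/sh
# Added example (not from the forum post): triage the exposure of one host to
# the liblzma/sshd backdoor described above, along the lines the post gives:
#   1. sshd loads liblzma as a dynamic library
#   2. the target arch is x86_64 (the only arch the backdoor activates on)
#   3. the installed liblzma build is one the advisory lists
# BAD_VERSIONS is a PLACEHOLDER: fill it (space-separated) from the advisory.
BAD_VERSIONS="${BAD_VERSIONS:-FILL_FROM_ADVISORY}"

# sshd_links_liblzma LDD_OUTPUT -> 0 if liblzma appears among sshd's loaded libraries
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# arch_is_x86_64 UNAME_M -> 0 if the machine string is x86_64
arch_is_x86_64() {
    [ "$1" = "x86_64" ]
}

# version_listed VERSION LIST -> 0 if VERSION is in the space-separated LIST
version_listed() {
    needle=$1; haystack=$2
    for v in $haystack; do
        [ "$v" = "$needle" ] && return 0
    done
    return 1
}

# classify LDD_OUTPUT UNAME_M VERSION -> one of: exposed, version-only, not-exposed
#   exposed      all three conditions hold (sshd is a reachable target on this host)
#   version-only an affected build is installed but sshd is not a reachable target here
#                (this is the Raspberry Pi / aarch64 case from the post)
#   not-exposed  the installed liblzma is not on the affected list
classify() {
    ldd_out=$1; machine=$2; version=$3
    if version_listed "$version" "$BAD_VERSIONS"; then
        if sshd_links_liblzma "$ldd_out" && arch_is_x86_64 "$machine"; then
            echo exposed
        else
            echo version-only
        fi
    else
        echo not-exposed
    fi
}

# Live mode: gather the three inputs from the running host and print the verdict.
if [ "${1:-}" = "--live" ]; then
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    live_ldd=$(ldd "$sshd_path" 2>/dev/null || true)
    live_machine=$(uname -m)
    # `xz --version` prints an "xz (XZ Utils) X.Y.Z" line and a "liblzma X.Y.Z" line
    live_version=$(xz --version 2>/dev/null | sed -n 's/^liblzma \([0-9.]*\).*/\1/p')
    echo "sshd:     $sshd_path"
    echo "arch:     $live_machine"
    echo "liblzma:  ${live_version:-not found}"
    echo "verdict:  $(classify "$live_ldd" "$live_machine" "$live_version")"
fi
```

Run it as `sh xz_triage.sh --live` after setting `BAD_VERSIONS` from the advisory; a `version-only` verdict still means the package should be downgraded or updated, it only says sshd is not the reachable target on that box. The check is deliberately conservative: it reports what is loaded and installed, it does not try to detect the patched functions themselves.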