Hey.
On Sun, 2024-03-31 at 01:46 +0000, Thorsten Glaser wrote:
> Yes, a multi-team task force is working on it and will inform users
> once it is known how to proceed, including how much to throw away
> and rebuild.

Kindly wanted to ask whether anything has come out meanwhile of that?

I've tried to follow quite extensively what the various reverse engineering efforts (e.g. [0], [1], [2], [3]) found out or what's revealed on index pages like [4] or [5].

It feels as if there are still many discussions about how to prevent such things in the future, but less so about the concrete fallout of the particular backdoor, where it seems most people were led to conclude from media reports that an attack was only possible if sshd was actually running and reachable.

This may of course be true, which would mean that most people are actually safe and we had quite some luck this time:
- servers, because they run stable distros that haven't had the backdoor
- workstations/laptops, because they typically don't run a publicly listening sshd

But there are still new findings about the backdoor every now and then, like that it may read/write on IPC sockets (contained in [2]) and I've read similar [6] without the restriction on IPC. Also I've seen some vague statements [7] that it might "install" public keys (didn't really grasp what was meant there - something like "in authorized_keys"). And one report [8] talked about it collecting usernames and IPs and passing them on to some function with unknown purpose.

It also seems like these efforts focus mostly on the 5.6.1 version and while it's said that the 5.6.0 version is quite similar, who knows the exact details!?

In any case and (too) long story short: It would be nice to know whether there's still work done about finding out whether people who had the malicious code on their systems (in any version of the backdoor), but
- had sshd not running at all and/or
- it was not reachable from the internet
can feel safe.
Or whether it may be possible that:
- the backdoor did call home (loaded commands from there, leaked private keys or so from the system)
- used completely different vectors not involving sshd
- or somehow else infested the system

Right now people might still have backups to torch their possibly compromised systems and start over from a safe state.

So Thorsten, in case you or someone else is aware of any [intermediate] results from these task forces ([9]) it would be nice to hear about them or better even in form of some "official" statement from Debian.

Thanks,
Chris.

[0] https://discord.gg/u6MzmQm5
[1] https://github.com/smx-smx/xzre
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor
[3] https://securelist.com/xz-backdoor-story-part-1/112354/
[4] https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
[5] https://github.com/przemoc/xz-backdoor-links
    https://przemoc.github.io/xz-backdoor-links/ (rendering of that)
[6] https://discord.com/channels/1223666474091020432/1223666474972090430/1230974749522530304
[7] https://discord.com/channels/1223666474091020432/1223666474972090430/1230173131746840606
[8] https://isc.sans.edu/diary/30802
[9] E.g. on d-d https://lists.debian.org/debian-devel/2024/03/msg00338.html Moritz Mühlenhoff has mentioned that some company was working on it and results were expected in some time.
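The mail's open question is which hosts fall outside the only exploitation path that has been publicly confirmed (a backdoored liblzma loaded into a running, reachable sshd) and therefore can only be called "indeterminate", not "safe". The following triage script is an added example, not part of Chris's mail or of any Debian tooling; it encodes exactly that reasoning. The function names, the three-way classification labels and the sample `xz --version` output are constructed for the example; the live checks at the bottom (`xz --version`, `pgrep`, `ldd`) only run when `XZ_TRIAGE_LIVE=1` is set, and because reachability cannot be judged locally it is taken from `SSHD_REACHABLE` and conservatively defaults to `yes`.

```shell
#!/bin/sh
# Added xz-backdoor exposure triage (example code, not from the original mail).
# Known exploitation path needs all three: backdoored upstream liblzma release
# (5.6.0 or 5.6.1), sshd running, sshd reachable. Anything short of that with a
# backdoored release on disk is "indeterminate": other behaviours (IPC, key
# handling, credential collection) are still being analysed, per the mail.

# Constructed sample of `xz --version` output, used for the offline self-test.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Extract the upstream version from `xz --version` output (first line only).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the upstream release is one of the two backdoored ones.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# classify_exposure VERSION SSHD_RUNNING(yes|no) SSHD_REACHABLE(yes|no)
# Prints: not-backdoored-release | known-exploitable-path | indeterminate
classify_exposure() {
    version="$1"; running="$2"; reachable="$3"
    if ! xz_version_is_backdoored "$version"; then
        echo not-backdoored-release
    elif [ "$running" = yes ] && [ "$reachable" = yes ]; then
        echo known-exploitable-path
    else
        # Backdoored code was present but the confirmed path was closed:
        # the mail's question is exactly whether this case is safe, so don't say so.
        echo indeterminate
    fi
}

# Live checks on the current host, opt-in so the functions above can be
# sourced or tested without touching the system.
if [ "${XZ_TRIAGE_LIVE:-0}" = 1 ]; then
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    running=no
    pgrep -x sshd >/dev/null 2>&1 && running=yes
    # Is liblzma among sshd's shared libraries at all? If not, even a
    # backdoored package never reached the sshd process.
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    linked=no
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        linked=yes
    fi
    echo "xz version: ${ver:-unknown}; sshd running: $running; liblzma in sshd: $linked"
    echo "classification: $(classify_exposure "${ver:-unknown}" "$running" "${SSHD_REACHABLE:-yes}")"
fi
```

Run it as `XZ_TRIAGE_LIVE=1 SSHD_REACHABLE=no sh triage.sh` on a host whose sshd is firewalled; note that `not-backdoored-release` is judged purely on the upstream version string, so a distribution that ships a reverted build still needs its package changelog checked, and "indeterminate" is a prompt to keep the backups the mail mentions, not a clean bill.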