secret backdoor found in open source software (xz situation breakdown)

Backdoor found in xz liblzma specifically targets the RSA implementation of OpenSSH. Story still developing.

Comments
The guy who found this has just been elevated from "just a guy" to "security researcher" by action alone

AlexBrugh
Kudos to this "just a guy" who probably just wanted to help out an open source project in fixing a memory leak and performance issue and then probably spent weeks of his time getting to the bottom of this.
This is what makes all of us safer. He deserves a medal or something.

Krmpfpks
As horrifying as such backdoors in widely used software are, the engineering behind such exploits is insanely impressive and creative.

kim
Important Clarification (since I feel this isn't clarified): upstream OpenSSH doesn't use liblzma, however many distros like Debian patch OpenSSH to use SystemD Notifications through libsystemd, which in turn uses liblzma. Distros like Arch (which don't patch OpenSSH) or distros without SystemD like Void should be fine with regards to SSH (however most distros are already downgrading xz anyway for obvious security reasons)

Source: the latest Arch News post regarding this backdoor

EDIT: to quote directly from the Arch news post:
"Arch does not directly link openssh to liblzma, and thus this attack vector is not possible"

standingpad
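A check a defender can run for the linkage described in the comment above (added example, not from the video or any commenter): it classifies `ldd` output for an sshd binary as linking liblzma directly, via libsystemd, or not at all. The sshd path and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: does an sshd binary pull in liblzma, directly or through
# libsystemd (the distro-patched pattern described above)? The parser reads
# ldd-style output from stdin so it can be exercised on constructed lines.

# Read ldd output on stdin; report which of the two libraries appear.
# Exit status: 0 if liblzma is linked (exposure present), 1 otherwise.
classify_ldd_output() {
    lzma=no
    systemd=no
    while IFS= read -r line; do
        case "$line" in
            *liblzma.so*)    lzma=yes ;;
            *libsystemd.so*) systemd=yes ;;
        esac
    done
    if [ "$lzma" = yes ]; then
        if [ "$systemd" = yes ]; then
            echo "liblzma linked via libsystemd (distro-patched sshd pattern)"
        else
            echo "liblzma linked directly"
        fi
        return 0
    fi
    echo "liblzma not linked"
    return 1
}

# Wrapper for a real binary; path is an assumption for this example, e.g.
#   check_binary "$(command -v sshd)"
check_binary() {
    ldd "$1" 2>/dev/null | classify_ldd_output
}

# Stand-alone use: pass the binary to inspect as the first argument.
[ $# -gt 0 ] && check_binary "$1"
```

A non-zero exit from `check_binary` means the binary does not resolve liblzma at load time, which is the condition the quoted Arch note relies on.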
I can already read online people saying that this is proof that open source code is less secure than proprietary
On the contrary, the fact that it was caught, and caught relatively quickly, shows that open source is more secure against these kinds of backdoor attacks

aeedi
damn, NSA taking a bunch of losses recently

bjduncc
It's not just SSH. The dev seems to be suspect in way more packages.

CCCW
as a sidenote from what I gathered: The person who "contributed" this backdoor was not just some person who randomly came out of nowhere with a Merge Request. It was someone who contributed to the project for an extended period of time to a point where they themselves became a maintainer (not the main one, but projects like this often have multiple).

kuhluhOG
Idk if I would call Andres Freund "some guy" haha he's a Postgres contributor/developer and Principal SWE at Microsoft. I get your point though. Not technically a security researcher.

swannie
How many more security issues are going to be found this week?!

Airatgl
This channel is great for my daily dose of anxiety

Neuranet
1:12 "He's not a security researcher, he's not a malware reverse engineer, he is just a Freund."

basicallyeveryone
Bullet dodged. For real. This could have been the worst money grab backdoor by far. It's literally in every system. It's especially scary that the project owners approved the compiled binaries. Hopefully it's not a maintainer behind this.

daniels-mool
After this report there were some extra findings that people might find valuable.

1. Some time ago the only maintainer got a lot of pressure from different users to accept another maintainer to the project.

2. The binary files in question were compressed files that are usually made to test that the decompression tool is working; in this case the malicious tests were two, one for a large file and another for a corrupted file. As you can see, both were made to make it difficult to find that there was hidden code there.

3. The malicious maintainer got enough trust to be able to sign the distributed tars with malicious code and to contact Linux distro maintainers to pressure them to update to the backdoored version; the attacker even sent a patch to the Google repo that was harmless by itself but a requirement for the exploit.

4. After the backdoor was created, random accounts submitted PRs to different projects to update to the vulnerable version.

This was a large, well-orchestrated attack that was most likely planned by more than one person and only discovered due to it having performance problems and certain bugs; otherwise we might have never noticed.

jimmykochi
Kudos to the person who found this. His modesty does him credit, but the realization that something was amiss, the desire to delve into it, the analytical process, depth of research, and the willingness to share what he discovered with the wider community - totally aligned with the OSS ethos - shows he definitely has the right mindset to be a security researcher and has hit the ground running. Hats off, sir; bravo!

laurensdehaan
Andres Freund, who found and reported this, should be called "The XZorcist".

Cobinja
Apologies if I missed it, but it should be clarified that this did not make it into any production releases. The fact that it was caught before release is a demonstration of the strength of the open source model.

plateoshrimp
Crazy to think the test can change the build. This should be clearly separated.

cherubinth
It is slightly more subtle, from what I understand. It is not that openssh uses liblzma, but liblzma is used in systemd. On systems where openssh is patched to use systemd as well, you end up with a security issue. This appears to be limited to the combination of x86_64 and linux and systemd. That is still a significant fraction of all linux systems.

mrtnsnp
That is definitely one of the most crazy, complex, and sophisticated backdoor injection attempts I have ever seen in my life. The engineering behind it is very impressive. The guy who discovered it deserves a reward; he just literally saved the world.

ivanov