PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has “a backdoor”, but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (…)

  • Count Regal InkwellOP
    link
    fedilink
    English
    9
    edit-2
    8 months ago

    I was on EndeavourOS (Arch-derived), but switched to SUSE Tumbleweed like, this weekend.

    But hold up

    So if the backdoor is all about exploiting ssh to gain full system access, and ssh was never enabled in my OS I’m in the clear regardless?

    • @[email protected]
      link
      fedilink
      English
      88 months ago

      Just to be sure, you should check whether SSHD is enabled: sudo systemctl status sshd.service If you never enabled it and it’s disabled+inactive, then no need to reinstall Tumbleweed per the current guidance. Also you can double check your version of xz to make sure it’s downgraded, the downgraded version for Tumbleweed should look like this:

      sudo zypper search -vi xz
      Loading repository data...
      Reading installed packages...
      
      S  | Name | Type    | Version               | Arch   | Repository
      ---+------+---------+-----------------------+--------+------------------
      i+ | xz   | package | 5.6.1.revertto5.4-3.2 | x86_64 | update-tumbleweed
          name: xz
      
      • qaz
        link
        English
        18 months ago

        What if it was enabled but it was disabled in the firewall so it could only be used from the device itself?

    • @theit8514
      link
      English
      58 months ago

      While the full extent of the exploit is not fully known, it seems specifically targeted at the sshd binary on deb and rpm based systems. If you’ve got that service disabled it should not have been running actively on your system. You should still perform whatever is needed to downgrade, but I would say you’re in the clear.

        • @theit8514
          link
          English
          18 months ago

          Each distribution is different but Arch has stated that they did have the exploit artifact in their version of xz but the artifact was not loaded into memory with sshd as their process does not link sshd with liblzma library.

          More details below but highly recommend upgrade/downgrade anyways to remove the exploit code version.

          https://archlinux.org/news/the-xz-package-has-been-backdoored/