On Fri, 2024-04-05 at 20:47 +0200, Sirius:
> > If there is a final result, can we as a project share the results in a
> > prominent place? Or at least on d-devel-announce and/or
> > d-security-announce? I was also wondering about what could have been
> > compromised, what data might have been stolen, etc. And there are so
> > many sources to follow right now. So sharing the final results would be
> > great.
>
> If you have followed the discussion on the Openwall ML, there have been a
> couple of posts that point at both a general overview of what the code
> did, an analysis of how the data was hidden in the 'corrupt' xz archive
> under testing, and some analysis of the actual .o which suggested this was
> not just a backdoor but almost a remote-code-execution portal.
I've also tried to follow the various lists and RE efforts on Discord. My understanding is that this hasn't been completed yet, and while people seem to *believe* that it looks as if the backdoor didn't do anything other than wait for commands sent to an sshd (which might make all people safe who haven't had sshd running, or at least not publicly listening), that's not yet 100% sure, or is it? And given how much effort these attackers spent on hiding the stuff, it doesn't seem impossible that they hid even more.

I'd think that most servers are safe, simply because they typically run stable. But I guess many people run their personal computers on some rolling/unstable release.

So I fully agree with Daniel Leidert that it would be really nice if there was, eventually, once the reverse engineering has been finished, some form of official confirmation of whether and when people that had the compromised xz-utils installed may feel 100% safe or are possibly pwned. Especially:

- whether any hidden calling home was found (so far not, but this may e.g. happen only under special conditions, like some matching host or user names), which would possibly compromise private keys, etc.
- whether any commands could have automatically been pulled from remote
- whether any attack vectors other than via sshd were found
- whether some other forms of infestation (adding new users, keys to authorized_keys, etc.) were possible, or whether all that can be ruled out for sure.

And whether that has been confirmed for both versions of the malware that were distributed.

In short:

- Can people that had it, but had no sshd running and/or had it only running behind some firewall/NAT/etc., feel 100% safe that they are not further compromised?

And while it wouldn't affect me personally, some have also asked whether:

- They'd be safe if access to sshd was only restricted via hosts.allow/hosts.deny.
Last but not least, it would be nice if Debian had some trustworthy experts who can actually confirm those findings. No offence meant against those people doing the reverse engineering, but in principle anyone on the internet could just claim anything and make people wrongly feel safe.

Cheers,
Chris.
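The distinction the message above draws, between "sshd running" and "sshd publicly listening", is something a user can check on their own host while waiting for an official statement. The following is an added example, not code from this thread or from the Debian project: a small POSIX sh helper that classifies sshd's exposure from the output of `ss -Hltnp` (header-less, listening TCP sockets, numeric, with process names). It assumes the usual `ss` field order (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) and treats anything that is not a loopback address as reachable from outside the host; the sample listing it falls back to is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example (not part of the thread). Classify sshd exposure from the
# output of `ss -Hltnp` read on stdin. Prints exactly one word:
#   none           no sshd listening socket at all
#   loopback-only  sshd listens only on 127.x / ::1
#   public         at least one sshd socket bound to a non-loopback address
# Assumption: the `ss` field order State Recv-Q Send-Q Local Peer Process.
sshd_exposure() {
    found=0
    public=0
    while read -r state recvq sendq laddr peer process; do
        # Only sshd listeners matter here; the process field looks like
        # users:(("sshd",pid=812,fd=3)) when run with -p.
        case "$process" in
            *'"sshd"'*) ;;
            *) continue ;;
        esac
        found=1
        addr=${laddr%:*}      # drop ":port"; works for 0.0.0.0:22 and [::1]:22
        case "$addr" in
            127.*|'[::1]'|'::1') ;;   # loopback: unreachable from the network
            *) public=1 ;;            # wildcard, '*' or a real interface address
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo none
    elif [ "$public" -eq 1 ]; then
        echo public
    else
        echo loopback-only
    fi
}

# Constructed sample listing (not from any real host): sshd on the IPv4
# wildcard and on IPv6 loopback, plus an unrelated cupsd socket.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::1]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))'

# Stand-alone use: inspect this host if `ss` is available, otherwise (or with
# --sample) run over the constructed listing, which yields "public".
if command -v ss >/dev/null 2>&1 && [ "${1-}" != "--sample" ]; then
    ss -Hltnp | sshd_exposure
else
    printf '%s\n' "$SAMPLE" | sshd_exposure
fi
```

Run it as root (or with CAP_NET_ADMIN) so `-p` can attribute sockets to processes; without that, the process column is empty and the result is "none" even when sshd is listening. The check only answers the host-local question: "public" means sshd accepts connections on a non-loopback address, which is the precondition the message above cares about, but whether a firewall, NAT or hosts.allow/hosts.deny actually stopped anyone from reaching that socket cannot be decided from the listener table alone.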