Impact of Supply Chain Attack On The Security Of SSH Server

TTB Internet security
5 min read, Apr 2, 2024


A serious security breach has recently come to light: a backdoor in the liblzma library that ships with the xz compression utility. Because that library ends up inside the SSH server process, it undermines the security of sshd on several Linux distributions.

Simply put, the XZ format is ubiquitous and general-purpose. The xz tools and the liblzma library make it easy to compress and decompress large files, which is why so much software links against them.

The backdoor was first identified on Debian sid installations and was then traced back to the upstream xz releases. Versions 5.6.0 and 5.6.1 of the xz package are the affected ones.

Andres Freund, a Microsoft developer, noticed unusual system behaviour: unnecessary CPU usage while logging into an SSH server. He also observed Valgrind errors in liblzma, and following those symptoms led to the discovery of the backdoor.

The malicious build code was found only in the distributed release tarballs, not in the upstream source repository. That is the signature of a planned and targeted attack on the supply chain.

Red Hat issued a critical security alert for Fedora 41 and Fedora Rawhide users, advising them to stop using those systems until the xz version had been downgraded.

Fedora Linux 40 beta also contained the affected builds, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At the time of the advisory, Fedora 40 beta did not appear to be affected by the actual malware exploit, and no stable Fedora release shipped the compromised versions.

The build roots of the development distribution were affected as well. As soon as the problem was identified, they were reverted to the safe xz-5.4.x versions.

Keep in mind that the Red Hat community ecosystem is one of the most widely used distribution families, and Fedora 40 and Fedora Rawhide fall within its purview.

The injected code has been confirmed in the xz 5.6.x packages of Debian unstable (sid), and other distributions that picked up those versions may also be at risk. Red Hat has assigned the issue CVE-2024-3094 and is working on patches to protect affected systems.

Alex Matrosov noted on Twitter that existing detection solutions have a blind spot here: they do not track transitive, statically linked dependencies, which makes attacks of this kind much less likely to be identified.

The modifications to liblzma were used, through OpenSSH, to compromise the security and integrity of SSH servers. The backdoor's functionality appears to be restricted to glibc-based systems, and because the compromised xz versions had mostly reached only pre-release and rolling-release distributions, most stable Linux distributions were not compromised.

The malicious code makes SSH logins noticeably slower. It is invoked during public-key authentication, because it redirects RSA_public_decrypt to the backdoor code.

The backdoor lives in the upstream xz/liblzma library, and its malicious code compromises the security of the SSH server. A wide range of other software also links against liblzma, so sshd is not the only program that ends up loading the compromised library.

OpenSSH does not use liblzma itself. On Debian- and Fedora-family systems, sshd is patched to link libsystemd, which in turn pulls in liblzma, and that transitive dependency is what brought the backdoored library into the sshd process. The backdoor was inserted into xz/liblzma so skilfully that it evades routine security audits, which makes it an especially insidious risk.

The backdoor is not triggered by compressing or decompressing files. Once the compromised liblzma is loaded into sshd, it hooks RSA_public_decrypt, the function sshd relies on to verify a client's RSA signature during public-key authentication, so it is reached as soon as an attacker makes a connection attempt. An attacker who can trigger it is able to execute arbitrary code on the server before authenticating, which means unauthorized access, command execution and, since sshd runs with root privileges, complete control over the system.

The injection mechanism was present only in the distributed tarballs, not in the upstream source code repository, which again points to a targeted attack on the supply chain.

The malicious code is hidden behind a series of complex obfuscations. During the build, the tampered build scripts extract a pre-built object file from an innocuous-looking binary test file in the source tree and link it into liblzma, so nothing suspicious appears in the readable source.
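The tarball-versus-repository discrepancy described above is something a release reviewer can check mechanically. The script below is an added example, not code from the article, from Codenotary or from the xz project: it walks an unpacked release tarball and reports every file that is missing from, or differs from, a checkout of the tagged source. The two directories are arguments supplied by the user; the tiny "repository" and "tarball" trees built by make_demo_trees are constructed sample input (the file names in them are made up for the demo), so the script can be run offline.

```shell
#!/bin/sh
# Added example (not the article's, Codenotary's or xz's own code): compare an
# unpacked release tarball against a checkout of the tagged source so that
# files present only in the tarball, or differing from it, stand out.

# Print "only-in-tarball: <file>" for files that exist in the tarball but not
# in the repository, and "differs: <file>" for files whose content differs.
# Generated files (configure, Makefile.in, *.m4 helpers) are exactly where
# injected build logic would hide, so they are deliberately not skipped.
compare_tarball_to_repo() {
    tarball_dir=$1
    repo_dir=$2
    (cd "$tarball_dir" && find . -type f | sort) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$repo_dir/$rel" ]; then
            printf 'only-in-tarball: %s\n' "$rel"
        elif ! cmp -s "$tarball_dir/$rel" "$repo_dir/$rel"; then
            printf 'differs: %s\n' "$rel"
        fi
    done
}

# Constructed sample input: a minimal "repository" and "tarball" that share
# configure.ac, differ in one m4 helper, and where only the tarball carries a
# generated configure script. Prints "<tarball_dir> <repo_dir>".
make_demo_trees() {
    tarball=$(mktemp -d)
    repo=$(mktemp -d)
    mkdir -p "$tarball/m4" "$repo/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$repo/configure.ac"
    cp "$repo/configure.ac" "$tarball/configure.ac"
    printf 'dnl harmless helper\n' > "$repo/m4/helper.m4"
    printf 'dnl harmless helper\ndnl extra line present only in the tarball\n' \
        > "$tarball/m4/helper.m4"
    printf '#!/bin/sh\n# generated at release time\n' > "$tarball/configure"
    echo "$tarball $repo"
}

# Run as `sh compare.sh --demo` to see the report for the constructed sample;
# run as `sh compare.sh <tarball_dir> <repo_dir>` for real trees.
case "${1:-}" in
    --demo)
        dirs=$(make_demo_trees)
        compare_tarball_to_repo "${dirs% *}" "${dirs#* }"
        rm -rf "${dirs% *}" "${dirs#* }"
        ;;
    "") ;;
    *) compare_tarball_to_repo "$1" "$2" ;;
esac
```

Files such as configure or Makefile.in will always show up as only-in-tarball because they are generated at release time; the useful follow-up is to regenerate them from the tag with the project's own autotools invocation and compare those against the tarball, since a hand-edited generated file is precisely what a tarball-only injection looks like.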

Codenotary published a detection script and encouraged system administrators to run it on their systems. The script examines the installed liblzma library for the presence of the backdoor.
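As an added example of the kind of host check described above (it is not Codenotary's script and not code from the article), the following shell functions flag the two compromised releases named in this post, 5.6.0 and 5.6.1, by version string, and report whether the local sshd binary loads liblzma at all. The sample `xz --version` and `ldd` output lines used to exercise the functions are constructed; the path /usr/sbin/sshd is assumed as a fallback location. It does not scan the library for the backdoor's code, so a clean result here is not proof of a clean system.

```shell
#!/bin/sh
# Added example, not Codenotary's script or the article's own code: a minimal
# host check for the two compromised xz releases (5.6.0 and 5.6.1) and for
# whether sshd loads liblzma. Version strings and link dependencies only.

# True (exit 0) if the given version string is one of the known-bad releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version
# (XZ Utils prints a second line of the form "liblzma X.Y.Z").
liblzma_version_from_output() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Read `ldd /path/to/sshd` output on stdin and print the liblzma path it
# loads; prints nothing if sshd does not link liblzma, directly or
# transitively (on Debian/Fedora builds the link comes via libsystemd).
liblzma_path_from_ldd() {
    sed -n 's/.*liblzma[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample output lines, used for offline exercise of the parsers.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x1)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x2)'

# Live check on this machine; run as `sh xz-check.sh --check`.
check_host() {
    ver=$(xz --version 2>/dev/null | liblzma_version_from_output)
    if [ -z "$ver" ]; then
        echo "xz not found; cannot determine liblzma version"
    elif is_backdoored_xz_version "$ver"; then
        echo "liblzma $ver is a compromised release: revert to 5.4.x now"
    else
        echo "liblzma $ver is not one of the known-bad releases"
    fi
    # /usr/sbin/sshd is an assumed fallback path for hosts where sshd is
    # installed but not on PATH.
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ]; then
        lz=$(ldd "$sshd_bin" 2>/dev/null | liblzma_path_from_ldd)
        if [ -n "$lz" ]; then
            echo "sshd loads $lz; a compromised liblzma here is reachable pre-auth"
        else
            echo "sshd does not load liblzma"
        fi
    fi
}

case "${1:-}" in
    --check) check_host ;;
esac
```

Pair the version check with a distribution-level query (rpm -q xz-libs or dpkg -l liblzma5) before trusting it, and treat a host where sshd loads one of the bad versions as compromised until it has been rebuilt from known-good packages.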

If the backdoor code is found, the system is vulnerable and must be updated promptly. Red Hat issued a high-priority security alert for users of both Fedora Linux 40 and Fedora Rawhide about this vulnerability, so that affected systems can be identified and given immediate attention.

Immediate Mitigation Steps

Here are the key steps to follow to mitigate the effects of the supply chain attack on SSH.

  1. Revert to xz 5.4.x as a precautionary measure.
  2. Watch for the latest updates so that you know when the reverted packages are being distributed.
  3. Use your distribution's standard update system to install them.
  4. Follow the instructions published on the Fedora update portal.
  5. Apply the update as quickly as possible.
  6. Avoid running affected distributions for work or personal activity until they are fixed; otherwise pause their usage.
  7. Downgrade your xz libraries to the safe version.
  8. Monitor official channels for further advisories.
