author: Xe Iaso <me@xeiaso.net> 2024-03-29 13:37:24 -0400
committer: Xe Iaso <me@xeiaso.net> 2024-03-29 13:37:24 -0400
commit: 7407750043976ef4bf2014f780ffe0b934df3ca4 (patch)
tree: d5cef718be53dbf5151cfca41604ccaf8108c3c2
parent: 6d3e9592bba6ef316b3ad872263a96c0fe3474c4 (diff)
download: xesite-7407750043976ef4bf2014f780ffe0b934df3ca4.tar.xz
download: xesite-7407750043976ef4bf2014f780ffe0b934df3ca4.zip
notes: xz secvuln
Signed-off-by: Xe Iaso <me@xeiaso.net>
-rw-r--r-- lume/src/notes/2024/xz-vuln.mdx | 69
1 file changed, 69 insertions, 0 deletions
diff --git a/lume/src/notes/2024/xz-vuln.mdx b/lume/src/notes/2024/xz-vuln.mdx
new file mode 100644
index 0000000..3887874
--- /dev/null
+++ b/lume/src/notes/2024/xz-vuln.mdx
@@ -0,0 +1,69 @@
+---
+title: "liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise"
+date: 2024-03-29
+hero:
+ ai: "Photo by Xe Iaso, EOS R10 with 135mm Super-Multi-Coated Takumar f/3.5"
+ file: xz-alert
+ prompt: "A stop sign on a blue sky with the words 'security alert' underneath it"
+---
+
+This is a new situation and we are still gathering information. Here is what we know so far:
+
+The [xz/liblzma project](https://github.com/tukaani-project/xz) has released versions 5.6.0 and 5.6.1.
+
+The combination of this and patches made by some distributions to the interactions between liblzma, libsystemd, and sshd have resulted in a situation where an attacker can compromise a system by sending a malicious payload to an sshd server.
+
+We are lucky. This only affects AMD64 Linux systems. The vulnerability is in a specific RSA function. The exploit is in the wild. This is also a very new version of xz/liblzma, so it is not widely deployed yet. This is also unlikely to affect anything other than Glibc (because of glibc IFUNC support), so if you use [musl](https://musl.libc.org/) or another libc implementation, you are likely safe.
+
+If you are using a distribution that has not yet released xz 5.6.0 or 5.6.1, you are likely safe.
+
+If you are running Debian sid, Fedora 41, or Fedora Rawhide, run updates now.
+
+Here are the distros where it is likely to be released (according to [repology](https://repology.org/project/xz/versions)):
+
+- Alpine Edge
+- Arch
+- Cygwin
+- Exherbo
+- Gentoo
+- Homebrew
+- KaOS
+- MacPorts
+- Manjaro Testing
+- NixOS Unstable/nixpkgs unstable
+- OpenIndiana
+- OpenMamba
+- OpenMandriva Rolling
+- Parabola
+- PCLinuxOS
+- Pisi Linux
+- pkgsrc current
+- Ravenports
+- Slackware current
+- Solus
+- Termux
+- Wikidata
+
+If you are using one of these distributions, you should check to see if you are using xz version 5.6.0 or 5.6.1. If you are, you should downgrade to 5.4.6. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.
+
+At this time, we believe that version 5.4.6 is not vulnerable to this exploit. If you are using a different version, you should check with your distribution's security mailing list to see if you are vulnerable. If you are not already subscribed to your distribution's security mailing list, you should do so now.
+
+Here is how you can tell if you're running the affected version:
+
+```
+xz --version
+```
+
+Here is what the output on the vulnerable version looks like:
+
+```
+$ xz --version
+xz (XZ Utils) 5.6.1
+liblzma 5.6.1
+```
+
+Stay tuned for more information. [Red Hat's security advisory](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) may be helpful.
+
+---
+
+Special thanks to titanous for pre-vetting this before it went live.
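Review bot: the detection step near the end of the hunk (`xz --version`) checks the xz command-line tool, but the attack path the same file describes runs through liblzma loaded into sshd via libsystemd; on distributions that ship the CLI and the shared library as separate packages the two versions can differ, so the guidance should also tell readers to check the installed liblzma package through their package manager (and restart sshd after downgrading, since the already-running daemon keeps the old library mapped). Minor: "Wikidata" in the repology list is a data source, not a distribution, and should be dropped from the list; the sentence "Here are the distros where it is likely to be released" reads better as "where 5.6.0 or 5.6.1 is likely to be already available".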