Crticial vulnerability affecting SSH (CVE-2024-3094)

avatar
(Edited)

image.png

A backdoor has been discovered affecting SSH server deployments. While most people this should not be an issue, and will only affect very bleeding edge installations, it is important to verify you are not vulnerable.

SSH Is the defacto standard for remote access on Linux and is commonly accepted as a safe port to leave exposed on servers hosted on the Internet. Although you should do so using SSH Keys and not just passwords.

The root of the problem (pun intended) is a backdoored library (XZ) that is used by SSH server. This vulnerability has been assigned CVE-2024-3094.

How to verify you are not running a backdoored version

Simply do sudo apt list --installed | grep xz

This should return a result like this:

xz-utils/pikauwu,now 5.4.1-0.2 amd64 [installed,automatic]

If you see version 5.6.x, you are running a vulnerable version of XZ and you should downgrade immediately to 5.4 or 5.5. Fedora just downgraded all their releases to 5.4 and most people will likely be running 5.4.

How to verify multiple machines

Here's a trick if you use ansible, you can check all Linux hosts in your inventory using the shell module.

ansible linux -m shell -a "apt list --installed | grep xz" -K

This will run an adhoc shell on all your linux machines in your inventory and will result in an output like this:

witness07 | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 amd64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness03 | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 amd64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
docka | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 arm64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness04 | CHANGED | rc=0 >>
xz-utils/jammy,jammy,now 5.2.5-2ubuntu1 amd64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness06 | CHANGED | rc=0 >>
xz-utils/jammy,jammy,now 5.2.5-2ubuntu1 amd64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Most witness nodes will likely be running 22.04 and will be using 5.2.5 of the XZ library and will be safe.

Although it is unlikely you will have a vulnerable machine, it is worth checking to be sure.

If you want more detail on the vulnerability, this video does a good job explaining it.

You can also read the original discovery of the vulnerability on openwall.

If you are not using ansible, maybe now is a good time to check it out.

I also recommend checking out this excellent breakdown of the events leading up to this vulnerability here.



0
0
0.000
12 comments
avatar

Thanks for the heads up. I'll be sure to check my servers.

0
0
0.000
avatar

That's incredible... and so important! Thanks for sharing!

0
0
0.000
avatar

Thanks, reblogged! Hopefully my server is still on the older version, I'll have to check.

This post has been manually curated by the VYB curation project

0
0
0.000
avatar

Is it something related to hive blockchain or hive users accounts security?

0
0
0.000
avatar

Not directly but most of the witnesses run Linux. Most shouldn't be affected, it's only if you are running really bleeding edge builds.

0
0
0.000
avatar

Thanks for the clarification, it means it's about witnesses not an average user like me, as a non technical person I need your help to understand it properly, thank you so much Sr.

0
0
0.000