rss-bridge 2024-08-22T20:59:00+00:00

SE Radio 630: Luis Rodríguez on the SSH Backdoor Attack

Luis Rodríguez, CTO of Xygeni.io, joins host Robert Blumen for a discussion of the recently thwarted attempt to insert a backdoor in the SSH (Secure Shell) daemon. OpenSSH is a popular implementation of the protocol used in major Linux distributions for authentication over a network. Luis describes how a backdoor in a supporting library was recently discovered and removed before the package was published to stable releases of the Linux distros. The conversation explores the mechanism of the attack through modifying a function table in the runtime; how the attack was inserted during the build; how the attack was carefully staged in a series of modifications to the xz compression library (liblzma); the nature of "Jia Tan," the entity who committed the changes to the open source project; social engineering that the entity used to gain the trust of the open source community; what forensics indicates about the location of the entity; hypotheses about whether criminal or state actors backed the entity; how the attack was detected; implications for other open source projects; why traditional methods for detecting exploits would not have helped find this; and lessons learned by the community. Brought to you by IEEE Computer Society and IEEE Software magazine.
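The summary above mentions the attack's mechanism: code in a supporting library rewrites, at run time, the table through which the SSH daemon reaches a function and substitutes its own. The following added example (written for this page; it is not code from the episode, from xz, or from OpenSSH) shows one way a library can arrange that on glibc/Linux using an IFUNC resolver: the dynamic loader calls the resolver while it is binding the symbol `verify_key`, before `main()` runs, and binds the symbol to whatever function the resolver returns. That mechanism exists so a library can pick a CPU-optimized variant of a routine; nothing stops the resolver from picking a hooked one. The names `verify_key`, `verify_key_real`, `verify_key_hooked`, the `MAGIC` marker string and the `genuine-key` value are all hypothetical, and the marker check only stands in for whatever trigger a real implant would use, which the summary does not describe.

```c
/* Added example: load-time function substitution via a glibc IFUNC resolver.
 * Hypothetical names throughout; not code from xz, liblzma or OpenSSH. */
#include <stdio.h>
#include <string.h>

/* Set by the resolver so a caller can prove it ran before main(). */
static int resolver_ran = 0;

typedef int (*verify_fn)(const char *);

/* The legitimate implementation: accepts exactly one (hypothetical) key. */
static int verify_key_real(const char *key) {
    return strcmp(key, "genuine-key") == 0;
}

/* The implanted replacement: accepts any key carrying the attacker's marker
 * (hypothetical "MAGIC" stands in for a real trigger) and otherwise defers
 * to the real check, so normal users see no difference. */
static int verify_key_hooked(const char *key) {
    if (strstr(key, "MAGIC") != NULL)
        return 1;
    return verify_key_real(key);
}

/* The IFUNC resolver. The dynamic loader calls this while resolving the
 * symbol verify_key and binds the symbol to the returned function pointer.
 * Legitimately this is where a library would test CPU features; here it
 * silently selects the hooked variant. */
static verify_fn resolve_verify_key(void) {
    resolver_ran = 1;
    return verify_key_hooked;
}

#if defined(__ELF__) && defined(__GLIBC__)
/* verify_key has no body of its own: its address is whatever the resolver
 * returned when the program was loaded. Call sites look completely ordinary. */
int verify_key(const char *key) __attribute__((ifunc("resolve_verify_key")));
#else
/* Fallback for toolchains without IFUNC support (e.g. musl): the same effect
 * through a function pointer bound by a constructor, which also runs before main(). */
static verify_fn verify_key_impl;
__attribute__((constructor)) static void bind_verify_key(void) {
    verify_key_impl = resolve_verify_key();
}
int verify_key(const char *key) { return verify_key_impl(key); }
#endif

/* Helpers so the effect can be checked from outside this file. */
int resolver_ran_before_main(void) { return resolver_ran; }
int verify_key_genuine(const char *key) { return verify_key_real(key); }

int main(void) {
    const char *probes[] = { "genuine-key", "wrong", "wrong-MAGIC" };
    printf("resolver ran before main: %d\n", resolver_ran_before_main());
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s genuine=%d bound=%d\n", probes[i],
               verify_key_genuine(probes[i]), verify_key(probes[i]));
    return 0;
}
```

Compile with gcc on a glibc system and run it: `resolver_ran_before_main()` returns 1 although nothing in `main()` refers to the resolver, and `verify_key("wrong-MAGIC")` returns 1 while the genuine check rejects it. Reviewing the callers of `verify_key` shows nothing unusual, which is why source-level review of the consuming program alone would not catch a substitution made by a dependency at load time.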





Show Notes

Related Episodes

  • SE Radio 606: Charlie Jones on Third-Party Software Supply Chain Risks
  • SE Radio 541: Jordan Harband and Donald Fischer on Securing the Supply Chain
  • SE Radio 587: M. Scott Ford on Managing Dependency Freshness


Transcript

Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.

Robert Blumen 00:00:19 For Software Engineering Radio. This is Robert Blumen. Today I’m joined by Luis Rodriguez. Luis is the CTO of Xygeni, where he focuses on supply chain security. Prior to Xygeni, he held management positions and consultant roles at Argento and other software companies. Luis, welcome to Software Engineering Radio.

Luis Rodríguez 00:00:43 Hi, I appreciate the opportunity to talk on this podcast.

Robert Blumen 00:00:47 Would you like to say anything about your background that I didn’t mention?

Luis Rodríguez 00:00:50 I have worked mainly in the application security space for some 15-20 years, more or less, mainly on the vendor side. I was interested in application security and cyber security in general. And I worked in later projects on static analysis for application security vulnerabilities, and also in the SCA space, detecting vulnerabilities in third-party dependencies. I felt a bit guilty about producing a lot of noise, a lot of vulnerabilities. And in fact the new project, which is Xygeni, which I started as a co-founder, intends to correct that problem, to give a better approach to managing the vulnerabilities and also the malware, because there are not only the passive security problems but also the active ones, the issues that third-party bad actors are injecting into the supply chain. This is what we are focused on right now.

Robert Blumen 00:01:55 Supply chain security has been in the news a lot. We have covered it on Software Engineering Radio a few times: Episode 535 on Supply Chain Attacks, 541 on Securing Open-source Supply Chains and 606 on Third Party Supply Chain Risks. Today we will be talking about a celebrated, or maybe I should say infamous, supply chain attack on the SSH daemon through a package called XZ. This attack has been widely reported in the media, and I followed this to some extent, although I wouldn’t call myself a security researcher. I didn’t feel that the media really dived very deeply into this, and hopefully we will be doing that today. I want to start out by covering what has already been reported. Could you give a summary of the attack, and then we’ll delve more into details.

Luis Rodríguez 00:02:55 Sure. Basically, a malicious actor created a command execution backdoor in a popular Linux compression library, LZMA, XZ for short, resulting in a backdoor in another popular remote access system, which is OpenSSH. This was an advanced server supply chain attack with obfuscation hiding this behavior from reviewers. It was detected on March 28th this year, just one month after it was injected, and it was quickly contained, so it did not enter stable distributions, which fortunately is a lucky thing. Because imagine if you have a back door open in more than 20 million potential OpenSSH servers hanging on the internet, you have a big problem.

Robert Blumen 00:03:50 What would the attacker have been able to do if this attack had been distributed?

Luis Rodríguez 00:03:56 As I mentioned, there were something like more than 20 million OpenSSH servers hanging on the internet. That means that the bad actor has access to arbitrary commands on the selected targets. He could wreak havoc in a lot of places. The problem was contained, but it could have been much worse than it was in the end. This is the end of the thing, but the problem is that it opened a can of worms: what happens if this is not the only backdoor in a popular system hanging on the internet? This is what we’re taking into account right now.

Robert Blumen 00:04:36 Now you have raised a point that there could be other similar attacks that have not been detected. I do want to come back to that question, but before we go there, I’d like you to describe how the attack was detected.

Luis Rodríguez 00:04:52 A Postgres developer named Andres Freund detected a performance issue with the SSH server he was testing. He detected that logging in took half a second more than usual. So he decided to investigate, to perform some internal research on that. First, he extracted the tarball, the distribution tarball for OpenSSH. He tried to look for something there, but he found nothing, nothing relevant. He then performed some performance testing with the OpenSSH service, and he found that there was a library, which was the LZMA library, which was acting as a CPU hook. And he did some debugging, and he detected that the library was doing something strange, which was modifying the system library and modifying the table for functions and injecting a different function, which was the pre-authentication function that SSH uses for validation of the public key presented by the client.

[...]

