On 2024-03-30 18:49, Baptiste Jonglez via cfarm-users wrote:
Hello,

As you probably have heard, a seriously compromised version of xz-utils
and liblzma successfully made its way into Debian unstable and testing:

  https://lists.debian.org/debian-security-announce/2024/msg00057.html

  https://www.openwall.com/lists/oss-security/2024/03/29/4

According to our investigation, only a single machine of the cfarm has
been using the compromised packages: cfarm421.

As a remediation, we have updated the xz-utils packages on Fri Mar 29
17:23 UTC and rebooted the host.

Nobody seems to know yet what the malicious payload was doing exactly,
except that it targeted sshd.  If the malicious payload was allowing a
specific SSH key from an attacker, it would have been hard to exploit
because of the custom SSH port on cfarm421 and the relatively short
timespan for exploitation (from 2024-03-18 to 2024-03-29). We have found
no trace indicating that the system has been compromised.

If you have been connecting over SSH to cfarm421 since it was made
available on the farm, you should be aware that you have connected to an
sshd daemon that was running a malicious payload.  We should hopefully
learn in the coming days whether this is a serious problem or not.

Regards,
Baptiste, for the cfarm admin team

_______________________________________________
cfarm-users mailing list
cfarm-users@lists.tetaneutral.net
https://lists.tetaneutral.net/listinfo/cfarm-users


Unfortunately cfarm420 was also affected, as I found out. cfarm420 is running Arch Linux. As an emergency remediation, the package "xz" was upgraded to 5.6.1-2 at 2024-03-30T01:34:39+0000. No one was logged in at that time. No trace of compromise has been found so far in journald. While doing this I also found that cfarm420 wasn't very popular anyway, judging by the number of ssh login attempts...

https://archlinux.org/news/the-xz-package-has-been-backdoored/

https://lists.archlinux.org/archives/list/arch-annou...@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/

Other packages were also upgraded in the process, notably "curl" (8.7.1-3), "linux" and "linux-headers" (6.8.2.arch2-1). A reboot was done afterwards.

Let's hope this compromise doesn't turn out to be a serious issue in the end. Among the 3 hosts I maintain, cfarm421 is the most popular, followed by cfarm420 and cfarm422. Note that although the "official" custom SSH ports (2242x) are announced on the machine list, it is still possible to connect to these 3 hosts on the standard SSH port 22, over IPv6 only. This has been undocumented.

--
Jing Luo
About me: https://jing.rocks/about/
PGP Fingerprint: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC


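The two messages above describe the triage the admins did by hand: work out which hosts were running the backdoored xz-utils, and whether sshd on those hosts was actually loading the affected liblzma. The script below is an added example of that triage, written for this page and not code from the cfarm team or from either poster. It does two things: it resolves the liblzma that a given sshd binary loads (via `ldd`, which lists transitive dependencies, so it also catches the libsystemd -> liblzma path used by Debian-style sshd builds), and it flags the upstream release numbers that shipped the backdoor, 5.6.0 and 5.6.1. The caveat a practitioner needs: a distribution rebuild such as Arch's 5.6.1-2 mentioned above can still report "5.6.1" as its upstream version, so a version-string match only says "look closer", and the package manager's package revision (pacman -Q xz, dpkg -l xz-utils) is the authoritative signal. The `ldd` sample line used in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example: triage whether sshd on this host is linked against an
# upstream xz-utils release that shipped the backdoor (5.6.0 / 5.6.1).
# Not part of the cfarm thread; distro package revisions are assumed to be
# the authoritative signal, this is only a first pass.

# Return 0 (true) when the upstream version string is one of the two
# backdoored releases, 1 otherwise.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the upstream version from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no version
# number is found at the end of the line.
xz_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)$/\1/p'
}

# Read `ldd` output on stdin and print the resolved path of liblzma (the
# first field starting with "/" on the liblzma line), or nothing if sshd
# does not load liblzma at all.
liblzma_path_from_ldd() {
  awk '/liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Path of the liblzma that the given sshd binary actually loads, or empty.
sshd_liblzma_path() {
  sshd_bin="$1"
  [ -x "$sshd_bin" ] || return 0
  ldd "$sshd_bin" 2>/dev/null | liblzma_path_from_ldd
}

# Host check: never fails hard, so it can be dropped into a fleet loop.
check_host() {
  sshd_bin=$(command -v sshd 2>/dev/null || true)
  [ -z "$sshd_bin" ] && sshd_bin=/usr/sbin/sshd
  lib=$(sshd_liblzma_path "$sshd_bin" || true)
  if [ -z "$lib" ]; then
    echo "sshd ($sshd_bin) does not load liblzma; backdoor path not reachable via sshd"
  else
    echo "sshd ($sshd_bin) loads $lib"
  fi

  banner=$(xz --version 2>/dev/null | head -n 1 || true)
  ver=$(xz_version_from_banner "$banner")
  if [ -z "$ver" ]; then
    echo "xz not installed or version not parseable; check the package manager"
  elif is_affected_xz_version "$ver"; then
    echo "upstream xz $ver is an affected release: confirm the package revision"
    echo "(a rebuilt package such as Arch 5.6.1-2 still reports $ver)"
  else
    echo "upstream xz $ver is not a known backdoored release"
  fi
  return 0
}

check_host
```

On cfarm421 (Debian) and cfarm420 (Arch) the first line tells you whether sshd reaches liblzma at all, which is the precondition for the backdoor mattering; the second line is only a prompt to compare against the fixed package revision the posters mention, not a verdict on its own.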
