Watch out with SSHd and Linux, it has a backdoor!

Hi all,

This is serious…SSHd has been compromised…

Watch your back…and update your system…

This is a serious problem if SSHd is reachable to anyone on your server.

Bas.

If you only heard about it now, you may as well forget about it. As far as I’m aware all Linux distros have taken measures meanwhile removing the affected versions from their package repositories. No major Linux distro was carrying the compromised version in a stable release.

While this has been a very serious incident with potentially devastating consequences, it was caught before it could spread widely. There are also no known cases of the backdoor having led to any breaches.

Last but not least, your wording is a bit “hyped”. While the backdoor was targeting sshd, what was compromised was not sshd itself, but xz-utils.

7 Likes

Seems Debian stable was never affected, so I’m happy :)

3 Likes

And only on Linux with systemd - as far as I know.

Not exactly. It was/is a stepping stone by which sshd got linked to libxz. It seems the malicious code was targeting Debian and derivatives as well as RPM based distros. But that may as well have only been the first step.

1 Like

I had only in mind that Debian is patching something in libsystemd which depends on libxz or so.

“openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.”

As you mention, most Linux distros have updated or haven’t been affected by this because they used an older version than 5.6.x

I was glad too that Debian (stable) wasn’t affected :)

Plus, the way of providing systemd notifications differs per distro. Upstream openssh recommends implementing systemd-notify independently, while downstream distros prefer re-using what’s already there. But, since systemd-notify is not a standalone library, it pulls in the entire systemd stack, while the notify mechanism itself doesn’t even need libxz.

Bottom line: there are lessons to be learned from this all around.

3 Likes
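The dependency chain described in the replies above (distro-patched sshd, then libsystemd, then liblzma) can be read off `ldd` output. The script below is an added example and not part of any post in the thread; the sample `ldd` text, the function names and the verdict strings are constructed, and the 5.6.x match follows the version wording used in the thread.

```shell
#!/bin/sh
# Added example: classify an sshd build by the linkage chain discussed in the thread.
# It works on text, so saved output collected from other hosts can be fed in as well.
# Live use: assess "$(ldd "$(command -v sshd)")" "$(xz --version)"

# Constructed sample: ldd output of a distro-patched sshd (systemd notification).
SAMPLE_LDD_PATCHED='  libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)
  libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000002000)
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000003000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000004000)'

# Constructed sample: ldd output of an sshd built without that patch.
SAMPLE_LDD_PLAIN='  libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000002000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000004000)'

# has_lib LDD_TEXT NAME: true when a shared object NAME.so[.N...] is listed.
has_lib() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2\.so(\.[0-9]+)*[[:space:]]"
}

# xz_is_56x VERSION_TEXT: true when the text contains a 5.6.x version number.
# Assumption: the xz tool and liblzma come from the same xz-utils release.
xz_is_56x() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])5\.6\.[0-9]+'
}

# assess LDD_TEXT VERSION_TEXT: print one verdict line.
#   not-linked        sshd does not load liblzma at all
#   review via=...    liblzma is loaded and xz-utils reports 5.6.x
#   older-xz via=...  liblzma is loaded, xz-utils is not 5.6.x
assess() {
    via=other
    has_lib "$1" libsystemd && via=libsystemd
    if ! has_lib "$1" liblzma; then
        echo "not-linked"
    elif xz_is_56x "$2"; then
        echo "review via=$via"
    else
        echo "older-xz via=$via"
    fi
}

assess "$SAMPLE_LDD_PATCHED" "xz (XZ Utils) 5.6.1"
assess "$SAMPLE_LDD_PATCHED" "xz (XZ Utils) 5.4.1"
assess "$SAMPLE_LDD_PLAIN" "xz (XZ Utils) 5.6.1"
```

A `review` verdict only means the host matches the conditions named in the thread; the distro's own advisory and package changelog decide whether the installed package is a fixed or reverted build.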
