IFUNC'd up
Why you should stop blaming xz-utils for CVE-2024-3094. Also check out my ETSA Talk!
CVE-2024-3094, more commonly known as "The xz-utils backdoor", was a near miss for global cybersecurity. Had this attack not been discovered in the nick of time by Andres Freund, most of our planet's SSH servers would have begun granting root access to the party behind this attack.
Unfortunately, too much analysis has focused on how malicious code made its way into the xz-utils repo. Instead, I'd like to argue that two longstanding design decisions in critical open source software are what made this attack possible: linking OpenSSH against SystemD, and the existence of GNU IFUNC.
Before You Start: Much of this discussion deals with the intricacies of dynamic linking on Linux. If you need a refresher, check out dynamic_linking.md.
Quick Recap of CVE-2024-3094
There are tons of good writeups outlining the high-level details of the xz-utils backdoor, like Dan Goodin's What we know about the xz Utils backdoor that almost infected the world and Sam James' FAQ on the xz-utils backdoor (CVE-2024-3094) gist. We don't need to rehash all that here, so for the purposes of this article, here is a very coarse recap:
1. Some Linux distros modify OpenSSH to depend on SystemD.
2. SystemD depends on xz-utils, which uses GNU IFUNC.
3. Ergo, xz-utils ends up in the address space of OpenSSH.
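To make the third step concrete, here is an added example of the GNU IFUNC mechanism itself (written for this page, not code from xz-utils or the original post): a resolver that glibc's dynamic loader runs while the program is being loaded, before main, and that decides which code a perfectly ordinary-looking call to my_strlen lands on. The symbol and function names are made up for the illustration.

```c
/* Added example (not code from xz-utils or the original post): a GNU IFUNC
 * resolver, the glibc/GCC mechanism named in the recap above. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*count_fn)(const char *);

static int resolver_calls = 0;       /* how often ld.so invoked the resolver */
static int main_started = 0;         /* set by main(); 0 while ld.so is still loading */
static int resolved_before_main = 0;

/* Two interchangeable implementations of the same public symbol. */
static size_t count_bytewise(const char *s) {
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}
static size_t count_libc(const char *s) { return strlen(s); }

/* The resolver. ld.so calls it while processing the IRELATIVE relocation
 * for my_strlen, i.e. while the executable (or a shared library such as
 * liblzma) is being loaded, and binds my_strlen to the address it returns.
 * No user code has to call my_strlen for this function to run: that is the
 * property that turns any IFUNC resolver into a load-time hook inside
 * whichever process pulled the library in. */
static count_fn my_strlen_resolver(void) {
    resolver_calls++;
    if (!main_started)
        resolved_before_main = 1;
    /* Real resolvers select on CPU features; a fixed choice keeps this portable. */
    return sizeof(void *) >= 8 ? count_libc : count_bytewise;
}

/* Public symbol: callers see an ordinary function named my_strlen. */
size_t my_strlen(const char *s) __attribute__((ifunc("my_strlen_resolver")));

int ifunc_resolver_call_count(void) { return resolver_calls; }
int ifunc_resolved_before_main(void) { return resolved_before_main; }

int main(void) {
    main_started = 1;
    printf("resolver ran %d time(s) before main: %s\n", resolver_calls,
           resolved_before_main ? "yes" : "no");
    printf("my_strlen(\"xz-utils\") = %zu\n", my_strlen("xz-utils"));
    printf("resolver ran %d time(s) in total\n", resolver_calls);
    return 0;
}
```

Build with GCC on a glibc system; `readelf -s` on the resulting binary lists my_strlen with symbol type IFUNC, which is the same marker a defender can grep for when auditing which shared libraries carry load-time resolvers.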
... continue reading