Hello and welcome to the Monday, April 1st, 2024 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, I'll do something a little bit different today and that's covering only one individual topic on Friday, Andrus Freund did publish a mailing list post to the

open source security mailing list, and in this post, Andrews Freund did explain his work in discovering

a backdoor in the popular XC Util package.

XC Utils includes a popular compression library and utilities to use this library.

The backdoor itself was actually in the compression library, and then, of course, potentially by running the tools,

you could start the back door, but that's not actually how it works. This backdoor specifically

targets System D. System D is used to launch various demons, and the way the back door works is that essentially

it waits for connections to the SSH demon.

And no, it's not one of those simple, hey, you connect with the right key and you are logged

in.

It's a bit more complex in that it looks for the right key, but then actually executes

code that is being sent by the user, so the user actually never logs in.

So again, version 560 and 561 are affected.

Luckily, these versions were released relatively recently. So for the few versions

that are affected, like for example, Arch Linux and Kali Linux, they're only affected if you

update it within approximately the last week. You're also not affected if you are running on a processor other than x86-64,

so all your Raspberry Pi users are not affected. And in Mac OS, if you are using HomePro

to install packages, you may have received the backdoor version last week, but this particular backdoor

was actually not included based on how this particular version was created. And with that,

let's talk a little bit about the history and sort of what we currently know about what exactly

...