How much using Qubes would minimize impact of XZ backdoor if it actually got into the stable channel of Fedora/Debian?

I wonder how much less would the impact be on Qubes compared to a monolithic Linux distro, if XZ backdoor was never detected?

The vulnerability, as of today, is only known to allow to execute remote code through the SSH daemon.

By default, Qubes OS doesn’t run any ssh daemon, and if you did, it would only be in sys-net (or you would have to do port forwarding to the qube with ssh). In the worst-case scenario, only the qube where ssh is reachable would be compromised.

2 Likes
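A dom0 audit script along the lines of the point above, as an added example that is not from any post in this thread: it reports which running qubes have something listening on TCP port 22, so the per-qube exposure is visible. It assumes a dom0 shell with qvm-ls and qvm-run, and that the qubes have the ss tool installed; the sample ss output below is constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): list which running qubes have a
# TCP listener on port 22. Assumes a dom0 shell with qvm-ls and qvm-run, and
# qubes that provide the `ss` tool (iproute2). Run with --audit from dom0.

# Read `ss -tln` output on stdin and print "listening" if any socket is in
# LISTEN state on local port 22 (IPv4 or IPv6), otherwise "none".
ssh_listener_from_ss() {
    # Skip the header line; column 4 is "Local Address:Port".
    if awk 'NR > 1 && $1 == "LISTEN" && $4 ~ /:22$/ { found = 1 }
            END { exit !found }'; then
        echo listening
    else
        echo none
    fi
}

# Ask every running qube for its listening TCP sockets and summarise.
# qvm-ls --raw-list prints one qube name per line; qvm-run --pass-io relays
# the command's stdout back to dom0.
audit_running_qubes() {
    for vm in $(qvm-ls --running --raw-list); do
        [ "$vm" = "dom0" ] && continue
        status=$(qvm-run --pass-io "$vm" 'ss -tln' 2>/dev/null | ssh_listener_from_ss)
        printf '%-20s port 22 listener: %s\n' "$vm" "$status"
    done
}

# Constructed sample output of `ss -tln`, so the parser can be exercised
# without a Qubes installation.
SAMPLE_SS_WITH_SSHD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*'

SAMPLE_SS_NO_SSHD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*'

if [ "${1:-}" = "--audit" ]; then
    audit_running_qubes
fi
```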

if it actually got into the stable channel of Fedora/Debian

It has not got there:

I wonder how much less would the impact be on Qubes compared to a monolithic Linux distro, if XZ backdoor was never detected?

“As of March 29, reverse engineering of the backdoor is still ongoing.” (source)

On this GitHub gist, there are hourly updates about the vulnerability: xz-utils backdoor situation (CVE-2024-3094) · GitHub

1 Like

Why do you call it vulnerability?
IIUC, it is a backdoor.

It’s an RCE vulnerability which was introduced. XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable." | Hacker News

The certificate the attacker uses to authenticate would contain the payload. Some researcher was able to replace the hardcoded certificate check with their own and made a demo repository where you could test the RCE out. Without the correct cert checked for in the original code nobody can exploit the vulnerability unless they modify it.

So yeah it’s kinda both a vulnerability and a backdoor since it’s gated.

Isn’t a backdoor a type of vulnerability?

A vulnerability is unintentional while a backdoor is intentional, I believe

1 Like

Do you have a source for vulnerabilities being unintentional? I haven’t heard of this. For example, Vulnerability (computing) - Wikipedia doesn’t seem to mention unintentionality as a criterion, as far as I can tell.

If you add the flaw deliberately, it is normally called a bugdoor. The XZ backdoor was not a flaw, the software was working as intended.

I call this bikeshedding.

2 Likes

Can someone remind me please what it’s called when open source is deliberately used as a trust source and then some malicious code is injected into it?

Moderation note—to all concerned: this vocabulary battle is off-topic, please either reply to the OP or refrain from posting further in this thread.

1 Like

OK sorry

2 Likes