arthur2e5 | 1 year ago
(1) changing the RSA decrypt function in OpenSSH is all the code hidden in crc64 does: that's the only known behavior, but we don't know what the changed function does besides letting some authentication through, nor do we know if there are other things it does
(2) there's no malicious machine in your LAN exploiting the RSA decrypt to log onto your sshd: nobody has seen one yet, but it doesn't mean there's no such thing.
If you are not using a distro that does dpkg or rpm, or if your machine is not x86-64, you're free from the "code hidden in crc64", the one that targets sshd, CVE-2024-3094. Are there unknown backdoors? Who knows. Do we count the landlock sabotage as a backdoor?
It's hard to deal with unknowns. Assume the worst, maybe, but what even is the worst?
treffer | 1 year ago
It is unclear what exploiting means. The backdoor is doing _something_ for 0.5s if RSA key exchange happens.
So even a valid login might trigger not-yet-known side effects. It might just tunnel commands over DNS, for example (DNS being a well-known side effect of ssh anyway).
So "exploiting" might mean as little as "used ssh".
puffybuf | 1 year ago