
    Secret Backdoor Found in XZ Utils Library, Is ubuntu touch affected?

        Charly

        Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros.
        Is ubuntu touch affected?

        Greetings
        Charly

        UT 20.04 on Volla X23

          arubislander @Charly

          @Charly This is a great question! The short answer is 'no'. The version of the library available in the repositories used by UT does not contain this vulnerability.

          The long answer is more interesting. According to The Hacker News article I read, the vulnerable library versions are 5.6.0 and 5.6.1. The vulnerability seems to involve potentially exposing SSH services to unauthorized access.

          Opening the Terminal app and running apt-cache policy xz-utils on Focal gives the following output:

          phablet@ubuntu-phablet:~$ apt-cache policy xz-utils
          xz-utils:
            Installed: (none)
            Candidate: 5.2.4-1ubuntu1.1
            Version table:
               5.2.4-1ubuntu1.1 500
                  500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
                  500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages
               5.2.4-1 500
                  500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages
          phablet@ubuntu-phablet:~$


          As you can see, Focal carries version 5.2.4 of the library. Notice that the library isn't even installed by default, which would be the case for most users. Furthermore, even if it were installed, SSH is also disabled by default, unless you have enabled Developer mode in the System Settings, which most users will not have done.
          Additionally, even with Developer mode enabled, some ports still require the user to manually start the SSH server for use, on every reboot. Then, even after all of this were in place, a malicious actor would need to be on the same network your device is connected to by WiFi to even attempt to exploit this vulnerability, as the SSH daemon on UT does not listen on the mobile network interface. (That is one reason you should be mindful when connecting to public WiFi.)
          So an out of the box install of UT is not affected by this vulnerability.

          What about applications that install and use their own version of the xz library? As long as they are confined and do not start their own SSH server using the library, then this vulnerability would also not be able to be exploited.
          Unconfined apps could potentially install a compromised version of the library system-wide, but unless they also start an SSH server, and configure it to listen on the mobile interface, they would still face most of the challenges mentioned above.

          Happily running Ubuntu Touch
          Google Pixel 3a (20.04 DEV)
          JingPad (24.04 preview)
          Meizu Pro 5 (16.04 DEV)
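
          Added example (not code from the forum post or from the UBports project): a small POSIX shell check that does by script what the reply above does by eye. It parses `apt-cache policy xz-utils` output for the Installed and Candidate versions, strips the Debian revision and epoch, and flags the upstream versions the reply names (5.6.0 and 5.6.1); it also lists which local addresses have a listener on port 22, from `ss -ltn` output, so you can confirm sshd is not bound on an interface you did not expect. The policy and `ss` outputs embedded below are constructed samples (the policy one mirrors the Focal output in the reply), and the function names are mine.

```shell
#!/bin/sh
# Added example: check an xz-utils package report against the affected
# upstream versions, and list port-22 listeners from `ss -ltn` output.

# Upstream xz versions named in the thread as carrying the backdoor.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# upstream_version VERSION
#   Strip a leading epoch ("2:") and the Debian revision ("-1ubuntu1.1"),
#   leaving only the upstream version to compare against AFFECTED_VERSIONS.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# affected_status VERSION
#   Print "affected" if the upstream part of VERSION is a known-bad release,
#   otherwise "clean". "(none)" is treated as clean (nothing to exploit).
affected_status() {
    as_v=$(upstream_version "$1")
    for as_a in $AFFECTED_VERSIONS; do
        if [ "$as_v" = "$as_a" ]; then
            echo affected
            return 0
        fi
    done
    echo clean
}

# installed_version POLICY_TEXT / candidate_version POLICY_TEXT
#   Extract the "Installed:" / "Candidate:" field from `apt-cache policy`
#   output passed as one string; print "(none)" if the field is absent.
installed_version() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*Installed:/ { print $2; found=1 }
                              END { if (!found) print "(none)" }'
}
candidate_version() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*Candidate:/ { print $2; found=1 }
                              END { if (!found) print "(none)" }'
}

# check_policy POLICY_TEXT
#   One-line verdict: judge the installed version if there is one, otherwise
#   report what apt would install and whether that candidate is affected.
check_policy() {
    cp_inst=$(installed_version "$1")
    cp_cand=$(candidate_version "$1")
    if [ "$cp_inst" = "(none)" ]; then
        printf 'not installed; candidate %s is %s\n' "$cp_cand" "$(affected_status "$cp_cand")"
    else
        printf 'installed %s is %s\n' "$cp_inst" "$(affected_status "$cp_inst")"
    fi
}

# ssh_listen_addresses SS_TEXT
#   From `ss -ltn` output, print the Local Address:Port of every TCP listener
#   on port 22. Compare these against your WiFi and mobile interface addresses.
ssh_listen_addresses() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":")          # last field after ":" is the port,
        if (a[n] == "22") print $4     # works for IPv4 and bracketed IPv6
    }'
}

# Constructed sample: the Focal output quoted in the reply above.
SAMPLE_POLICY='xz-utils:
  Installed: (none)
  Candidate: 5.2.4-1ubuntu1.1
  Version table:
     5.2.4-1ubuntu1.1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
        500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages
     5.2.4-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages'

# Constructed sample `ss -ltn` output: sshd bound only on a WiFi address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    192.168.1.23:22      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*'

echo "Sample policy: $(check_policy "$SAMPLE_POLICY")"
echo "Sample port-22 listeners: $(ssh_listen_addresses "$SAMPLE_SS")"

# Live check on the current device, if the tools are present.
if command -v apt-cache >/dev/null 2>&1; then
    echo "This device: $(check_policy "$(apt-cache policy xz-utils 2>/dev/null)")"
fi
if command -v ss >/dev/null 2>&1; then
    echo "This device, port-22 listeners: $(ssh_listen_addresses "$(ss -ltn 2>/dev/null)")"
fi
```

          On a Focal device the live check should print the same verdict as the sample; an empty listener list means no SSH daemon is bound at all, which is the expected state unless Developer mode is on and the server has been started.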

            Charly @arubislander

            @arubislander
            Thanks for the fast answer!

            Greetings
            Charly

            UT 20.04 on Volla X23
