DevSec Selection #5 – XZ Backdoor, Damn Vulnerable RESTaurant

April 11, 2024

Intro

Hi!
Most of the news from last week was related to the XZ backdoor, so I selected the two most interesting articles on this topic. The first article presents a less technical debate about the problem of backdoors in open-source software, written by lcamtuf. The other article is highly technical and describes a bash-stage obfuscation of the backdoor.

Moreover, you can find excellent resources for implementing authentication mechanisms in web applications and for understanding the security aspects of CI/CD.

Last but not least, I released my latest project – Damn Vulnerable RESTaurant. It focuses on identifying and fixing web API security vulnerabilities. It offers an interactive challenge for developers and provides exploitation opportunities for ethical hackers.


Materials

This great article presents the daring plot to plant a backdoor in the liblzma compression library, a dependency of OpenSSH. A mysterious developer named Jia Tan emerged to maintain the library and slipped in a backdoor targeting OpenSSH. The intricate scheme involved manipulating Linux distros to distribute the compromised library. The incident highlights the challenges faced by maintainers of small foundational open-source software, and the complex nature of cybersecurity threats. Professional actors, possibly state-sponsored, are suspected behind the operation. The article raises concerns about the lack of resources and support for maintaining critical open-source projects. It suggests that the issue goes beyond technology and requires a counterintelligence approach. The saga underscores the need for vigilance in the open-source community and the involvement of governments and tech giants in addressing such threats.


A guideline for implementing authentication in web applications, covering topics like server-side tokens, sessions, password authentication, and more. It emphasizes utilizing OWASP Cheat Sheet Series for comprehensive security. Created by Pilcrow, it’s a free, open-source, community-maintained resource to enhance web app security.


This informative article by Gologic and Alexandre Couëdelo explores the crucial security measures needed for DevSecOps CI/CD pipelines. It emphasizes the importance of developer and workload identity verification, secure artifact storage, supply chain vulnerability mitigation, and more. Securing your software development cycle protects your data and your business. Great insights for balancing speed and security in software delivery.


This article presents Wiz Research’s partnership with Hugging Face to uncover security risks in AI cloud services. They found risks in shared infrastructure that could lead to cross-tenant access. Wiz uploaded a malicious model, gaining remote code execution via a Pickle file and then escalating privileges in AWS EKS. This highlights the importance of strong security practices at AI service providers to protect sensitive data.


Recently, a critical Linux privilege escalation exploit affecting kernel versions 5.14 to 6.6 was released. The flaw grants root access, impacting Debian, Ubuntu, Red Hat, and more. Patched as CVE-2024-1086, it has a 7.8 CVSS rating. Exploit details were shared by Notselwyn, with source code available.


This technical article presents the discovery of a backdoor in xz liblzma affecting OpenSSH. It walks through how obfuscated bash code was used to extract and execute the backdoor in different stages. Clever obfuscation techniques were employed, utilising only commands available in a standard Linux environment.


An introduction to a security code challenge for developers and ethical hackers called Damn Vulnerable RESTaurant. It focuses on identifying and fixing web API security vulnerabilities, offering interactive challenges for developers and exploitation opportunities for ethical hackers. The game includes various vulnerabilities following OWASP’s API Security Risks 2023 list. Check it out on GitHub and start playing to enhance your skills.

Interesting Article?

Join DevSec Selection!

DevSec Selection is a bi-weekly newsletter with the latest outstanding articles related to DevSecOps and application security.

