On Thu, Apr 04, 2024 at 10:58:19AM +0000, Alexander Reichle-Schmehl via IBM TechXchange Community wrote:
> But as you raised the topic with the context of the xz backdoor
> usable via ssh, it is noteworthy to also note, that AIX should not
> be affected by CVE-2024-3094.
Thankfully it isn't vulnerable. AIX doesn't use glibc, isn't infected
by systemd, and any embedded x86 byte code wouldn't work on POWER.
I'm asking about the generic case.
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nl
Principal Consultant, Adams Systems Consultancy
https://adamssystems.nl/
Original Message:
Sent: 4/4/2024 6:58:00 AM
From: Alexander Reichle-Schmehl
Subject: RE: AIX and IBM and OSS supply chain attacks
Hi Russell,
I'm not speaking for IBM and can't comment on the core questions you raised.
But as you raised the topic with the context of the xz backdoor usable via ssh, it is noteworthy to also note, that AIX should not be affected by CVE-2024-3094.
At the time of writing the exploit requires:
- Package built as deb or rpm (Linux Weekly News has an excellent article on how that exploit works),
- OpenSSH using systemd,
- OpenSSH and/or systemd being linked against xz.
Given that none of these constraints are met on an AIX system, it is fairly safe to say that AIX is not affected by this backdoor, even though an official statement from IBM, just for the sake of having an official source, would be nice.
Best regards,
Alexander
------------------------------
Alexander Reichle-Schmehl
------------------------------
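The third precondition in the list above (OpenSSH and/or systemd linked against xz) is the one an administrator can verify directly on a host. The script below is an added example, not code from this thread, from IBM or from the xz/OpenSSH projects. It assumes a Linux-style `ldd` on the PATH and an sshd binary in the usual locations (or named via an assumed `SSHD_PATH` variable); AIX reports shared-library dependencies with `dump -H` instead, which this script does not cover. Because `ldd` lists transitive dependencies, an sshd that pulls in liblzma only through libsystemd is reported as well.

```shell
#!/bin/sh
# Added example (not from the thread): does the local sshd link liblzma (xz)?
# Assumes Linux-style `ldd` output; `SSHD_PATH` is an assumed optional override.

# Read ldd output on stdin; succeed (exit 0) only if a liblzma line is present.
# Matches e.g. "    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (...)".
lzma_in_ldd_output() {
    grep -E '^[[:space:]]*liblzma\.so[.0-9]*[[:space:]]' >/dev/null
}

# Locate sshd: SSHD_PATH first, then PATH, then the common install directories.
find_sshd() {
    if [ -n "${SSHD_PATH:-}" ] && [ -x "$SSHD_PATH" ]; then
        printf '%s\n' "$SSHD_PATH"
        return 0
    fi
    command -v sshd 2>/dev/null && return 0
    for p in /usr/sbin/sshd /usr/local/sbin/sshd; do
        [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Exit codes: 0 = sshd links liblzma (directly or via another library),
#             1 = it does not, 2 = undetermined (no sshd or no ldd on this host).
sshd_links_lzma() {
    sshd=$(find_sshd) || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd" 2>/dev/null | lzma_in_ldd_output
}

# Human-readable summary; always returns 0 so it is safe under `set -e`.
report() {
    if sshd_links_lzma; then
        echo "WARNING: sshd links liblzma; verify the provenance of the installed xz"
    else
        case $? in
            1) echo "OK: sshd does not link liblzma" ;;
            *) echo "UNKNOWN: could not locate sshd or ldd on this host" ;;
        esac
    fi
    return 0
}

# Constructed sample ldd output (not captured from a real host), used to
# exercise the parser offline. The first sample mirrors a systemd-enabled
# Linux build that reaches liblzma through libsystemd.
SAMPLE_LINKED='    linux-vdso.so.1 (0x00007ffd00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_CLEAN='    linux-vdso.so.1 (0x00007ffd00000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Run the live check only when asked: `sh check_sshd_lzma.sh --run`
if [ "${1:-}" = "--run" ]; then
    report
fi
```

A positive result only establishes that the precondition is met, not that the installed xz is the backdoored build; the next step is to check the xz package against the distribution's advisory. Note also that `ldd` may execute the dynamic loader against the inspected binary, so on a host already suspected of compromise prefer a static tool such as `objdump -p` or `readelf -d` to list `NEEDED` entries.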
Original Message:
Sent: Wed April 03, 2024 10:26 AM
From: Russell Adams
Subject: AIX and IBM and OSS supply chain attacks
I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.
The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.
As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?
I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.
------------------------------
========================
Russell Adams
https://adamssystems.nl/
========================
------------------------------