What's the worst that could have happened had xz gone unnoticed?

Question

Like many, I've been reading about the deviousness of the xz exploit and understand it would give the author the ability to run arbitrary code on machines that had it installed.Had this gone unnoticed, over, say, the next 12-36 months, what could have occurred if a maximally malicious actor did their worst? (assuming a variety of motivations - e.g. desire to attack rival state(s) a la stuxnet, greed, pure vandalism, other)I suspect without additional exploits to get through other security layers on critical infrastructure, things like launching nukes from silos/submarines, running carriers ashore, mass deleting icloud/google drive/onedrive would be out of the question. (that's a guess).It's not known who's responsible, nor their motivations, but at least in theory, what are some of the worst cases that could have happened had the exploit gone unnoticed?

dagelf · Accepted Answer

All of the above, stealing of money, secrets, AI model weights, destruction, access to crypto passphrases, spam, impersonation, blackmail ... maybe not directly to systems with good security, but its like picking a lock, every bit of progress helps, security exists in layers, and one weak layer compromises the next... ssh is a pretty fundamental technology, and highly trusted.There are wonderfully colorful podcasts about this. Darknet Diaries is pretty decent, and entertaining, for public consumption.

yogorenapan · Answer

The attacker would probably want to keep the exploit hidden, thus probably restricting themselves to data exfiltration rather than outright obvious attacks. Considering that&rsquo;s it&rsquo;s a state actor, perhaps people arrested and dark web sites shut down.

photonthug · Answer

SSH access is scary of course but lots of the machines involved would probably still be inaccessible in private networks. Other payloads for exfil scare me more.What freaks me out is the idea of every android on the planet being compromised overnight. Since you can&rsquo;t effectively opt out of updates these days, and since decompression tools are going to be involved with elevated privileges, it feels like we were pretty close to that kind of worst case

sitkack · Answer

Massive worm that would be nearly impossible to shutdown.
DC and Cloud takeover due to hitting an ssh bastion host.
Infecting codebases via compromised sshd+git. We really should be signing all of our commits.

ramses0 · Answer

The "payload" was devious in that it basically said: if $ssh_key && $payload.sig && $host.sig
Can't (easily) be replayed with a network capture against a different host or with a different payload, and can't be triggered without a specific key. Truly laser-like in focus.
My personal theory for "next step" would be: if uncompressing.contains( "linux" || "curl" ) => $extra.payload()
With such a skilled attack, and the potential to _deeply_ reach arbitrary public systems, imagine the chaos of "ssh github.com && pwn( curl, gzip, git, node, ... )"
...each stealthier than the last. Most SHA-sums are against the archive, not the individual file contents. An untrustable archiver or network transfer tool (especially in combination!) is terrifying...

What's the worst that could have happened had xz gone unnoticed?

The attacker would probably want to keep the exploit hidden, thus probably restricting themselves to data exfiltration rather than outright obvious attacks. Considering that’s it’s a state actor, perhaps people arrested and dark web sites shut down.

Massive worm that would be nearly impossible to shutdown.DC and Cloud takeover due to hitting an ssh bastion host.Infecting codebases via compromised sshd+git. We really should be signing all of our commits.

Massive worm that would be nearly impossible to shutdown.
DC and Cloud takeover due to hitting an ssh bastion host.
Infecting codebases via compromised sshd+git. We really should be signing all of our commits.