A backdoor has been discovered affecting SSH server deployments. For most people this should not be an issue, as it only affects very bleeding-edge installations, but it is important to verify that you are not vulnerable.
SSH is the de facto standard for remote access on Linux and is commonly accepted as a safe port to leave exposed on servers hosted on the Internet, although you should do so using SSH keys rather than passwords alone.
The root of the problem (pun intended) is a backdoored compression library (XZ) that is used by the SSH server. This vulnerability has been assigned CVE-2024-3094.
How to verify you are not running a backdoored version
Simply run: sudo apt list --installed | grep xz
This should return a result like this:
xz-utils/pikauwu,now 5.4.1-0.2 amd64 [installed,automatic]
If you see version 5.6.x, you are running a vulnerable version of XZ and should downgrade immediately to 5.4 or 5.5. Fedora has just downgraded all of its releases to 5.4, and most people will likely already be running 5.4.
How to verify multiple machines
Here's a trick if you use Ansible: you can check all Linux hosts in your inventory at once using the shell module.
ansible linux -m shell -a "apt list --installed | grep xz" -K
This runs an ad hoc shell command on every Linux machine in your inventory and produces output like this:
witness07 | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 amd64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness03 | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 amd64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
docka | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 arm64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness04 | CHANGED | rc=0 >>
xz-utils/jammy,jammy,now 5.2.5-2ubuntu1 amd64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
witness06 | CHANGED | rc=0 >>
xz-utils/jammy,jammy,now 5.2.5-2ubuntu1 amd64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Most witness nodes will likely be running Ubuntu 22.04 with version 5.2.5 of the XZ library and will be safe.
Although it is unlikely that you will have a vulnerable machine, it is worth checking to be sure.
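Reading that output by eye gets tedious past a handful of hosts, so here is an added example (not part of the original post) that parses the ad hoc shell module output and classifies each host by the page's 5.6.x criterion. The sample output and host names are constructed; a host whose grep returned nothing is reported as "unknown" rather than "ok", because liblzma5 can be installed without xz-utils and its package line would not match grep xz.

```python
import re

# Constructed sample of `ansible linux -m shell -a "apt list --installed | grep xz"`
# output (hypothetical hosts and versions, not from any real inventory).
SAMPLE_OUTPUT = """\
witness07 | CHANGED | rc=0 >>
xz-utils/jammy,now 5.2.5-2ubuntu1 amd64 [installed,automatic]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
build01 | CHANGED | rc=0 >>
xz-utils/testing,now 5.6.1-1 amd64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
docka | CHANGED | rc=0 >>
xz-utils/jammy,jammy,now 5.2.5-2ubuntu1 arm64 [installed]
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
minimal | FAILED | rc=1 >>
non-zero return code
"""

HOST_RE = re.compile(r"^(\S+) \| \w+ \| rc=(\d+) >>$")          # "host | CHANGED | rc=0 >>"
PKG_RE = re.compile(r"^([^/\s]+)/\S+ (\S+) \S+ \[[^\]]*\]$")     # "pkg/suite,now ver arch [flags]"

def parse_ansible_apt_list(text):
    """Return {host: {"rc": int, "packages": {name: version}}} from the shell module output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"rc": int(m.group(2)), "packages": {}}
        elif current is not None and not line.startswith("WARNING:"):
            m = PKG_RE.match(line)
            if m:
                hosts[current]["packages"][m.group(1)] = m.group(2)
    return hosts

def upstream_version(debian_version):
    """'5.2.5-2ubuntu1' -> '5.2.5': drop the Debian revision after the first '-'."""
    return debian_version.split("-", 1)[0]

def classify_host(entry):
    """'vulnerable' if xz-utils is upstream 5.6.x, 'ok' if another version,
    'unknown' if grep matched nothing (rc=1, host unreachable, or only liblzma5)."""
    version = entry["packages"].get("xz-utils")
    if version is None:
        return "unknown"
    return "vulnerable" if upstream_version(version).startswith("5.6.") else "ok"

def audit(text):
    return {host: classify_host(e) for host, e in parse_ansible_apt_list(text).items()}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{host:12} {status}")
```

Pipe the real Ansible output into audit() and follow up on every host reported as "unknown" with dpkg -l liblzma5 before treating it as safe.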
If you want more detail on the vulnerability, this video does a good job of explaining it.
You can also read the original discovery of the vulnerability on openwall.
If you are not using ansible, maybe now is a good time to check it out.
I also recommend checking out this excellent breakdown of the events leading up to this vulnerability here.