Don't panic. SSH exploit in bleeding edge code you shouldn't run on a server

Clever hack, but I guess it was a performance killer, so it was probably gonna get weeded out.

Mainly posting as a point of interest.


I disabled ports 21 and 22 on the firewall after the Virtualmin install to prevent stuff like this and brute forces. A built-in terminal and file manager in Virtualmin with OTP enabled is a great way to maximize the server’s security.

I don’t think we should discount how lucky we were that it was found so quickly. This was an impressive operation spanning years, to exploit a critical package that not a lot of people realized was in the critical path for ssh on many Linux systems.

The guy who found it was much more curious about the change in ssh performance than most people would have been. It could have gone unnoticed long enough to end up in stable distros pretty easily, I think. It was already in Debian testing, which is well on the way to stable.

I’m pretty shook about it, even though I don’t run any production servers on experimental/development distro versions (and you’d be crazy to do so).

The whole story is pretty wild, and I think it tells us that state actors (hard to guess who in this case, but maybe China or Russia; timestamps of commits hint at Eastern Europe) are investing a lot in exploiting the OSS supply chain (which now drives everything in the world; you can’t competitively build software today without relying on huge swaths of OSS code). I’d be surprised if there aren’t other similar exploits that haven’t been discovered in other software. If not already, then they’re certainly being worked on.


I appreciate the trust you place in us, and we do have a good security track record (and I also run Webmin on lots of servers and have for about 25 years, and have never had an exploited system via Webmin, thus far), but, realistically, openssh has vastly more development attention being paid to it. I think you can trust openssh at least as much as Webmin.

This wasn’t an exploit of openssh, but an exploit of a bit of hackery that looped systemd into the login process, and systemd depends on liblzma. Presumably there will be some debriefing about whether that kind of interop is really necessary and, if so, how to make it safer and lower the attack surface. I suspect the openssh devs are pretty pissed right now that they’re catching flak for code they didn’t write, and probably would not have written.

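The dependency chain described in the post above (sshd → libsystemd → liblzma) can be checked on a host. The script below is an added example, not code from the forum post or from the Virtualmin project. It assumes a Linux sshd at /usr/sbin/sshd, and the ldd output it runs against offline is constructed, not captured from a real system. Upstream OpenSSH does not link libsystemd; several distributions patch it in for service readiness notification, and libsystemd in turn depends on liblzma, which is how a compression library reached the login path.

```shell
#!/bin/sh
# Added example: does this sshd end up with liblzma mapped into its address
# space, directly or behind libsystemd? Not code from the post or Virtualmin.

# Constructed ldd-style output, not captured from a real host. This one
# resembles a distro sshd with the systemd patch: libsystemd appears, and ldd,
# which lists transitive dependencies, shows liblzma pulled in behind it.
SAMPLE_PATCHED_SSHD='    linux-vdso.so.1 (0x0000000000000001)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000002)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000003)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000004)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000005)'

# Constructed output resembling an unpatched build: no libsystemd, no liblzma.
SAMPLE_PLAIN_SSHD='    linux-vdso.so.1 (0x0000000000000001)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000004)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000005)'

# classify_sshd_deps LDD_OUTPUT
# Prints exactly one word:
#   liblzma-loaded  - liblzma is mapped into sshd (the exposed configuration)
#   libsystemd-only - libsystemd present but no liblzma listed (unusual; look
#                     at how that libsystemd was built)
#   clean           - neither library is involved
classify_sshd_deps() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then
        echo liblzma-loaded
    elif printf '%s\n' "$1" | grep -q 'libsystemd\.so'; then
        echo libsystemd-only
    else
        echo clean
    fi
}

# check_local_sshd [PATH]
# Classifies the installed sshd. ldd resolves the tree by handing the file to
# the dynamic loader, so only point it at a binary you already trust.
# `objdump -p` lists only direct NEEDED entries and would show libsystemd
# but miss the liblzma behind it.
check_local_sshd() {
    bin=${1:-/usr/sbin/sshd}
    if [ ! -x "$bin" ]; then
        echo "no sshd binary at $bin" >&2
        return 2
    fi
    classify_sshd_deps "$(ldd "$bin" 2>/dev/null)"
}

echo "constructed patched sshd: $(classify_sshd_deps "$SAMPLE_PATCHED_SSHD")"
echo "constructed plain sshd:   $(classify_sshd_deps "$SAMPLE_PLAIN_SSHD")"
check_local_sshd || true
```

Run `check_local_sshd` on a host you administer to see which case applies; a result of `liblzma-loaded` means the login daemon's attack surface includes whatever version of liblzma the distribution ships, which is exactly the coupling the post questions.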

It also reminded me why Open Source communities must be moderated, and pretty strictly. The attack began a couple years ago, with users being abusive to the lone maintainer of the project about not doing things fast enough and not doing what the “community” wanted. And, then “Jia Tan” steps up to “help” the maintainer and relieve the pain of being the lone volunteer maintainer of critical code who’s going through some mental health and life issues. Insidious stuff.

I think I’m going to become more strict about moderation around here, including stuff directed at staff; historically, I’ve mostly only removed stuff that was directed at other users and erred on the side of leaving stuff if it was borderline (some sentimental “free speech” urge). But, making Open Source communities kinder is necessary to avoid this kind of thing, and it starts at home.

So, the line for what counts as abuse around here is moving. Less “benefit of the doubt”, more “be friends or fuck off”.


I’m stealing this post for another forum. Sue me. :wink:

@Joe I don’t have much knowledge of Linux when it comes to development or writing scripts. I am only a web developer who also has a passion for learning about Linux. I appreciate that you created such powerful engine/management tools as Webmin and Virtualmin. It must have required a lot of knowledge, especially making a free version when you could have profited from it like other panels. It is like a gift to the Internet, which is inspirational.

If I had similar knowledge (including Perl), I would gladly become a contributor. But I don’t think I will have time to become one. Web development alone requires lots of knowledge and time, especially learning new stuff as technology and programming languages continue to improve. At the end of the year, I am going to choose Virtualmin Pro Unlimited to launch a shared hosting project with my own control panel, designed from scratch, which will use the Virtualmin API.