iFunc'd Up! Or, Why you should stop blaming xz-utils for CVE-2024-3094
About the Speaker

Security Researcher at Independent
Robert French is the Grinch of computing. He hates it when your systems are up, and loves it when unplanned outages cause you to miss your kids' soccer games. His ideal morning involves waking up to news of major cyberattacks, outages, or general panic across the internet. He thinks Y2K was a disappointment, but is very excited about the Year 2038 Problem.
Presentation Resources
CVE-2024-3094, more commonly known as "The xz-utils backdoor", was a near miss for global cybersecurity. Had this attack not been discovered in the nick of time by Andres Freund, most of our planet's SSH servers would have begun granting root access to the party behind this attack. Unfortunately, too much analysis has focused on how malicious code made its way into the xz-utils repo. Instead, I'd like to argue that two longstanding design decisions in critical open source software are what made this attack possible: linking OpenSSH against systemd, and the existence of GNU IFUNC.