[sf-lug] SolarWinds attack compromises run-of-the-mill Linux user? (was: sudo problem for users)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Feb 17 02:50:59 PST 2021


Well, first of all, don't want to mix up or confuse what you're
asking about.  The SolarWinds mess, and the big sudo security issue
are for all intents and purposes unrelated.

So, first what you asked:
> Hi, does anyone know if this SolarWinds attack compromises the
> run-of-the-mill Linux user?
"It depends", but in general, no.  That particular supply chain attack
was for a security product used typically by large organizations in
conjunction with, at least as best I'm guesstimating from what I read/skimmed
much earlier, Microsoft's Active Directory (AD) authentication/security
component - typically used to manage, e.g., logins and access, across
small to huge enterprises.  So, impact on the typical Linux user?  In most
cases, no.  However, that doesn't mean it couldn't do so via various
indirect means.  E.g., the SolarWinds attack leveraged to gain access to
some other vulnerability, potentially directly or indirectly against
Linux.  Or it could be a case of Linux host(s) using AD authentication - as
such can be tied in, e.g., via PAM or LDAP.
But as a general rule, no *direct* impact to Linux, and as for
by other means / indirect ... "it depends" - but not typically.

And, in case you meant to ask about the earlier sudo breach, that would
impact most all Linux hosts, as most Linux distros would have sudo, and
most would typically have sudo installed.  The issue was local privilege
escalation.  Any user/ID having local access, and with the vulnerable sudo
installed - even without permissions to use sudo, but just able to run the
sudo binary(/ies) - said user/ID could escalate to root - hence a fairly
big deal, and one best to be patched/updated/fixed promptly.  But not
remotely exploitable ... but still pretty serious, especially in regards
to what could be gained locally (root - total control of the host), and
how relatively easily.

> From: "Christian Einfeldt" <einfeldt at gmail.com>
> Subject: Re: [sf-lug] sudo problem for users
> Date: Wed, 17 Feb 2021 00:01:38 -0800

> Hi, does anyone know if this SolarWinds attack compromises the
> run-of-the-mill Linux user?
>
> On Mon, Feb 1, 2021 at 8:21 PM Michael Paoli <Michael.Paoli at cal.berkeley.edu>
> wrote:
>
>> > From: "Bobbie Sellers" <bliss-sf4ever at dslextreme.com>
>> > Subject: [sf-lug] sudo problem for users
>> > Date: Mon, 1 Feb 2021 12:13:13 -0800
>>
>> >     I checked and no one has noted anything about this problem.
>>
>> Well, I saw it, acted in timely manner - including notifying relevant
>> co-workers, and appropriate timely action was generally taken.
>>
>> I thought about posting it to one of the LUG lists or something like that,
>> but I figured for the most part, those that were particularly interested
>> in it and cared about it, already knew.  Most any reasonable distro
>> with reasonable security alert mechanisms, it was there well to see in
>> quick order - that's where I first spotted it - or at least I'd presume
>> that was generally the case.
>> Let's see ... hit my "inbox" at ...
>> Received: ... Tue, 26 Jan 2021 10:06:34 -0800 (PST)
>> Anyway, can't find it now, but there was mention in at least one
>> bit I read on a specific coordinated embargo/release time (wasn't thinking
>> to particularly note/remember it at the time - but I thought it said
>> something about 6pm ... but I don't recall mention of timezone ... looking at
>> that bit from my Received header, I'm guestimating it may have been
>> 6PM / 18:00 UTC / GMT0 on 2021-01-26) - so once that
>> time hit, essentially everyone that had security fixes or (to be) public
>> releases/advisories - that all basically hit right at or very shortly
>> after that time - so I think most picked up on it quite right away,
>> and of course the security news articles and the like followed fairly
>> shortly thereafter.
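The practical question raised in the thread is "is the sudo on this box still
the vulnerable one?", and since the bug was reachable by anyone who could
merely execute the sudo binary, that is worth answering on every host, not
just the ones where people have sudo rights.  The script below is an added
example, not code from the sf-lug post, from Michael Paoli, or from the sudo
project.  It parses the version that `sudo --version` prints and compares it,
field by field, against a required version you pass in.  The required version
should come from your distribution's security advisory: upstream shipped the
fix in sudo 1.9.5p2, but distributions routinely backport fixes without
changing the upstream version string, so a host reporting, say, 1.8.31 can be
patched or unpatched depending on the package build, and the package version
(`dpkg -s sudo`, `rpm -q sudo`) is the authoritative thing to check against
the advisory.  Nothing here needs sudo rights; it is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the sf-lug post or the sudo project): check whether
# the sudo on a Linux host is at or above a version taken from your
# distribution's security advisory.  POSIX sh only; no sudo rights needed.

# Turn a sudo version such as "1.9.5p2" or "1.8.31" into four numeric fields:
#   "1.9.5p2" -> "1 9 5 2"      "1.8.31" -> "1 8 31 0"
sudo_version_fields() {
    v=$1
    case $v in
        *p*) ;;
        *)   v="${v}p0" ;;          # no patch level means p0
    esac
    old_ifs=$IFS
    IFS='.p'
    set -- $v                       # split on '.' and 'p'
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${4:-0}"
}

# sudo_version_ge INSTALLED REQUIRED : return 0 if INSTALLED >= REQUIRED
sudo_version_ge() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    # $1..$4 are the installed fields, $5..$8 the required ones.  Each shift
    # advances both tuples by one, so $1 vs $5 always compares like fields.
    while [ $# -gt 4 ]; do
        if   [ "$1" -gt "$5" ]; then return 0
        elif [ "$1" -lt "$5" ]; then return 1
        fi
        shift
    done
    return 0                        # all four fields equal
}

# Extract the version from `sudo --version` output, whose first line reads
# "Sudo version 1.8.31" (later lines describe the policy/I/O plugins).
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version //p'
}

# check_local_sudo REQUIRED : report on the running host.  REQUIRED is the
# version named by your distro's advisory; upstream's fixed release was
# 1.9.5p2, but backported distro packages keep older upstream strings, so a
# "VULNERABLE" verdict here means "verify against the package version".
check_local_sudo() {
    required=${1:?usage: check_local_sudo REQUIRED_VERSION}
    bin=$(command -v sudo) || { echo "sudo not installed"; return 2; }
    installed=$(sudo_version_from_banner "$("$bin" --version 2>/dev/null)")
    # The bug was reachable by anyone able to execute the binary; a
    # setuid-root sudo ("-rws...") is the normal, and therefore exposed, state.
    ls -l "$bin"
    echo "installed: ${installed:-unknown}  required: $required"
    if [ -n "$installed" ] && sudo_version_ge "$installed" "$required"; then
        echo "OK: sudo version string is at or above $required"
    else
        echo "VULNERABLE (by version string): check the package version and update"
        return 1
    fi
}

# Run stand-alone as:  sh check_sudo.sh 1.9.5p2
case "${1-}" in
    "") ;;
    *)  check_local_sudo "$1" ;;
esac
```

The field-by-field comparison matters because a plain string compare gets
"1.8.31" versus "1.8.9" wrong, and because sudo's "p" patch levels sit after
the third component (1.9.5p1 is older than 1.9.5p2 but newer than 1.9.5).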