As you’ve probably heard there was a sophisticated back door discovered as part of the liblzma decryption library. This back door is intended to allow a malicious actor to remotely execute code on a system via a special SSH public key.
Talos Linux is not vulnerable to this CVE, and does not ship with xz installed. We do use xz utilitiy in our build system, we have reverted back to a non-compromised version of xz utilities out of an abundance of caution.
The exploit requires some very specific attributes to be true for it to work, none of which apply to Talos Linux. The main required components are:
- Has SSH enabled
- Uses systemd
- Requires glibc
- An RPM or DEB based distro
Talos doesn’t have SSH
The exploit uses an authentication call to sshd with a specific RSA public key to trigger the remote code execution (RCE). This behavior is a standard way that SSH authenticates users and is usually more secure than username and password authentication.
As this exploit shows, it’s still not perfect. Securing SSH authentication and securing how SSH interacts inside the system are two different things. Even if all of your users use the most secure form of authentication an exposed SSH server can still be vulnerable.
You can hide SSH in private networks and VPNs, but that still doesn’t eliminate the vulnerabilities.
Talos is not a general purpose Linux distribution. It works with Kubernetes and has an API with public key authentication. This is the same type of authentication that Kubernetes and much of the internet uses.
It is minimal and does not have any of the binaries that are often used for exploitation. There is no shell in Talos and you can’t run a reverse shell without a shell.
Talos doesn’t use Systemd
Talos doesn’t use systemd. This was a key part to the exploit in the CVE as lzma passed code to be executed to systemd which would then run at the highest privileges. Systemd is a general purpose and complex Linux init system that is extremely powerful.
With great power comes great responsibility. The more complex the system is the harder it is to validate the interactions between components. This is not systemd’s fault, this is just a fact of building highly customizable systems.
Talos has a much simpler init system because it’s not designed to be general purpose. It’s designed to run Kubernetes components. This reduced attack surface helps us focus on providing the best Kubernetes operating system available without bending a general purpose init system to fit our needs.
Talos uses musl
The exploit inspects the running system to verify it uses glibc for it’s C library and Linux API. Talos Linux uses musl libc for it’s Linux system call library. It has been using musl since 2018 with great success.
The operating system C interface does not limit what you run in your containers. If your applications are compiled with glibc they still run perfectly on top of Talos. Other popular Linux distributions such as Alpine also use musl to keep the system packaging and OS as small as possible.
Using musl has various benefits for us. The most important is the fact that you can call Talos “Linux” and it is not “GNU/Linux.”
Talos doesn’t have packages
As part of the exploit chain lzma would check if the operating system had a package manager using .deb or .rpm packages. This was specifically targeting Debian and Red Hat based distributions including Ubuntu and Amazon Linux.
Talos doesn’t have a package manager. All files on the system are built from source and copied to the file system at build time.
Talos provides system extensions which are immutable file system layers that are combined with the base OS, but these are not general purpose packages. They cannot be change after system boot and instead are used as composable immutability like containers.
You can create composed, bootable artifacts with the image factory.
Conclusion
Talos Linux does more than just reduce patching toil. It takes a security first approach to Linux and eliminates entire classes of security vulnerabilities through it’s single purpose and minimal approach.
If you’re tired of patching come give Talos a try.