XZ Utils and Talos Linux (CVE-2024-3094)

As you’ve probably heard, a sophisticated back door was discovered in the liblzma library that is part of XZ Utils. The back door is intended to allow a malicious actor to remotely execute code on a system via a special SSH public key.

Talos Linux is not vulnerable to this CVE and does not ship with xz installed. We do use the xz utilities in our build system, and out of an abundance of caution we have reverted to a non-compromised version.

The exploit requires several very specific conditions to be true for it to work, none of which apply to Talos Linux. The main ones are a system that:

  1. Has SSH enabled
  2. Uses systemd
  3. Uses glibc
  4. Is an RPM or DEB based distro
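The four preconditions above can be audited on any host. The script below is an added example written for this post (it is not Sidero Labs code): each classifier takes its evidence as text so it can be checked offline against constructed samples, and `gather_live` feeds it real output from the machine when the script is run with `--live`. The `ldd --version` strings it matches on ("GNU libc" and "musl") are assumptions about how the two C libraries identify themselves.

```shell
#!/bin/sh
# Precondition audit for the liblzma back door (CVE-2024-3094).
# Added example, not part of the original post. The exploit needs all four
# conditions from the post at once, so a single "no" is enough to rule it out.

# 1. Does sshd's dynamic library list mention liblzma (directly or via libsystemd)?
#    $1 = output of `ldd /path/to/sshd`
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma' && echo yes || echo no
}

# 2. Is systemd the init process?  $1 = contents of /proc/1/comm
init_is_systemd() {
    [ "$1" = "systemd" ] && echo yes || echo no
}

# 3. Which C library?  $1 = first line of `ldd --version`
#    (assumption: glibc prints "GNU libc", musl prints "musl")
libc_flavor() {
    case "$1" in
        *musl*)               echo musl ;;
        *"GNU libc"*|*glibc*) echo glibc ;;
        *)                    echo unknown ;;
    esac
}

# 4. Package format?  $1 = space-separated list of package tools found in PATH
package_format() {
    case " $1 " in
        *" dpkg "*) echo deb ;;
        *" rpm "*)  echo rpm ;;
        *)          echo none ;;
    esac
}

# Combine the four answers: "exposed" only when every precondition holds.
#   $1 sshd-links-liblzma  $2 libc  $3 init-is-systemd  $4 package-format
assess() {
    if [ "$1" = yes ] && [ "$2" = glibc ] && [ "$3" = yes ] \
        && { [ "$4" = deb ] || [ "$4" = rpm ]; }; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Collect evidence from the running host and print one line per check.
gather_live() {
    sshd_path=$(command -v sshd 2>/dev/null)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    ldd_out=""
    if [ -n "$sshd_path" ]; then
        ldd_out=$(ldd "$sshd_path" 2>/dev/null || true)
    fi
    libc_line=$(ldd --version 2>&1 | head -n 1 || true)
    init_comm=$(cat /proc/1/comm 2>/dev/null || true)
    tools=""
    for t in dpkg rpm; do
        command -v "$t" >/dev/null 2>&1 && tools="$tools $t"
    done

    links=$(sshd_links_liblzma "$ldd_out")
    libc=$(libc_flavor "$libc_line")
    init=$(init_is_systemd "$init_comm")
    pkg=$(package_format "$tools")
    echo "sshd present:        ${sshd_path:-no}"
    echo "sshd links liblzma:  $links"
    echo "init is systemd:     $init"
    echo "C library:           $libc"
    echo "package format:      $pkg"
    echo "verdict:             $(assess "$links" "$libc" "$init" "$pkg")"
}

[ "${1:-}" = "--live" ] && gather_live
```

Run it as `sh audit.sh --live`; a verdict of `exposed` means only that all four preconditions are present and the installed xz/liblzma version should be checked against your distribution's advisory, not that the host is compromised.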

Talos doesn’t have SSH

The exploit uses an authentication attempt against sshd with a specific RSA public key to trigger the remote code execution (RCE). Public key authentication is a standard way for SSH to authenticate users and is usually more secure than username and password authentication.

As this exploit shows, it’s still not perfect. Securing SSH authentication and securing how SSH interacts with the rest of the system are two different things. Even if all of your users use the most secure form of authentication, an exposed SSH server can still be vulnerable.

You can hide SSH in private networks and VPNs, but that still doesn’t eliminate the vulnerabilities.

Talos is not a general purpose Linux distribution. It works with Kubernetes and has an API with public key authentication. This is the same type of authentication that Kubernetes and much of the internet uses.

It is minimal and does not have any of the binaries that are often used for exploitation. There is no shell in Talos and you can’t run a reverse shell without a shell.

Talos doesn’t use Systemd

Talos doesn’t use systemd. This was a key part of the exploit in the CVE: lzma passed code to systemd, which would then run it at the highest privileges. systemd is a general purpose, complex and extremely powerful Linux init system.

With great power comes great responsibility. The more complex the system is the harder it is to validate the interactions between components. This is not systemd’s fault, this is just a fact of building highly customizable systems.

Talos has a much simpler init system because it’s not designed to be general purpose. It’s designed to run Kubernetes components. This reduced attack surface helps us focus on providing the best Kubernetes operating system available without bending a general purpose init system to fit our needs.

Talos uses musl

The exploit inspects the running system to verify it uses glibc for its C library and Linux API. Talos Linux uses musl libc for its Linux system call library and has been using it since 2018 with great success.

The operating system C interface does not limit what you run in your containers. If your applications are compiled with glibc they still run perfectly on top of Talos. Other popular Linux distributions such as Alpine also use musl to keep the system packaging and OS as small as possible.

Using musl has various benefits for us. The most important is the fact that you can call Talos “Linux” and it is not “GNU/Linux.”

Talos doesn’t have packages

As part of the exploit chain lzma would check if the operating system had a package manager using .deb or .rpm packages. This was specifically targeting Debian and Red Hat based distributions including Ubuntu and Amazon Linux.

Talos doesn’t have a package manager. All files on the system are built from source and copied to the file system at build time.

Talos provides system extensions, which are immutable file system layers combined with the base OS, but these are not general purpose packages. They cannot be changed after the system boots; instead they are composed into the immutable image, much like container image layers.

You can create composed, bootable artifacts with the image factory.

Conclusion

Talos Linux does more than just reduce patching toil. It takes a security first approach to Linux and eliminates entire classes of security vulnerabilities through its single purpose and minimal approach.

If you’re tired of patching come give Talos a try.
