I am so sick and tired of crap security news about Android and Linux. In the latest example, GoSecure claims it's discovered Chaos: a Stolen Backdoor Rising Again. Yeah. Right. Let's look closer.
First, we have a neat name. Can't have a security bug these days without giving it a sexy name. But, what is it really?
Well, it requires the attacker to break into the target system by “brute-forcing SSH credentials.” Wait. What? To get this you need someone to log in to your server!?
I've got news for you. If you let someone log in to your system because you used a wimpy password, you're already hosed. But, wait! There's more!
Once your system has already been spread wide open because of your security incompetence, Chaos opens TCP port 8338. Once more, and with feeling, what the heck?
The only popular uses for port 8338 are for iTunes Radio and QuickStream. What is your server doing on a network that leaves those open? If you were running a Mac server -- spoiler alert, Apple's killing the macOS Server -- I could see having those open. But on a network with Linux servers or desktops? I don't think so.
Next, “Chaos opens a raw TCP socket which checks if incoming packets contain a specific incoming string.” Come on. To open a raw TCP socket in Linux you need to be the root user. So, for this exploit to work, not only must you be fool enough to use a weak SSH password, you also had to use a weak root password.
Attacking via raw sockets is a technique as old as the hills. A quick glance finds that Windows XP could be compromised by it back in 2001. Sysadmins and developers know darn well how dangerous raw sockets are, so when a way for ordinary users to create them is found -- as it was by Google's Project Zero recently -- the raw socket bugs are stomped out with extreme prejudice.
Getting the picture? To get a case of Chaos, you have to be asking for your system to be compromised.
It also turns out that this is an old exploit. GoSecure reports, “This backdoor first appeared in 2013 as part of the ‘sebd’ rootkit.” So, after five years in the wild how many victims has Chaos claimed? GoSecure states: “The number of compromised systems turned out to be quite low, below the 150 mark.”
So, maybe there aren't that many idiotic sysadmins after all.
All credit for GoSecure documenting this particular exploit, but the real moral of the story isn't that there's a bad new Linux security problem. There's not. It's that, for the millionth time, if you lock your systems down with good passwords, you can avoid a lot of really stupid security problems.
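To make that moral concrete, here is an added defender-side check (my own example, not code from the article or from GoSecure's report): it audits a constructed `sshd_config` excerpt for the two settings that make the brute-force entry point possible, and probes whether the current user can even create the raw TCP socket the backdoor's listener needs, which on Linux takes root or CAP_NET_RAW. The `WEAK_SSHD_CONFIG` sample and the `EXPECTED` values are my assumptions, not anything the article specifies.

```python
import re
import socket

# Constructed sshd_config excerpt (not from the article) showing the weak
# settings that leave SSH open to the password brute-forcing described above.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Real OpenSSH keywords and the values a locked-down host should carry
# (assumed policy: key-only logins, no direct root login).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def audit_sshd_config(text):
    """Return a list of findings for expected keywords that are missing or weak."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" or "Key=value"
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    for key, want in EXPECTED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly; relying on the build's default")
        elif got != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    return findings


def can_open_raw_socket():
    """True if this process may create a raw TCP socket (root or CAP_NET_RAW on Linux)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:  # PermissionError for an unprivileged user
        return False
    s.close()
    return True


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("finding:", finding)
    print("raw socket allowed for this user:", can_open_raw_socket())
```

Run it as an ordinary user and the raw-socket probe should report `False`; run the audit against your real `/etc/ssh/sshd_config` to see whether the password-login door is still open.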