____________________
Summary: The XZ Utils Data Compression Library has a vulnerability that impacts multiple Linux distributions. It is recommended to downgrade to an uncompromised version or migrate to updated releases.
Key Points:
* The vulnerability, CVE-2024-3094, has a critical severity level.
* The vulnerability is a result of a supply chain compromise in versions 5.6.0 and 5.6.1 of XZ Utils.
* Palo Alto Networks provides various product protections and updates to defend against this threat.
* Cortex XDR and XSIAM agents help protect against post-exploitation activities.
* Prisma Cloud has detection capabilities to prevent the launch of images with the vulnerability.
* Additional resources and support are available from Palo Alto Networks.
____________________
Executive Summary
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised people to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
The newly disclosed vulnerability has been assigned the following CVE:
CVE Number | Description | CVSS Severity |
CVE-2024-3094 | Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. | 10.0 Critical |
Palo Alto Networks customers are better protected from and can implement mitigations for CVE-2024-3094 in the following ways:
- Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.
- Prisma Cloud has out-of-the-box detection capabilities in place that will help prevent the launch of images with CVE-2024-3094.
- The Unit 42 Managed Threat Hunting team is monitoring attempted malicious activities against our customers. The XQL query shared in that section below can also be used by Cortex XDR customers to search for affected versions of XZ Utils.
- The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Table of Contents
Details of CVE-2024-3094
Affected Versions and Mitigation Actions
Conclusion
Unit 42 Managed Threat Hunting Queries
Palo Alto Networks Product Protections for the XZ Util Vulnerability
Cortex XDR and XSIAM
Prisma Cloud
Additional Resources
Details of CVE-2024-3094
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the latest versions of XZ tools and libraries. XZ Utils is data compression software included in major Linux distributions.
Versions 5.6.0 and 5.6.1 of the libraries contain malicious code that modifies functions during the liblzma build process. Liblzma is a data compression library.
This malicious code results in a compromised liblzma library, which may modify or intercept data from other applications that leverage the library. Under certain conditions this code may allow unauthorized access to affected systems.
A security researcher, Andres Freund, found the malicious code when he saw failing ssh logins using high CPU loads. When researching the cause of the high CPU utilization he then also noticed slower logins which led to further exploration and discovery of the vulnerability.
Affected Versions and Mitigation Actions
All major Linux distros recommend either reverting back to versions built prior to the inclusion of XZ Utils 5.6.0 and 5.6.1 or migrating to updated releases.
Please check the notification page for your specific distribution for additional updates and guidance.
Distro | Affected Version |
Red Hat | Fedora Linux 40 and Fedora Rawhide |
Debian | No Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. |
Kali | The impact of this vulnerability affected Kali between March 26-29. If you updated your Kali installation on or after March 26, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before March 26, you are not affected by this backdoor vulnerability. |
OpenSUSE | OpenSUSE Tumbleweed and OpenSUSE Micro OS between March 7th and March 28th 2024. |
Alpine | 5.6 versions prior to 5.6.1-r2 |
Arch |
|
Additionally, HomeBrew package manager is forcing downgrades to 5.4.6. They do not believe Homebrew’s builds were compromised but are taking this action as a precaution.
Amazon has stated that Amazon Linux customers are not affected by this issue, and no action is required.
Conclusion
Unit 42 will continue to monitor the situation and will update this post as more information becomes available.
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempted malicious activities across relevant Linux distributions used by our customers, using Cortex XDR and the XQL query below. Cortex XDR customers can also use this XQL query to search for affected versions of XZ Utils.
config case_sensitive = false
| preset = host_inventory_applications
| filter (application_name contains “XZ-UTILS” AND version = “5.6.0”) OR (application_name contains “XZ-UTILS” AND version = “5.6.1”)
//This query searches for XZ Utils versions 5.6.0 or 5.6.1, requires the Hosts Insight module. config case_sensitive = false | preset = host_inventory_applications | filter (application_name contains “XZ-UTILS” AND version = “5.6.0”) OR (application_name contains “XZ-UTILS” AND version = “5.6.1”) |
Palo Alto Networks Product Protections for the XZ Util Vulnerability
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America Toll-Free: 866.486.4842 (866.4.UNIT42)
- EMEA: +31.20.299.3130
- APAC: +65.6983.8730
- Japan: +81.50.1790.0200
Cortex XDR and XSIAM
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Prisma Cloud
Prisma Cloud has out-of-the-box detection capabilities in place that will help prevent the launch of images with CVE-2024-3094. Prisma Cloud’s agentless approach provides you with a comprehensive lifecycle overview from Code Repository to Cloud and simplified filter options that enable you to identify vulnerable hosts, high privilege access and potential exposure to the internet. Additionally, its defender component or pipeline integration offer real-time insights and protection capabilities, enabling you to prevent the launch of images with the CVE or detect and prevent anomalous behavior. Our researchers validated this capability relative to this CVE by committing a Dockerfile and then triggering a CI/CD pipeline to build and deploy the Docker image.
Additional Resources
Get updates from
Palo Alto
Networks!
Sign up to receive the latest news, cyber threat intelligence and research from us
Source: Original Post