blog に戻る

2024年04月01日 Anton Ovrutsky

Responding to CVE-2024-3094 - Supply chain compromise of XZ Utils

CVE-2024-3094


It seems as though responders cannot catch a break when it comes to 0-day vulnerabilities and supply chain compromise avenues. On March 29th, 2024, the Cybersecurity & Infrastructure Security Agency published an alert regarding a supply chain compromise of the XZ Utils package.

At time of writing, there is no information regarding exploitation of the vulnerability and follow-on post-compromise activity. However, it is still prudent and recommended to identify vulnerable versions of this package in your environment and upgrade as soon as possible.

Read on to learn how to accomplish this, and how the various features of Cloud SIEM can help security teams respond to this threat.

Identifying vulnerable XZ Utils versions

For customers who may not have a vulnerability scanning appliance in place or simply wish to perform an ad-hoc or secondary scan on sensitive hosts to confirm whether vulnerable versions of XZ utils exist, we can utilize Software Bill of Materials (SBOM) tooling.

One example of such tooling is Distro2Sbom. Let’s take a look at how this tool works and how it can work with Sumo Logic in order to find vulnerable XZ Utils across your environment.

We first need to install the tool with a simple PIP command:

pip install distro2sbom

We can then go ahead and issue the below command, to find and catalog XZ Util package versions:

distro2sbom --distro auto --package xz-utils --format json --output-file "$(hostname -s).json"

The output of this command will be a JSON file named after the host on which it was run – the JSON structure (visualized with JSONCrack) will look something like this:

JSON structure (visualized with JSONCrack)

We can see the packages JSON element which contains a list of packages that make up the XZ-Utils binary. Most critical for us, the JSON element also contains the relevant version information for the package.

the packages JSON element which contains a list of packages that make up the XZ-Utils binary

In addition to this information, we also get information regarding the relationships between the various packages for further advanced analysis.

Information regarding the relationships between the various packages for further advanced analysis

Now that we have our JSON files containing SBOM information, targeting the XZ-Utils package specifically, we can transfer these JSON files to a centralized host with the Sumo Logic Collector installed.

As a next step, we’ll be ingesting these JSON files into the Sumo Logic platform for further analysis.

Our collection configuration will look like this:

Collection configuration

Once we have the files ingested, we can look at the following query:

_sourceCategory="SBOM" 
| json "packages[*].name" as package_name nodrop
| json "packages[*].versionInfo" as version_info nodrop 
| where jsonArrayContains(package_name,"xz-utils") and (jsonArrayContains(version_info,"5.6.0") OR jsonArrayContains(version_info,"5.6.1"))
| extract field=_sourcename "(?<hostname>([^\/]+)\/?).json" multi
//| values(hostname) as vulnerable_hosts by package_name,version_info
| values(package_name) as packages,values(version_info) as versions by hostname

In this query, we are extracting the package and package version information from our SBOM JSON file and are matching when the version is 5.6.0 or 5.6.1 which are currently the only two versions flagged as being malicious/backdoored.

We then extract the host name information from the source file name and display the results:

extract the host name information from the source file name and display the results

At this point, we have now identified which hosts contain the vulnerable package and we can proceed to patch and update the host.

If patching and updating is not an option due to system criticality or other factors, we can go ahead and add a list of vulnerable hosts to Cloud SIEM where we can perform an array of powerful actions, including utilizing UBA rules and other functionality to more closely monitor these vulnerable hosts.

An example here would be to utilize a Cloud SIEM First Seen rule to look for first seen SSH connections via AWS VPC Flow logs to hosts that contain the vulnerable package, an example of this type of rule would look like:

Utilize a Cloud SIEM First Seen rule to look for first seen SSH connections via AWS VPC Flow logs  to hosts that contain the vulnerable package

Other platform features can be brought to bear to gain additional visibility into such vulnerable hosts as well, take a look at the link below for some examples:

Learn more about how to respond to remote service appliance vulnerabilities.

Now we know how to quickly gather a software bill of materials (SBOM) inventory from our fleet of hosts and analyze these data in the Sumo Logic platform.

This method prevents the need to execute the binary itself ( xv –version) to check the version information – a step that is obviously not ideal for a binary with a potential backdoor in it. It also prevents the need to parse output from various package managers. For users who are unable to patch their systems, you now have additional material that demonstrates some capabilities found in Cloud SIEM that can keep a closer eye on vulnerable systems.

References and further reading

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Anton Ovrutsky

Senior Threat Research Engineer

Anton Ovrutsky leverages his 10+ years of expertise and experience as a BSides Toronto speaker, C3X volunteer, and an OSCE, OSCP, CISSP, CSSP and KCNA certificate holder in his role at Sumo Logic's Threat Labs. He enjoys the defensive aspects of cybersecurity and loves logs and queries. When not diving into the details of security, he enjoys listening to music and cycling.

More posts by Anton Ovrutsky.

これを読んだ人も楽しんでいます