Axon Rapid Response - CVE-2024-3094
Incident Report for Rapid Response Status Page
Resolved
01.04.2024 Updates:

Operating systems:
In addition to the operating systems listed in our last update, the following OS versions are also relevant to this CVE:

- Arch
  * installation medium 2024.03.01
  * virtual machine images 20240301.218094 and 20240315.221711
  * container images created between and including 2024-02-24 and 2024-03-28


Visibility:

In addition to the hunting queries provided as part of our latest update, we also created a visibility dashboard that can be used by your security teams to identify and track direct incoming network connections over the SSH protocol from external IP addresses (same logic as Hunting Query 1 from our previous update).
You can access this dashboard by navigating to Hunters Portal —> Data —> Visibility —> “XZ Utils - CVE-2024-3094 - Hosts with incoming SSH traffic from an external source (Last 7 Days)”


General Recommendations - Update:
As we mentioned in the previous update, some of the OS vendors published additional patching recommendations. Please be aware of those as well.



The team is still tracking the XZ CVE and will publish an update in case needed.
If you have any questions, please do not hesitate to reach out to us.

Sincerely,
Team Axon.
Posted Apr 01, 2024 - 15:24 UTC
Update
Team Axon evaluated the risk of the recently published supply chain attack related to XZ Utils (CVE-2024-3094). Here are some relevant insights, recommendations, and hunting queries.
Be aware that additional insights and findings related to this CVE might be identified in the future, hence, please keep tracking the Rapid Response updates.


General Important Insights

- Even though the details of this backdoor are not yet fully disclosed, one of the main aspects we recommend focusing on is the public interface of sshd (an SSH port open to the internet). Based on the details available so far, this backdoor can potentially allow RCE (Remote Code Execution) against any host that is reachable over the SSH protocol and runs an sshd that uses the vulnerable xz utils.

- macOS is not being widely discussed as potentially vulnerable to CVE-2024-3094 so far, probably because the malicious code contains checks that appear to target Linux specifically. However, there is still no certainty on this point. It is worth mentioning that the “homebrew” package manager already had versions 5.6.0 and 5.6.1 of “xz” available, which potentially led to the vulnerable versions being downloaded to macOS devices as well.



Recommendations

- Make sure you don’t have any publicly facing organizational assets that allow incoming SSH access (“sshd”).
- In case this kind of access is mandatory for specific organizational hosts, make sure to carefully monitor them for any suspicious activity, and of course make sure they don’t have the malicious “xz” versions installed.
- Pay careful attention to hosts that had/have the vulnerable version installed.
- For hosts on which the vulnerable version was installed, it is recommended to check for any sensitive information or sensitive keys/credentials on the relevant hosts.
- For hosts on which the vulnerable version was installed, it is recommended to rotate any credentials found on the relevant hosts.
- Currently, the affected “xz” versions are known to be 5.6.0 and 5.6.1. Hence, it is highly recommended to downgrade the xz versions available in your organization to a previous version to avoid using the vulnerable code (as recommended by CISA: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094).
- Some OS vendors have already published OS patches that seem to include the fix (e.g. a downgrade of xz utils). Patching using the dedicated vendor patch is of course also a valid way to address the same issue.
- macOS Homebrew also offered the vulnerable version of xz utils before reverting to an older version of “xz” as a result of the identified backdoor. Hence, it is recommended to make sure to downgrade vulnerable versions that were installed on operating systems not included in the OS versions list below.
- For now, we recommend avoiding any execution of the “xz” command when the “xz” version is not known before execution, since the full details of the malicious code are not yet disclosed, and there are potentially additional backdoor implementations.
- Track and take into consideration the recommendations of the specific OS vendors of the operating systems that had the malicious “xz” version installed.



Known Affected Versions

From the details we have so far, these are the vulnerable OS versions:

- Red Hat Fedora 41
- Red Hat Fedora Rawhide
- Red Hat Fedora 40 Beta
- Debian - 5.5.1alpha-0.1 (and potentially up to and including 5.6.1-1)
- Kali Linux - Installations updated between March 26th to March 29th
- OpenSUSE - Tumbleweed snapshot 20240328 and earlier versions
- Alpine - affected versions: 5.6.0, 5.6.0-r0, 5.6.0-r1, 5.6.1, 5.6.1-r0, 5.6.1-r1

Note: this list might not be the final one. Additional OS versions might be added in the future.
Note: macOS is not officially known to be vulnerable at the moment; however, as mentioned above, the “Homebrew” package manager included the vulnerable versions of “xz”, hence we recommend evaluating this risk as well.

Please also follow any additional recommendations from the official OS vendors themselves, which might include distribution-specific guidance.
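The recommendations above boil down to two checks: find out which xz/liblzma build a host actually has installed (in the distro version formats listed above, such as 5.6.1-1 or 5.6.0-r0) and avoid running an xz binary whose version is unknown. The script below is an added example, not part of the Team Axon advisory or its GitHub queries: it asks the package manager what it installed instead of executing xz, then flags the 5.6.0 and 5.6.1 upstream releases. The package-manager invocations (dpkg-query, rpm, pacman, brew) and package names are assumptions about the local tooling; adjust them for your distributions.

```python
"""Report installed xz / liblzma package versions and flag the known-bad
5.6.0 and 5.6.1 upstream releases, without executing the xz binary itself.
Added example; package-manager commands below are assumptions about local tooling.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Upstream xz releases that carry the CVE-2024-3094 backdoor.
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}

# Assumed query commands; each prints "<package> <version>" per line on stdout.
PKG_QUERIES = {
    "dpkg-query": ["dpkg-query", "-W", "-f=${Package} ${Version}\\n", "xz-utils", "liblzma5"],
    "rpm": ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\\n", "xz", "xz-libs"],
    "pacman": ["pacman", "-Q", "xz"],
    "brew": ["brew", "list", "--versions", "xz"],
}

# Optional epoch ("1:"), then the upstream x.y.z; distro suffixes (-1, -r0, .fc40) are ignored.
UPSTREAM_RE = re.compile(r"^(?:\d+:)?(\d+\.\d+\.\d+)")


def upstream_version(version: str) -> Optional[str]:
    """Strip epoch and distro release suffix: '1:5.6.1-1.fc40' -> '5.6.1'."""
    m = UPSTREAM_RE.match(version)
    return m.group(1) if m else None


def is_affected_version(version: str) -> bool:
    """True when the distro version string wraps upstream 5.6.0 or 5.6.1."""
    return upstream_version(version) in AFFECTED_UPSTREAM


def parse_pkg_output(text: str) -> Dict[str, List[str]]:
    """Turn '<name> <version> [<version> ...]' lines into {name: [versions]}.
    Lines whose second token is not a version (e.g. 'package xz is not installed') are skipped."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or upstream_version(tokens[1]) is None:
            continue
        result.setdefault(tokens[0], []).extend(tokens[1:])
    return result


def installed_xz_packages() -> Dict[str, List[str]]:
    """Run every package manager that exists on this host and merge the results."""
    found: Dict[str, List[str]] = {}
    for tool, argv in PKG_QUERIES.items():
        if shutil.which(tool) is None:
            continue
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
        found.update(parse_pkg_output(proc.stdout))
    return found


def affected_packages(packages: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(package, version) pairs that match an affected upstream release."""
    return [(name, v) for name, versions in packages.items()
            for v in versions if is_affected_version(v)]


if __name__ == "__main__":
    pkgs = installed_xz_packages()
    for name, versions in sorted(pkgs.items()):
        print(f"{name}: {' '.join(versions)}")
    bad = affected_packages(pkgs)
    print("AFFECTED xz packages:", bad) if bad else print("no affected xz versions found")
```

Because the comparison is done on the upstream x.y.z part only, a distribution that fixed the issue by shipping 5.6.1 with the backdoor patched out under the same version number would still be flagged here; treat a hit as a prompt to check the vendor's advisory for that package build, not as proof of compromise.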



Hunting Queries

Even though the full exploitation details are not yet available, exploitation over SSH connections from external IP addresses for potential RCE is our main concern at the moment.
Hence we created the following two queries:

- Query 1 - provides details regarding the hosts to which direct incoming SSH connections from external IP addresses were identified. This can be used to distinguish relevant systems to focus on as part of hunting and ongoing monitoring.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-3094%20-%20XZ%20Utils%20Backdoor/Query_1_Device_Details_of_Hosts_with_Incoming_SSH_Traffic_sshd.sql

- Query 2 - can be used as a follow-up step to the execution of “Query 1”, by specifying the EDR Agent ID as part of the query (replacing the relevant placeholder). The output will include the relevant EDR logs of SSH connection attempts that were identified on the specified host.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-3094%20-%20XZ%20Utils%20Backdoor/Query_2_Incoming_SSH_from_External_IP_for_Specific_Host.sql
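The logic behind Query 1 and Query 2 (first list the hosts that received SSH connections from external addresses, then drill into the events of one host) can be reproduced outside the Hunters platform against plain sshd syslog output. The script below is an added example and is not the SQL query linked above: the log lines are constructed for the illustration, and the definition of the internal address space (RFC 1918 plus loopback and link-local, IPv4 and IPv6) is an assumption that should be replaced with your own ranges.

```python
"""Flag hosts that received SSH connections from addresses outside the
organisation's internal ranges, using sshd syslog lines as input.
Added example; the internal ranges and the sample log are assumptions."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: internal space is RFC 1918 + loopback + link-local (v4 and v6).
# Note: Python's ip.is_global treats documentation ranges (203.0.113.0/24,
# 2001:db8::/32) as non-global, so an explicit list is used instead.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

# "Mar 30 02:14:07 web-01 sshd[1842]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Only messages of the form "... from <ip> port <n> ..." carry a peer address.
PEER_RE = re.compile(r"\bfrom\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+(?P<port>\d+)")


def is_external(ip_text: str) -> bool:
    """True when the address falls outside every internal network."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_sshd_line(line: str) -> Optional[dict]:
    """Parse one syslog line into an event dict, or None if it is not an sshd
    message with a peer address (e.g. 'Server listening on ...')."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    peer = PEER_RE.search(m["msg"])
    if not peer:
        return None
    try:
        external = is_external(peer["ip"])
    except ValueError:  # malformed address text
        return None
    return {"ts": m["ts"], "host": m["host"], "src_ip": peer["ip"],
            "src_port": int(peer["port"]), "msg": m["msg"], "external": external}


def hosts_with_external_ssh(lines) -> Dict[str, List[str]]:
    """Query-1 style summary: host -> sorted distinct external source IPs."""
    found = defaultdict(set)
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["external"]:
            found[ev["host"]].add(ev["src_ip"])
    return {host: sorted(ips) for host, ips in found.items()}


def external_events_for_host(lines, host: str) -> List[dict]:
    """Query-2 style drill-down: every external SSH event seen on one host."""
    return [ev for ev in map(parse_sshd_line, lines)
            if ev and ev["external"] and ev["host"] == host]


# Constructed sample log; addresses are from documentation ranges and private space.
SAMPLE_LOG = [
    "Mar 30 02:14:07 web-01 sshd[1842]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:AAAA",
    "Mar 30 02:14:09 web-01 sshd[1850]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2",
    "Mar 30 02:15:11 build-02 sshd[917]: Accepted password for ci from 10.20.30.40 port 55010 ssh2",
    "Mar 30 02:15:30 build-02 sshd[917]: Disconnected from user ci 10.20.30.40 port 55010",
    'Mar 30 02:16:02 bastion-01 sshd[2201]: Connection from 203.0.113.77 port 61000 on 192.0.2.10 port 22 rdomain ""',
    "Mar 30 02:16:05 db-01 sshd[3310]: Server listening on 0.0.0.0 port 22.",
    "Mar 30 02:17:40 web-01 sshd[1901]: Accepted publickey for ops from fe80::1 port 50000 ssh2",
    "Mar 30 02:18:00 bastion-01 sshd[2250]: Failed password for root from 2001:db8::10 port 44444 ssh2",
]

if __name__ == "__main__":
    for host, ips in sorted(hosts_with_external_ssh(SAMPLE_LOG).items()):
        print(f"{host}: external SSH sources {ips}")
    for ev in external_events_for_host(SAMPLE_LOG, "bastion-01"):
        print(f"  {ev['ts']} {ev['src_ip']}:{ev['src_port']} {ev['msg']}")
```

A host with a NAT gateway or load balancer in front of sshd will show the gateway's address rather than the real peer, so the internal-range list should reflect where the logs are collected; the point of the summary is to narrow the set of hosts to monitor, as the update describes, not to prove exploitation.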


Note: Please be aware that there might be additional exploitation methods that aren’t necessarily related to “sshd”, and haven’t been disclosed yet.


The team will notify you of any actionable new details. If you have any questions, please do not hesitate to reach out to us.

Sincerely,

Team Axon.
Posted Mar 31, 2024 - 17:01 UTC
Investigating
Dear customers,
Team Axon is aware of the recently published XZ utils vulnerability, CVE-2024-3094, and is investigating its impact and potential implications. At this moment, we are not aware of a wide exploitation of the vulnerability.

The team will release more technical information, alongside tools to detect potential compromise, later today. In addition, the team is proactively hunting on customers' environments to detect successful exploitations of the vulnerability and will directly alert the impacted customers.

Feel free to reach out to the team with any questions or concerns about the threat.
For more information please see the alert published by CISA - https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Thanks,
Team Axon
Posted Mar 31, 2024 - 07:52 UTC
This incident affected: Rapid Response.