Does the XZ Utils Backdoor (CVE-2024-3094) Put You At Risk?

Biran Franco
April 02 2024

A Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. How can you assess if this vulnerability puts your organization at risk?

What is CVE-2024-3094?

This is a critical vulnerability in the XZ Utils library (a command line tool for compressing and decompressing XZ files within Linux distros) that can serve as a backdoor, potentially granting unauthorized access through SSH authentication bypass and allowing remote code execution (RCE).

The vulnerability impacts Linux distributions that rely on versions 5.6.0 and 5.6.1 of XZ Utils for data compression, including Fedora 40/41, Rawhide, Arch Linux, Debian Sid, Alpine Edge, openSUSE Tumbleweed, and openSUSE MicroOS.

Users are urged to revert to secure versions, like XZ Utils 5.4.6 Stable, and to conduct a thorough assessment to identify potential compromises. 

How can I assess my exposure to CVE-2024-3094?

In order to assess exposure to the CVE-2024-3094 vulnerability, and the risk it poses to your business operations, you need to find out:

  • Are there any vulnerable Linux servers in my environment?
    • To answer this I need to get information from my vulnerability scanners
  • What is the exploitability of this vulnerability?
    • To answer this I’ll go to NIST - As I’m writing the blog, there are no observed instances of exploitation involving this backdoor code. However, this can change.
  • Are these servers internet facing?
    • To answer this I need to use Shodan or similar tools
  • Are they protected by an EDR solution? Is it up-to-date?
    • I will need to confirm with my EDR solution
  • Do these servers host any sensitive data?
    • To answer this I’ll confirm with my DLP solution
  • Are these servers business critical? Which business processes are dependent on them?
    • I will need to find out if they are running business critical applications or services

Depending on the scope of my environment, this can be a daunting task. I will need to:

  1. Access each of these solutions - assuming I have that access. If not, I need to request access or find someone who has it.
  2. Run the relevant query to get the information I need - assuming I know how to run that query. If I don’t, I might need to get help from someone.
  3. Consolidate the answers with previous query results - I will probably do this by the Linux server identifier, but each system might use a different identifier. For example, in one system it could be the MAC address, and in others the hostname. Matching the results can take a while.
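To make step 3 concrete, here is an added example (not part of the original post and not Cyclops code) that joins a scanner export keyed by hostname with an EDR export keyed by MAC address through an asset inventory, then ranks the hosts running XZ Utils 5.6.0 or 5.6.1. All records, field names and score weights are constructed assumptions; the `+really` handling follows the Debian convention for a package that was reverted to an older upstream release.

```python
import re

AFFECTED = {"5.6.0", "5.6.1"}  # versions named in the article
# Constructed sample exports; each tool keys assets by a different identifier.
SCANNER = [  # vulnerability scanner: hostname + installed xz package version
    {"host": "WEB-01.corp.example", "xz": "5.6.1-1"},
    {"host": "db-02", "xz": "5.4.6-1"},
    {"host": "build-03.corp.example", "xz": "5.6.0-2"},
    {"host": "ci-04", "xz": "5.6.1+really5.4.5-1"},  # reverted package
]
EDR = [  # EDR console: MAC address + whether the agent is up to date
    {"mac": "00-1A-2B-3C-4D-01", "agent_current": True},
    {"mac": "001a.2b3c.4d03", "agent_current": False},
]
CMDB = [  # asset inventory: the only source that holds both identifiers
    {"hostname": "web-01", "mac": "00:1a:2b:3c:4d:01", "internet_facing": True, "critical": True},
    {"hostname": "db-02", "mac": "00:1a:2b:3c:4d:02", "internet_facing": False, "critical": True},
    {"hostname": "build-03", "mac": "00:1a:2b:3c:4d:03", "internet_facing": False, "critical": False},
]

def norm_host(name):
    """Lower-case short hostname, so 'WEB-01.corp.example' matches 'web-01'."""
    return name.strip().lower().split(".")[0]

def norm_mac(mac):
    """Strip separators and case so every MAC notation compares equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def upstream_version(v):
    """'1:5.6.1-1' -> '5.6.1'; '5.6.1+really5.4.5-1' -> '5.4.5'."""
    m = re.search(r"\+really(\d+\.\d+\.\d+)", v) or re.match(r"(?:\d+:)?(\d+\.\d+\.\d+)", v)
    return m.group(1) if m else None

def assess():
    edr_by_mac = {norm_mac(e["mac"]): e for e in EDR}
    cmdb_by_host = {norm_host(c["hostname"]): c for c in CMDB}
    findings = []
    for row in SCANNER:
        if upstream_version(row["xz"]) not in AFFECTED:
            continue
        host = norm_host(row["host"])
        asset = cmdb_by_host.get(host, {})
        edr = edr_by_mac.get(norm_mac(asset.get("mac", "")))
        protected = bool(edr and edr["agent_current"])  # no EDR record = unprotected
        # Assumed weights: internet exposure counts double.
        score = 2 * asset.get("internet_facing", False) + (not protected) + asset.get("critical", False)
        findings.append({"host": host, "protected": protected, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))
```

Calling `assess()` on the sample data returns `web-01` first (score 3) and `build-03` second (score 1), while `db-02` and the reverted `ci-04` package are not flagged.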

It can take days or even weeks to get the list of vulnerable servers...

Are you able to wait days or even weeks to receive answers? Remember, this is a critical RCE vulnerability. As I’m writing this blog, we haven’t seen any instances of exploitation involving this backdoor code - but that can change. Can you afford to take this risk?

 

Assessing Risk with Cyclops AI-Powered Risk Management Platform

The Cyclops platform continuously gathers cybersecurity data from the existing cybersecurity and IT technology stack of the organization and utilizes AI to quickly normalize, correlate, deduplicate and enrich the data with much needed context. The result is a comprehensive data fabric that enables further analysis and provides valuable insights regarding the current risk exposure. 

The Cyclops search engine enables users to submit any question, including complex questions, and get answers within seconds. For example, if I want to know if my organization is exposed to CVE-2024-3094, all I need to do is ask - “Which of our production Linux servers are running a vulnerable version of XZ Utils?” and the platform will provide the answer within seconds:

Submit the question in the search window… and get the answers in seconds!

You can see in the answer that the data was gathered from multiple sources - in this case SentinelOne, Automox and Netskope.

I can see in the answers which of these servers is used in production, the deployment type, the department it belongs to and more. I can also dive deeper to find out about related entities, users, other vulnerabilities, and more.

Cyclops customers can use the pre-built query in CyclopsIQ recommended queries to search for vulnerable instances in their environments.

Taking the Next Steps

Now that we know which servers are at risk, Cyclops can apply an automation workflow to open a ticket with recommended next steps:

  • Follow CISA guidance to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0) 
  • Hunt for any malicious or suspicious activity on systems where affected versions have been installed

Conclusion

The Cyclops AI-Powered Risk Management Platform allows security teams to quickly answer their most complex security questions in order to identify exposures that can put the organization at risk, and proactively mitigate them.  

It eliminates the need for security practitioners to gain access to various solutions, develop the required expertise in each solution, and process all the various data points manually - a daunting process that can take days or even weeks. Instead, it enables them to submit queries in free text, and uses an LLM to translate them into the relevant queries and provide accurate answers within seconds.

Automation workflows can be further applied to implement the next steps.

This empowers security teams to respond faster than ever to emerging threats, and protect their organizations more effectively than ever before.
