CVE-2024-3094: Using Axonius to Detect the Latest Supply Chain Compromise Affecting XZ Utilities

On March 29, 2024, The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert on a supply chain compromise of the XZ libraries. The compromise is identified as CVE-2024-3094. The malicious code embedded in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized remote access to the affected systems.

Impact and Recommendations

Red Hat assigned CVE-2024-3094 has given a CVSSv3 score of 10.0. Per the National Institute of Standards and Technology’s (NIST) description of the CVE-2024-3094, "malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."

This list of operating systems and distributions that have been reported to be affected by this vulnerability include 

• Fedora 41 and Fedora Rawhide
• Debian from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1
• Kali Linux - Kali installations updated between March 26th and March 29th 
• OpenSUSE - openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28th and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup
• Gentoo - versions 5.6.0 and higher

The following Linux distributions are confirmed to not be affected: Fedora Linux 40, Red Hat Enterprise Linux (RHEL), Amazon Linux, SUSE Linux Enterprise and Leap.

CISA recommended developers and users downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable), hunt for any malicious activity, and report any positive findings to CISA. 

How Can Customers Use Axonius to Detect the Compromise 

The Axonius Platform helps identify, prioritize, and remediate vulnerabilities across all the digital infrastructure, providing context that helps prioritize their importance based on asset criticality — helping expedite patching and remediation processes. 

To identify instances of CVE-2024-3094, Axonius customers can start with the Assets section of the platform. By using a device query customers can identify the affected devices in the following ways: 

AQL: 

("specific_data.data.software_cves.cve_id" == "CVE-2024-3094")

AQL:  

("specific_data.data.installed_software" == match([("name" == regex("^xz", "i")) and ("version" == regex("^(\d+(?:\.)?\d+(?:\.)?\d+)$", "i")) and (not ("version_raw" < '00000000500000006')) and (not ("version_raw" > '0000000050000000600000002'))]))

("specific_data.data.os.distribution_name_preferred" == regex("rawhide", "i")) or ("specific_data.data.os.distribution_preferred" == regex("^fedora 40", "i")) or ("specific_data.data.os.distribution_preferred" == regex("^fedora 41", "i")) or ("specific_data.data.os.distribution_preferred" == "debian") or ("specific_data.data.os.distribution_preferred" == regex("opensuse", "i")) or ("specific_data.data.os.distribution_preferred" == regex("kali", "i"))

Using Axonius Software Management Module to Identify CVE-2024-3094

For a more accurate understanding of your exposure to CVE-2024-3094, we can use Axonius Software Management. 

Axonius Software Management, a module within Axonius Cybersecurity Asset Management, helps IT and security teams gain extensive software visibility by delivering a comprehensive inventory of all installed software applications. Axonius Software Management correlates software titles to provide a firm asset count and identify potential exposure based on software data.

In this instance in particular, we can use the module to identify assets with affected versions.

To identify instances of CVE-2024-3094, we’re going to look for all installed XZ software and any versions older than 5.6.0 but no later than 5.6.2.

AQL: 

{"software":"(\"specific_data.data.installed_software\" == match([(\"name\" == regex(\"^xz\", \"i\")) and (\"version\" == regex(\"^(\\d+(?:\\.)?\\d+(?:\\.)?\\d+)$\", \"i\")) and (not (\"version_raw\" < '00000000500000006')) and (not (\"version_raw\" > '0000000050000000600000002'))]))","devices":""}

Researching Reported CVE with the Axonius Vulnerability Management Module

The Axonius Vulnerability Management Module addresses vulnerability management issues head on. It delivers automated visibility into cybersecurity vulnerabilities, and offers a holistic view of threats, allowing IT and security teams to identify vulnerabilities across entire fleets of devices, and prioritize and remediate vulnerabilities based on their urgency and importance.

Axonius customers can use the Vulnerability Management module to identify instances of CVE-2024-3094

AQL:

("specific_data.data.cve_id" == "CVE-2024-3094")

AQL:

{"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2024-3094\")","devices":""}

Using the module, customers can not only identify unique CVEs and the number of devices that are impacted by that particular threat but also get a better understanding of the overall risk exposure.

Automating Alerts with Axonius Findings

Axonius Findings supports all query and entity types - assets and system events. The Rules Manager allows customers to alert teammates, executives, other business units and collaborators, and more based on single query criteria thresholds, query comparison, or timeline comparisons. 

Axonius customers can set up alerts and leverage the Axonius Platform to help their remediation teams stay informed anytime new instances of affected versions are identified, and get notified via communication channels of their choice (E.g., e-mail, Slack, etc.).

For more documentation on using Axonius to find systems impacted by CVEs, visit docs.axonius.com.