#cve_2024_3094

2024-04-22

Elastic on CVE-2024-3094 🔗 discuss.elastic.co/t/elastic-s

On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.

#CVE_2024_3094 #xz #xzbackdoor #supplychainattack

2024-04-12

Kaspersky provides a timeline of events leading to the discovery of the backdoor in the XZ Utils data compression library, which is included in Linux distributions. They offer an analysis of Stage 1 (the modified build-to-host script), Stage 2 (injected shell script) and Stage 3 (backdoor extraction). Kaspersky also provides backdoor code analysis and an explanation of the system checks and structure. IOCs and YARA rules are provided. 🔗 securelist.com/xz-backdoor-sto

cc: @shellsharks

#CVE_2024_3094 #xz #xzbackdoor #supplychainattack

2024-04-11

Phylum warns that the distribution v0.3.2 for liblzma hosted on crates.io contained test files for XZ which contain the backdoor. While affected versions of the liblzma and liblzma-sys crates were yanked from crates.io, the crates were downloaded over 5,000 times. 🔗 blog.phylum.io/rust-crate-ship cc: @shellsharks

#xz #XZbackdoor #cve_2024_3094 #supplychainattack

2024-04-10

SentinelOne has a technical breakdown of the XZ backdoor: initial setup, stage 1 payload (system checks and extraction) and stage 2 payload (injecting the backdoor). They provide an analysis of the attack execution, and briefly touch on attribution. IOCs are included. 🔗 sentinelone.com/blog/xz-utils-

#xz #CVE_2024_3094 #supplychainattack #xzbackdoor #threatintel #IOC

2024-04-08

Uptycs posts a comprehensive guide on the XZ Utils vulnerability CVE-2024-3094. This is the first guide I've seen with SHA256 hashes. 🔗 uptycs.com/blog/xz-utils-backd

#xz #cve_2024_3094 #supplychainattack

2024-04-04

reflections on distrusting xz

"Was the ssh backdoor the only goal that 'Jia Tan' was pursuing with their multi-year operation against xz?

I doubt it, and if not, then every fix so far has been incomplete, because everything is still running code written by that entity."
joeyh.name/blog/entry/reflecti
#xz #XzBackdoor #xzorcist #cve_2024_3094

2024-04-03

New York Times: "Did One Guy Just Stop a Huge Cyberattack?" See how a Microsoft engineer gained instant stardom using this one weird trick! (only because ssh was running 500ms slower) 🔗 nytimes.com/2024/04/03/technol
Congratulations on your newfound fame (and thank you, sincerely) @AndresFreundTec

#xz #CVE_2024_3094 #supplychainattack

2024-04-02

The CEO of Phylum talks about the background of the XZ compromise and backdoor, and the challenges of open source software supply chain security. 🔗 blog.phylum.io/xz-liblzma-back

#cve_2024_3094 #xz #supplychainattack

Taggart (mttaggart@infosec.town)
2024-04-02

One thing I haven't seen stated explicitly about #CVE_2024_3094: The engineer who found this is a Microsoft employee. Does that mean Microsoft runs the vulnerable configuration? Given that it isn't that common, could we reasonably deduce that Microsoft was a target?

Update: No; I'm just slow.

I misunderstood the nature of the systemd-ssh injection, which would have impacted any distro using systemd and sshd.

2024-04-02

Microsoft Tech Community has a Frequently Asked Questions and guidance post for the XZ Utils backdoor (CVE-2024-3094). They provide guidance on using Microsoft products to assess exposure to CVE-2024-3094, e.g. Microsoft Defender Vulnerability Management, Defender for Cloud and advanced hunting queries. 🔗 techcommunity.microsoft.com/t5

#CVE_2024_3094 #xz #supplychainattack

2024-04-02

Akamai also has a resource guide for xz and CVE-2024-3094. Mitigation actions would be to downgrade to an uncompromised version, such as XZ Utils 5.4.6 Stable. Detection queries are provided. 🔗 akamai.com/blog/security-resea

#CVE_2024_3094 #xz #supplychainattack

2024-04-02

Regarding xz and CVE-2024-3094, Tenable has a list of affected Linux distributions updated 01 April 2024: 🔗 tenable.com/blog/frequently-as

  • Fedora Rawhide
  • Fedora 40 Beta (All Fedora 40 beta users are encouraged to revert to 5.4.x versions of XZ.)
  • Fedora 41
  • Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1
  • openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and March 28)
  • Kali Linux (between March 26 and March 28)
  • Arch Linux
    • installation medium 2024.03.01
    • virtual machine images 20240301.218094 and 20240315.221711
    • container images created between and including 2024-02-24 and 2024-03-28

#CVE_2024_3094 #xz #Linux #supplychainattack

2024-04-02

Zscaler's security alert on CVE-2024-3094 was more comprehensive than I expected. They provide background information on xz, affected versions, technical details, and recommendations/detection: 🔗 zscaler.com/blogs/security-res

#cve_2024_3094 #xz #supplychainattack

2024-04-01

Palo Alto Networks has determined that none of their products are affected by CVE-2024-3094 (10.0 critical, disclosed 29 March 2024 as malicious code in xz utils). 🔗 security.paloaltonetworks.com/

#CVE_2024_3094 #xz #supplychainattack

2024-04-01

Aqua includes their own security alert on CVE-2024-3094: Newly Discovered Backdoor in XZ tools. They also link the timeline provided by Evan Boehs. 🔗 aquasec.com/blog/cve-2024-3094

#CVE_2024_3094 #xz #supplychainattack

2024-04-01

@bojanz of SANS ISC highlights portions of the xz backdoor: strings are all obfuscated, anti-debugging checks, and collection of valid usernames and IP addresses. 🔗 isc.sans.edu/diary/rss/30802

#cve_2024_3094 #xz #supplychainattack #threatintel

2024-04-01

Rapid7 provides a security alert on Backdoored XZ Utils (CVE-2024-3094), identifying which distributions are affected and which are not. 🔗 rapid7.com/blog/post/2024/04/0

#CVE_2024_3094 #xz #supplychainattack

deciodecio (deciodecio@infosec.exchange)
2024-04-01

Nice! Reverse engineering of the backdoor in libxzma by @amlw 🙏
Replacing the encryption key and a demo of how it works.

Bonus: Honeypot 🔥
👇
github.com/amlweems/xzbot

#CVE_2024_3094

Taggart (mttaggart@infosec.town)
2024-04-01

Here's an exploit demo (yes, really) for the xz backdoor:

github.com/amlweems/xzbot

#CVE_2024_3094
