On March 29th, it was reported that malicious code had been discovered in the widely used package XZ Utils, which is present in major Linux distributions. This code enabled unauthorized remote SSH access. The GitHub project that initially hosted this package is now suspended. Fortunately, the open-source software (OSS) community detected the malicious code quickly. It only affected the most recent versions of the package, 5.6.0 and 5.6.1, which were released within the past month. The stable versions of most Linux distributions were not impacted.
The malicious payload that came with the affected versions of XZ Utils was sophisticated. It ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server. This allowed specific remote attackers, who own a specific private key, to send arbitrary payloads through SSH. These payloads were executed before the authentication step, which effectively hijacked the entire victim machine.
This supply chain attack came as a shock to the OSS community because XZ Utils was considered a trusted and scrutinized project. The attacker built up a credible reputation as an OSS developer over the span of multiple years. They also used highly obfuscated code to evade detection by code reviews. Following our initial research communication, this post will detail the fundamentals and impact of this attack.
How can I completely inventory all assets in a multi-cloud or hybrid-cloud environment?
The Unified Security Posture Management (USPM) approach, in combination with the Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.
If you have not yet installed cnquery, follow our instructions. Once you've installed it, you can gather information about installed packages from a container image with our open-source query-packs.
cnquery scan container 28f36ff61e16 -f cnquery-packs/core/mondoo-linux-incident-response.mql.yaml -o yamlYou can also scan a remote target via ssh:
cnquery scan ssh user@192.169.1.1 -f cnquery-packs/core/mondoo-linux-incident-response.mql.yaml -o yamlHow can we guarantee to eliminate the possibility of any new installations that are vulnerable to the XZ vulnerability (CVE-2024-3094) ever reaching the production environment?
After patching all identified systems, validate that no new systems use affected versions of XZ with the policy added to cnspec.
Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.
You can also scan a remote target via ssh:
cnspec scan container 28f36ff61e16 -f cnspec-policies/core/mondoo-xz-vulnerability.mql.yaml
→ loaded configuration from /Users/atomic111/.config/mondoo/mondoo.yml using source default
→ using service account credentials
! Scanning with local bundles will switch into --incognito mode by default. Your results will not be sent upstream.
→ discover related assets for 1 asset(s)
28f36ff61e16 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: F
Asset: 28f36ff61e16
-------------------
Checks:
✕ Fail: Ensure no backdoored xz libs are installed
Scanned 1 asset
Debian GNU/Linux trixie/sid
F [0/100] 28f36ff61e16If you have a large infrastructure and need quick results, use our Mondoo platform to identify problem areas within minutes.
