Responding to Common Vulnerabilities and Exposures entry CVE-2024-3094

by Tarek Chalaan, on 06/05/2024 10:53:08 AM

Today we investigate CVE-2024-3094, a backdoor in the XZ Utils compression library discovered by developer Andres Freund while chasing abnormally slow SSH logins and unexplained sshd CPU usage. Had it gone undetected, the backdoored library would have reached the stable releases of major Linux distributions and given its author pre-authentication remote access to affected SSH servers worldwide. In this technical article we look at what the flaw is, what it implies for defenders, and the detection and mitigation measures prepared by the Security Centric SOC team in collaboration with Sumo Logic, our partner in this domain.

Image: Andres Freund's disclosure email to the oss-security mailing list at Openwall

What is CVE-2024-3094?  

Understanding the nature and scope of CVE-2024-3094 is essential to defending against it. Freund's findings uncovered not an accidental bug but a deliberately planted backdoor: malicious code inserted into the XZ Utils compression library (liblzma) in upstream releases 5.6.0 and 5.6.1, and from there into the Linux distributions that had packaged those versions. If triggered, the backdoor gives the attacker remote code execution as root on an affected SSH server before any authentication takes place, which means unauthorised access, data exfiltration or complete system compromise.

The malicious code is not visible in the xz source files themselves: it is carried in obfuscated test files and injected by the build scripts shipped in the release tarballs, so it ends up only in the compiled liblzma shared object. When that liblzma is loaded into an OpenSSH server process (on several distributions sshd is patched for systemd notification and therefore links libsystemd, which in turn links liblzma), the backdoor hooks the RSA public-key verification routine (RSA_public_decrypt) that sshd calls during key authentication. An attacker who connects with a crafted RSA public key carrying a command signed with their private key can have that command executed by sshd, as root, before authentication. The "hard-coded key" embedded in the backdoor is therefore the attacker's own verification key, not an SSH login credential: it ensures that nobody other than the holder of the matching private key can trigger the backdoor, which is also why no public exploit exists.

CVE Impact
  1. Remote Code Execution (RCE): an attacker holding the matching private key can execute arbitrary commands on the victim's SSH server as root, without authenticating.
  2. Widespread impact: XZ Utils and liblzma ship pre-installed on practically every Linux distribution, so the potential reach was enormous. The backdoored 5.6.0 and 5.6.1 releases, however, only reached rolling and pre-release distributions (for example Fedora Rawhide and the Fedora 40 beta, Debian testing and unstable, openSUSE Tumbleweed, Kali Linux and Arch Linux); stable releases shipped older versions. Note also that the sshd hook only applies where sshd links liblzma (typically through libsystemd), so a vulnerable xz package on a host does not by itself mean its sshd was exposed, although the package must still be rolled back.

Security Centric SOC Response

The Security Centric Security Operations Centre (SOC) is the frontline defence against cyber threats to our clients. The SOC team played a pivotal role in detecting and mitigating CVE-2024-3094 by applying the following measures:

1. Proactive Monitoring: using detection mechanisms such as Intrusion Detection Systems (IDS) and our Security Information and Event Management (SIEM) platform, SOC analysts continuously monitor network traffic and system logs for signs of exploitation attempts related to CVE-2024-3094. To enhance detection, the Security Centric SOC team deployed the following Sumo Logic Cloud SIEM (CSE) rule. It looks for post-compromise activity rather than for the backdoor itself: a shell spawned directly by sshd as root (the backdoor runs its payload through the C library's system() call, so the first child of the compromised sshd is "sh -c <command>" running as root), or an sshd process running as the sshd user. The rule is deliberately broad and not specific to this vulnerability, so expect to tune it: an ordinary interactive login also spawns a shell under sshd but as the logging-in user rather than root, and the privilege-separated sshd child normally runs as the sshd user, so check how your endpoint telemetry reports that child before alerting on the second clause.

metadata_product="*" and (
    (parentBaseImage="*/sshd" and commandLine IN ("bash -c*", "sh -c*") and user_username="root")
    or
    (parentBaseImage="*/sshd" and baseImage="*/sshd" and user_username="sshd")
)
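To show what the rule actually matches and what it lets through, here is its boolean logic re-expressed in Python and run over a handful of constructed process-creation events. This is an added example, not Sumo Logic's or Security Centric's code; the field names follow the rule, and the events are made up for illustration.

```python
"""Added example (not Sumo Logic's code): the CSE rule above as a Python predicate,
run over constructed process-creation events."""
from fnmatch import fnmatchcase

# Constructed sample events, not real telemetry. Field names follow the rule.
# metadata_product="*" in the rule matches any product, so it is not modelled here.
SAMPLE_EVENTS = [
    # 1: sshd spawning a root shell with "sh -c": what the backdoor's system() call looks like
    {"id": 1, "parentBaseImage": "/usr/sbin/sshd", "baseImage": "/usr/bin/sh",
     "commandLine": "sh -c 'id > /tmp/out'", "user_username": "root"},
    # 2: ordinary interactive login: sshd spawns the user's shell as that user
    {"id": 2, "parentBaseImage": "/usr/sbin/sshd", "baseImage": "/usr/bin/bash",
     "commandLine": "-bash", "user_username": "alice"},
    # 3: privilege-separated sshd child running as the sshd user (second clause)
    {"id": 3, "parentBaseImage": "/usr/sbin/sshd", "baseImage": "/usr/sbin/sshd",
     "commandLine": "sshd: [net]", "user_username": "sshd"},
    # 4: cron running a root shell: parent is not sshd, so no match
    {"id": 4, "parentBaseImage": "/usr/sbin/cron", "baseImage": "/usr/bin/bash",
     "commandLine": "bash -c /etc/cron.daily/logrotate", "user_username": "root"},
    # 5: root running "bash -c" inside an authenticated session: parent is the login shell
    {"id": 5, "parentBaseImage": "/usr/bin/bash", "baseImage": "/usr/bin/bash",
     "commandLine": "bash -c 'apt update'", "user_username": "root"},
]


def _glob(value, pattern):
    """CSE-style wildcard comparison: '*' matches any run of characters, case-sensitive."""
    return fnmatchcase(value or "", pattern)


def matches_rule(ev):
    """True when the event satisfies the rule's boolean expression."""
    parent_is_sshd = _glob(ev.get("parentBaseImage"), "*/sshd")
    root_shell_from_sshd = (
        parent_is_sshd
        and ev.get("user_username") == "root"
        and any(_glob(ev.get("commandLine"), p) for p in ("bash -c*", "sh -c*"))
    )
    sshd_as_sshd_user = (
        parent_is_sshd
        and _glob(ev.get("baseImage"), "*/sshd")
        and ev.get("user_username") == "sshd"
    )
    return bool(root_shell_from_sshd or sshd_as_sshd_user)


def run_detection(events):
    """Return the ids of the events that would raise a signal."""
    return [ev["id"] for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    print("signals:", run_detection(SAMPLE_EVENTS))
```

Events 1 and 3 raise a signal, events 2, 4 and 5 do not. Event 3 is the tuning point: it is what a normal privilege-separated sshd child looks like, so if your EDR records that child as a process, the second clause will fire on every connection and should be moved to a hunting query rather than an alert.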

 

2. Incident Response: when an incident is suspected, the SOC team initiates its incident response procedures immediately. To find hosts that already carry the backdoored library, the team deployed the YARA rule below through our scanners and through passive Sumo Logic network sensors. It matches a byte sequence from the prologue of a function in the injected code, the same pattern used by the detection script circulated with the original disclosure, so it identifies the backdoored liblzma regardless of what version string the package reports. Because the pattern is x86-64 machine code, it only matches x86-64 builds, and it should be run against the liblzma shared object on disk (the one ldd lists for sshd), not only against package metadata:

rule liblzma_vulnerability
{
    meta:
        description = "Function signature detection in liblzma used by sshd indicating any potential systems compromised"
        author = "SOC Team"
        reference = "YaraGen-CVE-2024-3094"

    strings:
        // Prologue of the injected function in the x86-64 build of the backdoored liblzma
        $signature = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 }

    condition:
        $signature
}

 

3. Vulnerability Management: collaboration between SOC personnel, system administrators and IT teams is essential to prioritising and remedying vulnerabilities. Effective patch management and vulnerability scanning processes strengthen an organisation's resilience against CVE-2024-3094 and similar threats. If you do not have an automated vulnerability management system in place, a blog post by Anton Ovrutsky, Senior Threat Research Engineer at Sumo Logic, offers a practical alternative: it explains how customers without existing vulnerability scanning appliances, or those who want an ad-hoc or second-opinion scan of sensitive hosts, can use Software Bill of Materials (SBOM) tooling to confirm whether vulnerable versions of XZ Utils are present.

Praveen John Kumar, APJ Regional Architect, Sumo Logic says “While there's information about exploitation, it's advised to identify and upgrade vulnerable versions promptly. The piece provides insights into using Software Bill of Materials (SBOM) tooling like Distro2Sbom to identify vulnerable versions of XZ Utils across environments. It outlines steps for installation and usage of the tool, as well as how to ingest SBOM JSON files into Sumo Logic for analysis. A query example is provided to identify vulnerable hosts, and actions like patching or adding hosts to Cloud SIEM for closer monitoring are discussed. The article concludes by highlighting the importance of this method for inventory management and leveraging Cloud SIEM features for enhanced security monitoring. References and further reading materials are also provided for additional context and resources.”

Please refer to the Sumo Logic blog post for full details (link: Here).

Image 1 - Extracting the host name from the SBOM source file name and displaying the results.

Image 2 - Example of Cloud SIEM First Seen rule

To quickly check whether a host is vulnerable, Security Centric also provides a simple script at github.com/SOC-SC/XZ-Response.

Proof of Concept (POC)

Once the script has been downloaded from the SOC's GitHub repository, simply execute the shell script sc.sh.

Image 3 – The script run on a Kali Linux host affected by CVE-2024-3094
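For readers who want to see what such a host check does under the hood, here is an added Python example in the same spirit (it is not Security Centric's sc.sh and not the script from the disclosure). It reports whether the installed xz is one of the two backdoored releases, locates the liblzma that sshd actually loads (via ldd, so the libsystemd dependency is followed), and scans that file for the same byte sequence as the YARA rule above. The bytes_contain_signature helper exists so the scanner can be exercised on in-memory samples; the chunked reader keeps an overlap so a signature straddling two reads is still found.

```python
"""Added example (not Security Centric's sc.sh): version check plus byte-signature
scan of the liblzma that sshd loads."""
import io
import re
import shutil
import subprocess

# The two upstream releases that carried the backdoor.
VULNERABLE_VERSIONS = {"5.6.0", "5.6.1"}

# Same bytes as the YARA $signature above: the prologue of the injected function
# in the x86-64 build of the backdoored liblzma.
SIGNATURE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)


def version_is_vulnerable(version_output):
    """True for the backdoored releases; accepts '5.6.1' or full 'xz --version' output."""
    m = re.search(r"\b(\d+\.\d+\.\d+)\b", version_output)
    return bool(m) and m.group(1) in VULNERABLE_VERSIONS


def stream_contains_signature(stream, chunk=1 << 20):
    """Scan a binary stream for SIGNATURE in chunks, keeping len(SIGNATURE)-1 bytes
    of overlap so a match that straddles two reads is not missed."""
    overlap = len(SIGNATURE) - 1
    tail = b""
    while True:
        block = stream.read(chunk)
        if not block:
            return False
        buf = tail + block
        if SIGNATURE in buf:
            return True
        tail = buf[-overlap:]


def bytes_contain_signature(data, chunk=1 << 20):
    """Convenience wrapper so the scanner can be exercised on in-memory samples."""
    return stream_contains_signature(io.BytesIO(data), chunk)


def file_contains_signature(path, chunk=1 << 20):
    with open(path, "rb") as f:
        return stream_contains_signature(f, chunk)


def liblzma_for_sshd(sshd=None):
    """Path of the liblzma sshd would load (directly or via libsystemd), or None.
    ldd resolves transitive dependencies, which is exactly what matters here."""
    sshd = sshd or shutil.which("sshd") or "/usr/sbin/sshd"
    try:
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:  # no ldd on this host
        return None
    m = re.search(r"liblzma\.so\S*\s*=>\s*(\S+)", out)
    return m.group(1) if m else None


def assess_host():
    """Run both checks on the local host. Either finding alone is enough to treat
    the host as affected; a clean signature scan with a vulnerable version still
    means the package must be rolled back."""
    findings = {}
    xz = shutil.which("xz")
    if xz:
        out = subprocess.run([xz, "--version"], capture_output=True, text=True, check=False).stdout
        findings["xz_version_vulnerable"] = version_is_vulnerable(out)
    lib = liblzma_for_sshd()
    if lib:
        findings["sshd_liblzma"] = lib
        findings["sshd_liblzma_has_signature"] = file_contains_signature(lib)
    return findings


if __name__ == "__main__":
    print(assess_host())
```

Run it as root on the host being checked (sshd usually lives in /usr/sbin, which is not on a normal user's PATH). ldd executes the dynamic loader against the binary you give it, which is acceptable for your own sshd but is not something to point at an untrusted file; for untrusted samples, scan the file bytes only.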

Mitigation

Mitigating CVE-2024-3094 requires a proactive approach, and organisations should take the following steps immediately:

  1. Update the XZ utility: the first line of defence is making sure that no system runs a backdoored version. If 5.6.0 or 5.6.1 is installed, revert to the last known-good 5.4.x package from your distribution (the version the distributions themselves rolled back to), then restart sshd or reboot so the old library is actually the one loaded, and follow your distribution's advisory for the rebuilt package. A host whose sshd linked the backdoored liblzma while reachable from untrusted networks should be treated as potentially compromised, not merely patched.
  2. Monitor system libraries: implement monitoring that detects anomalies or suspicious activity involving system libraries, particularly the implicated liblzma (unexpected changes to the file, or an sshd that loads it from an unusual path). Timely detection can be the difference between prevention and exploitation.
  3. Harden SSH configuration: as the backdoor is reached through sshd, reduce who can reach sshd at all. Restrict it to management networks or a bastion host rather than exposing it directly to the internet. Limiting access and minimising the attack surface significantly reduces the risk of exploitation.
  4. Implement access controls: restrict access to vulnerable systems and sensitive resources through robust access controls and least-privilege principles. Limiting access to authorised users and applications reduces the impact if a host is compromised.
  5. Conduct regular vulnerability scans: use automated scanning tools to assess systems regularly for vulnerabilities, including CVE-2024-3094, and patch what is found.
  6. Enhance logging and monitoring: implement comprehensive logging and monitoring, for example through Sumo Logic, to detect and respond to activity indicative of CVE-2024-3094 exploitation. Real-time monitoring of system logs and network traffic supports early detection and mitigation.
  7. Strengthen incident response procedures: test incident response procedures regularly. Establish a clear escalation path, communication protocols and containment measures to minimise the impact of potential incidents.

Conclusion

The emergence of CVE-2024-3094 raises concerns about the open-source software deployed in our environments, in particular about consuming open-source components without any security testing in the CI/CD pipeline. The absence of such processes can let vulnerabilities through. Note that in this case the malicious code was not in the project's public git repository but in the release tarballs' build scripts and binary test files, so source-level review alone would not have caught it; verifying that release artifacts match the tagged source is part of the answer. By embracing a proactive approach, such as code review and SAST, vulnerability scanning, penetration testing, security monitoring, threat hunting and incident response in collaboration with the Security Centric team, and by deploying resilient mitigation strategies, organisations can strengthen their defences and confidently navigate the ever-evolving threat landscape.


About the authors

Tarek Chaalan - Security Centric


SOC manager at Security Centric with a career in cyber security focused on safeguarding large corporate networks from sophisticated cyber threats. He has a deep background in software engineering, development, machine learning and cybersecurity. His work in threat intelligence elevated his previous employer to a prominent status in the APAC region and secured it a place in a major U.S.-based threat intelligence alliance. Tarek is now advancing his expertise as a first-year PhD student at the Internet Commerce Security Laboratory (ICSL) at Federation University, researching how to make machine learning models more robust against adversarial attacks. His latest paper, "The Path to Defense: A Roadmap to Characterizing Data Poisoning Attacks on Victim Models", was published in ACM Computing Surveys. Tarek presented at ICMCIS 2023, the NATO STO Science and Technology conference, on malware visualisation within deep learning frameworks.

Praveen John Kumar - Sumo Logic


A technologist and thought leader helping organisations with digital transformation, cyber security, AI/ML and observability. Both a big-picture thinker and an in-depth problem solver, with 16+ years of experience in technical sales engineering and consulting across direct and indirect channels.
Proven track record of success in leadership roles across partner and alliance management, solution sales and strategy, consulting, professional services, education, pre-sales and technical support. Deep understanding of the technology industry, strong communication and presentation skills, and the ability to build and maintain relationships with key stakeholders, think strategically and drive innovation. Designs and builds components of enterprise applications and provides consultative guidance for Asia's leading organisations, leading solution design and development and mentoring resources. Specialist in observability, cyber security and cloud technologies, Business Process Management (BPM), DevOps, continuous testing, continuous delivery, API management, Robotic Process Automation (RPA) and Artificial Intelligence (AI).

 
