CVE-2024-3094: Managed Threat Hunting Queries en CORTEX

Investigadores de la Open Source Security Foundation han encontrado una puerta trasera (o backdoor) en XZ Utils, una herramienta de compresión ampliamente usada en las distribuciones hashtagLinux, incluyendo las de hashtagRedHat y hashtagDebian.

El código malicioso fue introducido en las versiones 5.6.0 y 5.6.1 de XZ Utils, pero no se tiene constancia de que se hayan incorporado a ninguna versión de las principales distribuciones. Sin embargo, es posible que esté presente en versiones de prueba o experimentales.

La situación podría haber sido extremadamente grave si tenemos en cuenta que Linux es un sistema ampliamente usado en los servidores de Internet.

Versiones afectadas y medidas de mitigación

Las principales distribuciones de Linux recomiendan volver a versiones anteriores a la inclusión de XZ Utils 5.6.0 y 5.6.1 o migrar a versiones actualizadas.

Recomendable consultar la página de notificación de su distribución específica para actualizaciones adicionales y orientación.

Distro Affected Version
Red Hat Fedora Linux 40 and Fedora Rawhide
Debian No Debian stable versions are known to be affected.

 

Compromised packages were part of the Debian testing, unstable and

experimental distributions, with versions ranging from 5.5.1alpha-0.1

(uploaded on 2024-02-01), up to and including 5.6.1-1.

Kali The impact of this vulnerability affected Kali between March 26-29. If you updated your Kali installation on or after March 26, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before March 26, you are not affected by this backdoor vulnerability.
OpenSUSE OpenSUSE Tumbleweed and OpenSUSE Micro OS between March 7th and March 28th 2024.
Alpine 5.6 versions prior to 5.6.1-r2 
Arch
  • Installation medium 2024.03.01
  • Virtual machine images 20240301.218094 and 20240315.221711
  • Container images created between and including 2024-02-24 and 2024-03-28

//This query searches for XZ Utils versions 5.6.0 or 5.6.1, requires the Host Insights module. config case_sensitive = false | preset = host_inventory_applications | filter (application_name contains "XZ-UTILS" AND version = "5.6.0") OR (application_name contains "XZ-UTILS" AND version = "5.6.1")

 

//This query aims to identify hosts running XZ Utils versions 5.6.0 or 5.6.1 that have received inbound SSH connections from external ip addresses, requires the Host Insights module.

 

config case_sensitive = false
| preset = host_inventory_applications
| filter (application_name contains «xz-util» AND version = «5.6.0») OR (application_name contains «xz-util» AND version = «5.6.1»)
| fields endpoint_name, application_name, version
| join type = left (
dataset = xdr_data 
| filter agent_os_type = ENUM.AGENT_OS_LINUX 
| filter event_type = ENUM.NETWORK
| filter actor_process_image_name in («ssh», «sshd»)
| filter action_remote_ip != null
| alter Ip_Address = action_remote_ip
| alter IP_Address_Private = if (incidr(Ip_Address, «10.0.0.0/8») = true, «TRUE»,
    if (incidr(Ip_Address, «127.0.0.0/8») = true, «TRUE»,
    if (incidr(Ip_Address, «169.254.0.0/16») = true, «TRUE»,
    if (incidr(Ip_Address, «172.16.0.0/12») = true, «TRUE»,
    if (incidr(Ip_Address, «192.168.0.0/16») = true, «TRUE», 
    if (incidr6(Ip_Address, «fe80::/64») = true, «TRUE»,
    if (incidr6(Ip_Address, «::/128») = true, «TRUE»,
    if (incidr6(Ip_Address, «::1/128») = true, «TRUE»,
    if (incidr6(Ip_Address, «fc00::/7») = true, «TRUE», «FALSE»)))))))))
| filter (IP_Address_Private != «TRUE»)
| fields agent_hostname, actor_process_image_name, Ip_Address
) as ssh_network ssh_network.agent_hostname = endpoint_name
|dedup endpoint_name

 

Fuente de las queries