How to Find the Backdoored XZ Package at Scale

Find the XZ critical vulnerability CVE-2024-3094 in your environment at scale with Mondoo's open source tools, cnquery and cnspec. With cnquery's cloud-native asset inventory capabilities, you can detect every instance of the vulnerability across your entire infrastructure. Apply the patch to all affected assets, then use cnspec to ensure that no installation with this vulnerability ever goes to production again.

On March 29th, it was reported that malicious code had been discovered in the widely used package XZ Utils, which is present in major Linux distributions. This code enabled unauthorized remote SSH access. The GitHub project that initially hosted this package is now suspended. Fortunately, the open-source software (OSS) community detected the malicious code quickly. It only affected the most recent versions of the package, 5.6.0 and 5.6.1, which were released within the past month. The stable versions of most Linux distributions were not impacted.

The malicious payload that came with the affected versions of XZ Utils was sophisticated. It ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server. This allowed specific remote attackers, who own a specific private key, to send arbitrary payloads through SSH. These payloads were executed before the authentication step, which effectively hijacked the entire victim machine.

This supply chain attack came as a shock to the OSS community because XZ Utils was considered a trusted and scrutinized project. The attacker built up a credible reputation as an OSS developer over the span of multiple years. They also used highly obfuscated code to evade detection by code reviews. Following our initial research communication, this post will detail the fundamentals and impact of this attack.

How can I completely inventory all assets in a multi-cloud or hybrid-cloud environment?

The Unified Security Posture Management (USPM) approach, in combination with Mondoo's GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.

If you have not yet installed cnquery, follow our installation instructions. Once you've installed it, you can gather information about installed packages from a container image with our open-source query packs:

cnquery scan container 28f36ff61e16 -f cnquery-packs/core/mondoo-linux-incident-response.mql.yaml -o yaml

You can also scan a remote target via ssh:

cnquery scan ssh user@ -f cnquery-packs/core/mondoo-linux-incident-response.mql.yaml -o yaml

How can we guarantee to eliminate the possibility of any new installations that are vulnerable to the XZ vulnerability (CVE-2024-3094) ever reaching the production environment?

After patching all identified systems, validate that no new systems use affected versions of XZ with the policy added to cnspec.

Monitor your infrastructure for security misconfigurations and map those checks automatically to top compliance frameworks.

For example, to scan a container image with the XZ policy:

cnspec scan container 28f36ff61e16 -f cnspec-policies/core/mondoo-xz-vulnerability.mql.yaml
→ loaded configuration from /Users/atomic111/.config/mondoo/mondoo.yml using source default
→ using service account credentials
! Scanning with local bundles will switch into --incognito mode by default. Your results will not be sent upstream.
→ discover related assets for 1 asset(s)
 28f36ff61e16 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: F
Asset: 28f36ff61e16

✕ Fail:         Ensure no backdoored xz libs are installed

Scanned 1 asset
Debian GNU/Linux trixie/sid
    F [0/100]   28f36ff61e16
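The inventory and policy steps above both reduce to the same check: is the installed xz-utils/liblzma package one of the backdoored upstream releases, 5.6.0 or 5.6.1? The following added example (my own code, not Mondoo's query pack or policy) implements that check in Python over a plain "name version" package listing, such as the output of dpkg-query or rpm, so you can see the logic the check needs. The package-name list and the sample inventory are constructed for the example. It deliberately handles Debian's "+really" downgrade convention, where a package version such as 5.6.1+really5.4.5-1 still carries the higher number but actually contains upstream 5.4.5; a naive substring match for "5.6.1" would wrongly flag that as backdoored.

```python
from __future__ import annotations

import re
from typing import Iterable

# Upstream release versions that shipped the backdoor (CVE-2024-3094).
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}

# Package names used for XZ Utils / liblzma on common distributions.
# Constructed list for this example; extend it for your own distribution mix.
XZ_PACKAGE_NAMES = {"xz-utils", "liblzma5", "xz", "xz-libs", "liblzma", "xz-lzma-compat"}


def upstream_version(pkg_version: str) -> str:
    """Reduce a distro package version to the upstream release it contains.

    Handles:
      - a Debian epoch prefix   ("1:5.6.1-1"           -> "5.6.1")
      - a distro revision       ("5.6.0-1.fc40"        -> "5.6.0")
      - Debian's "+really" convention for a downgrade that keeps a higher
        version number            ("5.6.1+really5.4.5-1" -> "5.4.5")
    """
    v = pkg_version.split(":", 1)[-1]      # drop the epoch, if any
    v = v.rsplit("-", 1)[0]                # drop the distro revision, if any
    if "+really" in v:                     # the real upstream version follows "+really"
        v = v.split("+really", 1)[1]
    m = re.match(r"\d+(?:\.\d+)*", v)      # keep only the leading dotted number
    return m.group(0) if m else v


def is_backdoored(name: str, version: str) -> bool:
    """True if this package is an xz/liblzma package at an affected upstream version."""
    base = name.split(":", 1)[0]           # dpkg may print "liblzma5:amd64"
    return base in XZ_PACKAGE_NAMES and upstream_version(version) in AFFECTED_UPSTREAM


def scan_inventory(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (name, version) for every affected package in a 'name version' listing.

    Suitable input comes from, for example:
      dpkg-query -W -f='${Package} ${Version}\n'
      rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                       # skip blank or malformed lines
        name, version = parts
        if is_backdoored(name, version):
            hits.append((name, version))
    return hits


# Constructed sample inventory: two affected packages, one "+really" downgrade,
# and unrelated packages that must not be flagged.
SAMPLE_INVENTORY = """\
liblzma5 5.6.1-1
xz-utils 5.6.1+really5.4.5-1
openssh-server 1:9.7p1-2
xz-libs 5.6.0-1.fc40
bash 5.2.21-2
"""

if __name__ == "__main__":
    findings = scan_inventory(SAMPLE_INVENTORY.splitlines())
    for name, version in findings:
        print(f"AFFECTED: {name} {version} (upstream {upstream_version(version)})")
    print("clean" if not findings else f"{len(findings)} affected package(s)")
```

Run against the sample, the script flags liblzma5 5.6.1-1 and xz-libs 5.6.0-1.fc40 and leaves the 5.6.1+really5.4.5-1 downgrade alone. Pipe a real dpkg-query or rpm listing into `scan_inventory` to apply the same logic to a host; at scale, the MQL policy shown above does this work for you across all assets.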

If you have a large infrastructure and need quick results, use our Mondoo platform to identify problem areas within minutes.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
