topic CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)] in General Topics

CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Blason_R — Sat, 30 Mar 2024 06:50:06 GMT

Hi All,

There has been a disclosure of a significant vulnerability in the Linux liblzma library a few hours back. Due to its widespread use across various Linux distributions. With a CVSS Score of 10, this vulnerability is considered highly critical.

At least I performed quick scan through firewall appliances for version R81, 81.10 and 81.20 and it seems xz version 5.2.5 which is not vulnerable.

command to run and find out the version is from expert mode

#xz -V

Here are few references:

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

https://access.redhat.com/security/cve/CVE-2024-3094

https://www.thestack.technology/malicious-linux-backdoor-cvss-10-cve-2024-3094/

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://www.gamingonlinux.com/2024/03/xz-tools-and-libraries-compromised-with-a-critical-issue/

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Sat, 30 Mar 2024 13:30:53 GMT

I see my IPS is updated in the lab, but that CVE does not show anywhwre within IPS protections.

[Expert@cpazurecluster1:0]# xz -V
xz (XZ Utils) 5.2.2
liblzma 5.2.2
[Expert@cpazurecluster1:0]#

Andy

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Blason_R — Sat, 30 Mar 2024 15:38:29 GMT

It has recently been released; not even 12 hours have passed.

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Sat, 30 Mar 2024 15:39:41 GMT

K, got it.

Andy

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

JP_Rex — Sun, 31 Mar 2024 06:29:37 GMT

So far discovered Vulnerable versions are:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.

2272210 – (CVE-2024-3094) CVE-2024-3094 xz: malicious code in distributed source (redhat.com)

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

genisis__ — Sun, 31 Mar 2024 10:06:53 GMT

Key thing here:
- Are Checkpoint products affected - Official statement

- Have IPS signatures been updated and the default set to block.

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Bob_Zimmerman — Sun, 31 Mar 2024 15:04:18 GMT

I've checked firewalls, SmartCenters, and MDSs running R81.10 and R81.20 with various jumbos (up to R81.20 jumbo 53). All had XZ Utils version 5.2.2.

Only a handful of systems distributed XZ Utils 5.6.0 or 5.6.1. Most are either packaging systems mostly used by developers (such as Homebrew on macOS) or bleeding edge Linux distros (such as Debian Sid and Fedora 41 and Rawhide). This is a HUGE concern for developer workstations, and you may want to treat key material held on these workstations as compromised. Might be a problem for integration testing systems, but most aren't set up to be this aggressive about testing against new versions.

This exact backdoor is extremely unlikely to be a problem on production systems. It hasn't been in the code long enough. The way in which it was inserted, though, suggests well organized, patient attackers with plenty of resources (i.e, a state actor). As such, this exact backdoor is also extremely unlikely to be the only one they inserted.

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Mon, 01 Apr 2024 19:31:13 GMT

Just checked again after updating IPS manually, but still no entry for that CVE.

Andy

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

cavalli89 — Mon, 01 Apr 2024 20:11:18 GMT

I didn't find it either.

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Mon, 01 Apr 2024 20:12:14 GMT

I looked for sk about it, but could not locate one either.

Andy

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Mon, 01 Apr 2024 20:18:38 GMT

Nm, just found the sk

Andy

https://support.checkpoint.com/results/sk/sk182161

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Chris_Atkinson — Wed, 03 Apr 2024 00:15:47 GMT

CPAI-2024-0162 - Check Point Software

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Wed, 03 Apr 2024 00:57:58 GMT

Its good does not even mention R81.20, perfect.

Andy

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Chris_Atkinson — Wed, 03 Apr 2024 08:22:45 GMT

R81.20 is a minor version in this context, the IPS protection referenced became available in package 635242217.

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

G_W_Albrecht — Tue, 09 Apr 2024 07:53:29 GMT

There is a script to check for vulnerable versions - output on R81.20 follows:

#!/bin/bash 
# script to detect CVE-2024-3094 
# original script: 
# https://www.openwall.com/lists/oss-security/2024/03/29/4 
# modified (fixed and features added) by cyclone 
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh 
# tested on debian amd64 
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094 
# https://github.com/advisories/GHSA-rxwq-x6h5-x525 
# v1.0.0; 2024-03-29 
# initial release 
# v1.0.1; 2024-03-29 
# https://github.com/cyclone-github/scripts/issues/1 
# https://github.com/cyclone-github/scripts/issues/2 
# https://github.com/cyclone-github/scripts/pull/3 
# v1.0.2; 2024-03-30 
# https://github.com/cyclone-github/scripts/issues/4 
set -eu 
echo "Checking system for CVE-2024-3094 Vulnerability..." 
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094" 
# find path to liblzma used by sshd 
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4 
sshd_path=$(whereis -b sshd | awk '{print $2}') 
path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1) 
# or find path to liblzma used by xz 
# https://github.com/cyclone-github/scripts/issues/4 
if [ -z "$path" ]; then 
 xz_path=$(whereis -b xz | awk '{print $2}') 
 path=$(ldd "$xz_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1) 
fi 
if [ -z "$path" ]; then 
 echo 
 echo "Probably not vulnerable (liblzma not found)" 
 exit 
fi 
# check for function signature 
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4 
echo 
echo "Checking for function signature in liblzma..." 
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then 
 echo "Function signature in liblzma: VULNERABLE" 
else 
 echo "Function signature in liblzma: OK" 
fi 
# check xz version 
echo 
echo "Checking xz version..." 
xz_version=$(xz --version | head -n1 | awk '{print $4}') 
if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then 
 echo "xz version $xz_version: VULNERABLE" 
else 
 echo "xz version $xz_version: OK" 
fi

[Expert]# ./cvedetect.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version...
xz version 5.2.2: OK

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Tue, 09 Apr 2024 11:24:03 GMT

I got the same in the lab fw

[Expert@azurefw:0]# ./cvescript.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version...
xz version 5.2.2: OK
[Expert@azurefw:0]#

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

G_W_Albrecht — Tue, 09 Apr 2024 11:26:31 GMT

Not a surprise at all 🤣

Re: CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

the_rock — Tue, 09 Apr 2024 11:52:43 GMT

No lol

I think all of them would show the same 🤣