This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2024-03-29 11:50 PM
Jump to solution

CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]

Hi All,

There has been a disclosure of a significant vulnerability in the Linux liblzma library a few hours back. Due to its widespread use across various Linux distributions. With a CVSS Score of 10this vulnerability is considered highly critical.

At least I performed quick scan through firewall appliances for version R81, 81.10 and 81.20 and it seems  xz version 5.2.5 which is not vulnerable.

command to run and find out the version is from expert mode

#xz -V

Here are few references: 

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

https://access.redhat.com/security/cve/CVE-2024-3094
https://www.thestack.technology/malicious-linux-backdoor-cvss-10-cve-2024-3094/
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-uti...
https://www.gamingonlinux.com/2024/03/xz-tools-and-libraries-compromised-with-a-critical-issue/
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
2 Solutions

Accepted Solutions
the_rock
Legend
Legend
‎2024-04-01 01:18 PM
In response to cavalli89
Jump to solution

Nm, just found the sk

Andy

https://support.checkpoint.com/results/sk/sk182161

View solution in original post

Chris_Atkinson
Employee Employee
Employee
‎2024-04-03 01:22 AM
In response to the_rock
Jump to solution

R81.20 is a minor version in this context, the IPS protection referenced became available in package 635242217.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
17 Replies
the_rock
Legend
Legend
‎2024-03-30 06:30 AM
Jump to solution

I see my IPS is updated in the lab, but that CVE does not show anywhwre within IPS protections.

[Expert@cpazurecluster1:0]# xz -V
xz (XZ Utils) 5.2.2
liblzma 5.2.2
[Expert@cpazurecluster1:0]#

Andy

Blason_R
Leader
Leader
‎2024-03-30 08:38 AM
In response to the_rock
Jump to solution

It has recently been released; not even 12 hours have passed.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2024-03-30 08:39 AM
In response to Blason_R
Jump to solution

K, got it.

Andy

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-03-30 11:29 PM
Jump to solution

So far discovered Vulnerable versions are:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.

2272210 – (CVE-2024-3094) CVE-2024-3094 xz: malicious code in distributed source (redhat.com)

(1)
genisis__
Leader Leader
Leader
‎2024-03-31 03:06 AM
In response to JP_Rex
Jump to solution

Key thing here:
- Are Checkpoint products affected - Official statement

- Have IPS signatures been updated and the default set to block.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-31 08:04 AM
Jump to solution

I've checked firewalls, SmartCenters, and MDSs running R81.10 and R81.20 with various jumbos (up to R81.20 jumbo 53). All had XZ Utils version 5.2.2.

Only a handful of systems distributed XZ Utils 5.6.0 or 5.6.1. Most are either packaging systems mostly used by developers (such as Homebrew on macOS) or bleeding edge Linux distros (such as Debian Sid and Fedora 41 and Rawhide). This is a HUGE concern for developer workstations, and you may want to treat key material held on these workstations as compromised. Might be a problem for integration testing systems, but most aren't set up to be this aggressive about testing against new versions.

This exact backdoor is extremely unlikely to be a problem on production systems. It hasn't been in the code long enough. The way in which it was inserted, though, suggests well organized, patient attackers with plenty of resources (i.e, a state actor). As such, this exact backdoor is also extremely unlikely to be the only one they inserted.

0 Kudos
the_rock
Legend
Legend
‎2024-04-01 12:31 PM
Jump to solution

Just checked again after updating IPS manually, but still no entry for that CVE.

Andy

0 Kudos
cavalli89
Explorer
‎2024-04-01 01:11 PM
In response to the_rock
Jump to solution

I didn't find it either.

0 Kudos
the_rock
Legend
Legend
‎2024-04-01 01:12 PM
In response to cavalli89
Jump to solution

I looked for sk about it, but could not locate one either.

Andy

the_rock
Legend
Legend
‎2024-04-01 01:18 PM
In response to cavalli89
Jump to solution

Nm, just found the sk

Andy

https://support.checkpoint.com/results/sk/sk182161

Chris_Atkinson
Employee Employee
Employee
‎2024-04-02 05:15 PM
In response to the_rock
Jump to solution

CPAI-2024-0162 - Check Point Software

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2024-04-02 05:57 PM
In response to Chris_Atkinson
Jump to solution

Its good does not even mention R81.20, perfect.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-04-03 01:22 AM
In response to the_rock
Jump to solution

R81.20 is a minor version in this context, the IPS protection referenced became available in package 635242217.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-04-09 12:53 AM
Jump to solution

There is a script to check for vulnerable versions - output on R81.20 follows:

Click to Expand
#!/bin/bash 
# script to detect CVE-2024-3094 
# original script: 
# https://www.openwall.com/lists/oss-security/2024/03/29/4 
# modified (fixed and features added) by cyclone 
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh 
# tested on debian amd64 
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094 
# https://github.com/advisories/GHSA-rxwq-x6h5-x525 
# v1.0.0; 2024-03-29 
# initial release 
# v1.0.1; 2024-03-29 
# https://github.com/cyclone-github/scripts/issues/1 
# https://github.com/cyclone-github/scripts/issues/2 
# https://github.com/cyclone-github/scripts/pull/3 
# v1.0.2; 2024-03-30 
# https://github.com/cyclone-github/scripts/issues/4 
set -eu 
echo "Checking system for CVE-2024-3094 Vulnerability..." 
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094" 
# find path to liblzma used by sshd 
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4 
sshd_path=$(whereis -b sshd | awk '{print $2}') 
path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1) 
# or find path to liblzma used by xz 
# https://github.com/cyclone-github/scripts/issues/4 
if [ -z "$path" ]; then 
 xz_path=$(whereis -b xz | awk '{print $2}') 
 path=$(ldd "$xz_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1) 
fi 
if [ -z "$path" ]; then 
 echo 
 echo "Probably not vulnerable (liblzma not found)" 
 exit 
fi 
# check for function signature 
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4 
echo 
echo "Checking for function signature in liblzma..." 
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then 
 echo "Function signature in liblzma: VULNERABLE" 
else 
 echo "Function signature in liblzma: OK" 
fi 
# check xz version 
echo 
echo "Checking xz version..." 
xz_version=$(xz --version | head -n1 | awk '{print $4}') 
if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then 
 echo "xz version $xz_version: VULNERABLE" 
else 
 echo "xz version $xz_version: OK" 
fi

[Expert]# ./cvedetect.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version...
xz version 5.2.2: OK

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2024-04-09 04:24 AM
In response to G_W_Albrecht
Jump to solution

I got the same in the lab fw

[Expert@azurefw:0]# ./cvescript.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version...
xz version 5.2.2: OK
[Expert@azurefw:0]#

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-04-09 04:26 AM
In response to the_rock
Jump to solution

Not a surprise at all 🤣

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2024-04-09 04:52 AM
In response to G_W_Albrecht
Jump to solution

No lol

I think all of them would show the same 🤣

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events