CVE-2024-3094 [CRITICAL Vulnerability Just Disclosed (CVSS-10)]
Hi All,
There has been a disclosure of a significant vulnerability in the Linux liblzma library a few hours back, and the library is in widespread use across various Linux distributions. With a CVSS score of 10, this vulnerability is considered highly critical.
At least I performed a quick scan through firewall appliances for versions R81, R81.10 and R81.20, and it seems they have xz version 5.2.5, which is not vulnerable.
The command to run from expert mode to find out the version is:
# xz -V
Here are a few references:
https://nvd.nist.gov/vuln/
Blason R
CCSA,CCSE,CCCS
Accepted Solutions
Nm, just found the sk
Andy
R81.20 is a minor version in this context, the IPS protection referenced became available in package 635242217.
I see my IPS is updated in the lab, but that CVE does not show anywhere within IPS protections.
[Expert@cpazurecluster1:0]# xz -V
xz (XZ Utils) 5.2.2
liblzma 5.2.2
[Expert@cpazurecluster1:0]#
Andy
It has recently been released; not even 12 hours have passed.
Blason R
CCSA,CCSE,CCCS
K, got it.
Andy
Vulnerable versions discovered so far are:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
2272210 – (CVE-2024-3094) CVE-2024-3094 xz: malicious code in distributed source (redhat.com)
Key things here:
- Are Check Point products affected (official statement)?
- Have IPS signatures been updated and the default set to block?
I've checked firewalls, SmartCenters, and MDSs running R81.10 and R81.20 with various jumbos (up to R81.20 jumbo 53). All had XZ Utils version 5.2.2.
Only a handful of systems distributed XZ Utils 5.6.0 or 5.6.1. Most are either packaging systems mostly used by developers (such as Homebrew on macOS) or bleeding edge Linux distros (such as Debian Sid and Fedora 41 and Rawhide). This is a HUGE concern for developer workstations, and you may want to treat key material held on these workstations as compromised. Might be a problem for integration testing systems, but most aren't set up to be this aggressive about testing against new versions.
This exact backdoor is extremely unlikely to be a problem on production systems. It hasn't been in the code long enough. The way in which it was inserted, though, suggests well organized, patient attackers with plenty of resources (i.e., a state actor). As such, this exact backdoor is also extremely unlikely to be the only one they inserted.
Just checked again after updating IPS manually, but still no entry for that CVE.
Andy
I didn't find it either.
I looked for sk about it, but could not locate one either.
Andy
CPAI-2024-0162 - Check Point Software
It's good it does not even mention R81.20, perfect.
Andy
There is a script to check for vulnerable versions - output on R81.20 follows:
#!/bin/bash
# script to detect CVE-2024-3094
# original script:
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# modified (fixed and features added) by cyclone
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh
# tested on debian amd64
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094
# https://github.com/advisories/GHSA-rxwq-x6h5-x525
# v1.0.0; 2024-03-29
# initial release
# v1.0.1; 2024-03-29
# https://github.com/cyclone-github/scripts/issues/1
# https://github.com/cyclone-github/scripts/issues/2
# https://github.com/cyclone-github/scripts/pull/3
# v1.0.2; 2024-03-30
# https://github.com/cyclone-github/scripts/issues/4

set -eu

echo "Checking system for CVE-2024-3094 Vulnerability..."
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

# find path to liblzma used by sshd
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
sshd_path=$(whereis -b sshd | awk '{print $2}')
path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)

# or find path to liblzma used by xz
# https://github.com/cyclone-github/scripts/issues/4
if [ -z "$path" ]; then
    xz_path=$(whereis -b xz | awk '{print $2}')
    path=$(ldd "$xz_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)
fi

if [ -z "$path" ]; then
    echo
    echo "Probably not vulnerable (liblzma not found)"
    exit
fi

# check for function signature
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
echo
echo "Checking for function signature in liblzma..."
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
    echo "Function signature in liblzma: VULNERABLE"
else
    echo "Function signature in liblzma: OK"
fi

# check xz version
echo
echo "Checking xz version..."
xz_version=$(xz --version | head -n1 | awk '{print $4}')
if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then
    echo "xz version $xz_version: VULNERABLE"
else
    echo "xz version $xz_version: OK"
fi
[Expert]# ./cvedetect.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Checking for function signature in liblzma...
Function signature in liblzma: OK
Checking xz version...
xz version 5.2.2: OK
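The two checks the script above performs, the `xz -V` version match from the opening post and the liblzma byte-signature grep, as an added Python example. This is not the thread's script, not the cyclone script it is based on, and not a Check Point tool; the function names, the constructed sample inputs and the use of `ldd`/`xz --version` via subprocess are this example's own assumptions. It generalises slightly: the version is parsed with a regex rather than a fixed awk field, so a reworded banner does not break it, and the checks accept pre-captured input so they can be run offline against saved output from many hosts.

```python
"""Added example: CVE-2024-3094 host checks (version match + liblzma byte signature).
Not the thread's script; helper names and sample data are assumptions of this example."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Upstream xz releases reported in the thread as carrying the malicious code.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Byte pattern the thread's script greps for in liblzma (same hex string as the script).
BACKDOOR_FUNCTION_SIGNATURE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)

Version = Tuple[int, int, int]


def parse_xz_version(output: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of the first line of `xz --version` / `xz -V`.

    The first line normally reads 'xz (XZ Utils) 5.2.2'. A regex is used instead of
    a fixed field index so extra whitespace or a reworded banner does not break it.
    """
    lines = output.strip().splitlines()
    if not lines:
        return None
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", lines[0])
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: Optional[Version]) -> bool:
    """True only for the exact releases the thread lists as carrying the backdoor."""
    return version is not None and version in AFFECTED_VERSIONS


def liblzma_has_signature(data: bytes) -> bool:
    """Byte-level check of a liblzma image; a hit is a strong indicator, a miss is not proof."""
    return BACKDOOR_FUNCTION_SIGNATURE in data


def assess(version_output: str, liblzma_bytes: Optional[bytes]) -> dict:
    """Combine both checks into one verdict for a host."""
    version = parse_xz_version(version_output)
    return {
        "version": version,
        "version_affected": version_is_affected(version),
        "signature_found": liblzma_bytes is not None and liblzma_has_signature(liblzma_bytes),
    }


def find_liblzma_via_ldd(binary: str) -> Optional[str]:
    """Resolve the liblzma path a binary links against, the way the script does with ldd."""
    ldd = shutil.which("ldd")
    if ldd is None:
        return None
    try:
        out = subprocess.run([ldd, binary], capture_output=True, text=True, check=False).stdout
    except OSError:
        return None
    m = re.search(r"(/\S*liblzma\S*)", out)
    return m.group(1) if m else None


def assess_local_host() -> dict:
    """Run both checks on this machine: `xz --version`, then the liblzma that sshd (or xz) loads."""
    xz = shutil.which("xz")
    version_output = ""
    if xz is not None:
        version_output = subprocess.run([xz, "--version"], capture_output=True, text=True, check=False).stdout
    lib_path = None
    for name in ("sshd", "xz"):
        target = shutil.which(name)
        if target is not None:
            lib_path = find_liblzma_via_ldd(target)
            if lib_path:
                break
    lib_bytes = None
    if lib_path:
        with open(lib_path, "rb") as fh:
            lib_bytes = fh.read()
    result = assess(version_output, lib_bytes)
    result["liblzma_path"] = lib_path
    return result


# Constructed sample inputs (not captured from a real host) for offline use.
SAMPLE_VERSION_OK = "xz (XZ Utils) 5.2.2\nliblzma 5.2.2\n"
SAMPLE_VERSION_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LIB_CLEAN = b"\x00" * 64
SAMPLE_LIB_TAINTED = b"\x90" * 16 + BACKDOOR_FUNCTION_SIGNATURE + b"\xcc" * 8

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OK, SAMPLE_LIB_CLEAN))
    print(assess(SAMPLE_VERSION_BAD, SAMPLE_LIB_TAINTED))
    print(assess_local_host())
```

Run it as a script for a one-host verdict, or import `assess` and feed it `xz -V` output and liblzma bytes collected by your inventory tooling. As with the bash script, the signature check only tells you whether this particular backdoored function is present; the version check is the more reliable of the two for the known 5.6.0 and 5.6.1 tarballs, and a clean result on both says nothing about any other tampering.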
I got the same in the lab fw
[Expert@azurefw:0]# ./cvescript.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Checking for function signature in liblzma...
Function signature in liblzma: OK
Checking xz version...
xz version 5.2.2: OK
[Expert@azurefw:0]#
Not a surprise at all 🤣
No lol
I think all of them would show the same 🤣