XZ Utils CVE-2024-3094: Block and Remediate with Harness SSCA

XZ Backdoor Attack Overview

Package: XZ Utils (includes liblzma library)

Vulnerable versions:  5.6.0 and 5.6.1

Common Users: Most Linux distributions

Incident Date: March 29th, 2024 (discovered)

CVE: CVE-2024-3094

The Attack

On March 29th 2024, a critical vulnerability was discovered in XZ Utils, a widely used software utility on Linux systems. In specific cases, this critical flaw involved malicious code designed to grant unauthorized remote access via SSH. Fortunately, the issue was limited to the most recent versions, 5.6.0 and 5.6.1. The project's GitHub repository has been suspended due to the severity of the breach.

XZ compromise at a glance

1. Modifying the Build Process: The attackers snuck malicious code into the project's GitHub repository through a modified build script. This script wasn't present in the official release files.
2. Triggering Script: Specific test files within the project triggered the malicious script during the build process, injecting the backdoor code.
3. Exploiting glibc: The attackers took advantage of a mechanism called IFUNC in glibc to manipulate OpenSSH's authentication routines at runtime. This potentially allowed them to bypass authentication and gain control of affected systems.

While research continues, the above approach to compromise is thoroughly documented and detailed by Andres Freund and thesamesam/xz-backdoor.md.

Who is Affected by CVE-2024-3094

Repology's analysis indicates a significant number of Linux distributions could be at risk due to CVE-2024-3094. Here are a few linux distributions that announced their status and patch requirements.

• Fedora 41 and Rawhide distributions contain identified vulnerable packages. Red Hat urges users to stop using these immediately for security reasons. 
• In Debian's Testing, Unstable, and Experimental versions, vulnerable packages have been found. Although stable releases remain secure, users in these distributions should promptly update their xz-utils packages. 
• Kali Linux users who updated their system from March 26th to March 29th are at risk. Immediate updates are necessary for these installations, while those not updated before March 26th are safe.
• For openSUSE, SUSE has confirmed the vulnerability and released updates. Users should urgently apply these to ensure their system's safety. 
• For Alpine, edge (active development) branch is affected and needs an update to the latest version - 5.6.1-r2.

The vulnerable version of the XZ package, implicated in security concerns, was not found in several Linux distributions, including Amazon Linux, Ubuntu, and RHEL, among others.

How to Remediate CVE-2024-3094 using Harness Software Supply Chain Assurance (SSCA)

The primary defense against CVE-2024-3094 is to downgrade XZ Utils to the earlier version as soon as possible. Use your distribution's package manager to update your system immediately, making sure you are not using XZ 5.6.0 or 5.6.1

For you to perform the update immediately, you might need to identify affected deployments and configure your build system to block vulnerable packages, and track the progress of patching effectively.

This is where Harness SSCA comes in handy. Here's how Harness can help you take immediate action and respond effectively:

• Search for XZ utils in vulnerable artifacts: Harness SSCA leverages Software Bill of Materials (SBOMs) to pinpoint deployments using vulnerable XZ versions.
• Block Build Pipelines: Implement policies within your Build process to block the inclusion of vulnerable XZ versions.
• Track in existing deployed environments: Once vulnerable artifacts are identified, the Remediation Tracker within SSCA swiftly locates the deployments affected by these vulnerabilities. This streamlines the patching process by providing a clear list of deployments that require immediate attention.

Using Harness SSCA to Search for XZ Utils in your Artifacts

In events like these, when vulnerability scanners may lag in updating their databases, a Software Bill of Materials (SBOM) becomes an invaluable tool. SBOM provides a comprehensive inventory of every component within your software, detailing everything from its origins to the current package version. Having the capability to quickly review the SBOMs for all your software and accurately identify affected container images significantly enhances the efficiency and effectiveness of your response. 

The Artifact view in Harness SSCA can help you here to rightly point out all the artifacts that are using the XZ 5.6.0 or 5.6.1.

‍

Blocking XZ 5.6.0/1 Using Harness SSCA in Build Pipelines

Remediating vulnerable deployments is crucial, but preventing future occurrences is equally important. Here's how you can leverage Harness SSCA policies to strengthen your build process:

• Block Vulnerable Versions: Add specific vulnerable versions, such as XZ 5.6.0 and 5.6.1, to a deny list within your SSCA policy.
• Enforce Policy on Build SBOMs: This policy will be enforced against the Software Bill of Materials (SBOM) generated during the build process.
• Pipeline Block on Violations: If the build process attempts to use a blacklisted version, the pipeline will be blocked, preventing the deployment of vulnerable software.

By implementing these steps, you can ensure that your build process automatically flags and prevents the inclusion of known vulnerable components. This proactive approach significantly reduces the risk of pushing out vulnerable software.

Tracking XZ utils using Remediation Tracker in existing deployed environments for patching

Once you've identified vulnerable artifacts, the next step is to pinpoint the environments where they're deployed. This is where the Harness Remediation Tracker shines.

Remediation Tracker in Harness SSCA simplifies this process by leveraging defined remediation rules. Simply provide details of the affected component, and the tracker efficiently pulls out all deployments using that component. Additionally the integration with Jira enables you to swiftly initiate the patching process across all impacted environments. To learn more about the tracker creation, refer to the documentation on creating a remediation tracker

‍

‍

Furthermore, upon selecting an artifact the tracker fetches all the deployments that are affected by the vulnerability.

‍

Conclusion

As software supply chain attacks become more prevalent, securing your software delivery process is paramount. Harness SSCA empowers you to proactively combat these attacks. Leveraging SBOMs, SSCA pinpoints vulnerable artifacts within your deployments.  Furthermore, it efficiently tracks impacted deployments and enforces policies to block these vulnerable components.  This comprehensive approach grants you crucial visibility, streamlines remediation efforts, and ultimately safeguards the integrity of your software supply chain.