XZ Utils is a widely used suite of command-line tools for lossless data compression on virtually all Unix-like operating systems, including Linux. Its main components, xz and lzma, are used for compressing files, distributing packages, and managing backups.

Andres Freund discovered a backdoor in XZ Utils, specifically in the liblzma library, and reported it on the oss-security mailing list on March 29, 2024. Designated CVE-2024-3094, the vulnerability carries a CVSS score of 10, reflecting its critical impact. It originated from a carefully orchestrated supply chain attack in which an adversary compromised the upstream source code repository of the XZ project and discreetly implanted the backdoor into the release tarballs. The affected versions are 5.6.0 and 5.6.1.

Notably, the vulnerability has a pronounced effect on SSH, potentially enabling unauthorized remote code execution (RCE) via SSH. This presents a substantial security risk given the widespread use of SSH for secure remote administration of Linux endpoints.

As confirmed by vendors themselves, the following Linux distributions are affected by CVE-2024-3094:

While other distributions may potentially be impacted, these versions have been officially recognized as vulnerable by their respective vendors.

Scan for vulnerable packages with Wazuh

The Wazuh Vulnerability Detector module enables the identification of vulnerabilities in software and operating systems. It does this by comparing installed software versions against known vulnerabilities sourced from various databases. These databases include the National Vulnerability Database (NVD), Canonical, Red Hat, Debian, Arch Linux, and several others. Wazuh collects data on software versions from monitored systems, assesses them against the vulnerability database, and generates alerts when matches are found. The alerts contain details about the affected endpoints, software versions, and the severity ratings.

Requirements

You need to fulfill the following requirements to scan endpoints for vulnerabilities:

Wazuh server configuration

Perform the following steps on the Wazuh server to enable vulnerability scanning of monitored endpoints:

1. Enable the Vulnerability Detector module by modifying the Wazuh server configuration file at /var/ossec/etc/ossec.conf. Set the value for the <enabled> tag to yes for the Vulnerability Detector module and for every operating system you intend to scan. You can also enable scans for operating systems that are not listed in the configuration file by following the scanning unsupported systems guide. Below is an example configuration enabling scans for Ubuntu, Debian, and Arch Linux:

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2022</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Alma Linux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>yes</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>

2. Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

It takes a couple of minutes for the Wazuh server to download the vulnerability feeds and start the scan. You can track the progress by checking the Wazuh server log file:

# tail -f /var/ossec/logs/ossec.log | grep vulnerability-detector

Visualizing vulnerability data on the Wazuh dashboard

Once vulnerable versions of XZ Utils are detected on monitored endpoints, alerts appear on the Security events tab of the Wazuh dashboard.

Figure 1: Vulnerability alert on the Security events tab

Additionally, you can navigate to Modules > Vulnerabilities on the Wazuh dashboard to visualize the vulnerability data for selected agents. In the example below, we visualize vulnerability data for the Arch Linux agent.

Figure 2: Vulnerabilities page showing the detected vulnerabilities

You can also enter the query cve=CVE-2024-3094 into the search bar to filter for the CVE-2024-3094 vulnerability, as shown below:

Figure 3: Filter applied for the CVE-2024-3094 vulnerability

Click on the vulnerability to expand the results and gain more insights as shown below.

Figure 4: Details about the detected CVE-2024-3094 vulnerability

Mitigation

There are two mitigation options: either downgrade to a version earlier than 5.6.0 or upgrade to a patched version later than 5.6.1. For a detailed guide on the most effective mitigation strategy, consult your Linux distribution's advisory.
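As an added example that is not part of the Wazuh post, the script below gives an endpoint-side confirmation of what the Vulnerability Detector reports: it parses the version from xz --version output and flags the two releases the post names as affected (5.6.0 and 5.6.1), which is also a quick way to verify that a downgrade or upgrade actually took effect. It assumes xz, if installed, is on PATH and prints the usual "xz (XZ Utils) X.Y.Z" first line; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Wazuh post): local check for the XZ Utils
# versions named as affected by CVE-2024-3094 (5.6.0 and 5.6.1).

AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". The output is passed in as a string
# so the function can be exercised on constructed text without xz installed.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if the version string is one the advisory lists as affected.
xz_version_is_affected() {
    v="$1"
    for a in $AFFECTED_XZ_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# Report on the xz actually installed on this host, if any.
# Exit status: 0 = not affected or not installed, 2 = affected, 3 = unparsable.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    v=$(xz_version_from_output "$out")
    if [ -z "$v" ]; then
        echo "could not parse xz version from: $out"
        return 3
    fi
    if xz_version_is_affected "$v"; then
        echo "AFFECTED: xz $v is listed for CVE-2024-3094 (5.6.0/5.6.1)"
        return 2
    fi
    echo "ok: xz $v is not in the affected list"
    return 0
}

check_local_xz
```

The exit status lets the script be used from cron or a configuration-management run, with status 2 marking hosts that still need the downgrade or upgrade.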

Conclusion

The discovery of vulnerabilities within widely used software such as XZ Utils shows the importance of proactive security measures. By staying informed about potential threats and leveraging tools like Wazuh for automated vulnerability scanning, organizations can mitigate risks and safeguard their endpoints against exploitation. As demonstrated, the collaboration between security researchers, open source communities, and security platforms is crucial in maintaining the integrity of software ecosystems.

For queries regarding how to use Wazuh to detect this vulnerability or any other issues, feel free to reach out to the Wazuh community through any of its available channels.
