Pricing Login
Products

SaaS Log Analytics Platform

Monitor, troubleshoot and secure your apps

Learn more

Troubleshooting and Monitoring

Monitor and troubleshoot issues fast—at scale.

Learn more

Cloud Infrastructure Security

Quickly consolidate and identify risks and threats in your environment.

Learn more

Compliance and Audit

Prove your data is safe and compliant across all cloud and on-site setups.

Learn more

Cloud SIEM

Accelerate your incident investigations with enhanced visibility.

Learn more

PLATFORM CAPABILITIES

Solutions

Our approach resulted in a doubling of our log ingestion at an ingest cost increase of only 10%, saving us around $1 million.”

Iwan Eising

Team Lead of Service Reliability Architecture

Read case study

BY OBSERVABILITY USE CASE

BY SECURITY USE CASE

BY INITIATIVE

BY COMPETITION

Pricing
Docs
Resources

LEARN

ENGAGE

TRAIN

COMMUNITY

About
Support
Demo
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

April 1, 2024 By Anton Ovrutsky

Responding to CVE-2024-3094 - Supply chain compromise of XZ Utils

CVE-2024-3094


It seems as though responders cannot catch a break when it comes to 0-day vulnerabilities and supply chain compromise avenues. On March 29th, 2024, the Cybersecurity & Infrastructure Security Agency published an alert regarding a supply chain compromise of the XZ Utils package.

At time of writing, there is no information regarding exploitation of the vulnerability and follow-on post-compromise activity. However, it is still prudent and recommended to identify vulnerable versions of this package in your environment and upgrade as soon as possible.

Read on to learn how to accomplish this, and how the various features of Cloud SIEM can help security teams respond to this threat.

Identifying vulnerable XZ Utils versions

For customers who may not have a vulnerability scanning appliance in place or simply wish to perform an ad-hoc or secondary scan on sensitive hosts to confirm whether vulnerable versions of XZ utils exist, we can utilize Software Bill of Materials (SBOM) tooling.

One example of such tooling is Distro2Sbom. Let’s take a look at how this tool works and how it can work with Sumo Logic in order to find vulnerable XZ Utils across your environment.

We first need to install the tool with a simple PIP command: 

pip install distro2sbom

We can then go ahead and issue the below command, to find and catalog XZ Util package versions:

distro2sbom --distro auto --package xz-utils --format json --output-file "$(hostname -s).json"

The output of this command will be a JSON file named after the host on which it was run – the JSON structure (visualized with JSONCrack) will look something like this:

JSON structure (visualized with JSONCrack)

We can see the packages JSON element which contains a list of packages that make up the XZ-Utils binary. Most critical for us, the JSON element also contains the relevant version information for the package.

the packages JSON element which contains a list of packages that make up the XZ-Utils binary

In addition to this information, we also get information regarding the relationships between the various packages for further advanced analysis.

Information regarding the relationships between the various packages for further advanced analysis

Now that we have our JSON files containing SBOM information, targeting the XZ-Utils package specifically, we can transfer these JSON files to a centralized host with the Sumo Logic Collector installed.

As a next step, we’ll be ingesting these JSON files into the Sumo Logic platform for further analysis.

Our collection configuration will look like this:

Collection configuration

Once we have the files ingested, we can look at the following query:

_sourceCategory="SBOM" 
| json "packages[*].name" as package_name nodrop
| json "packages[*].versionInfo" as version_info nodrop 
| where jsonArrayContains(package_name,"xz-utils") and (jsonArrayContains(version_info,"5.6.0") OR jsonArrayContains(version_info,"5.6.1"))
| extract field=_sourcename "(?<hostname>([^\/]+)\/?).json" multi
//| values(hostname) as vulnerable_hosts by package_name,version_info
| values(package_name) as packages,values(version_info) as versions by hostname

In this query, we are extracting the package and package version information from our SBOM JSON file and are matching when the version is 5.6.0 or 5.6.1 which are currently the only two versions flagged as being malicious/backdoored.

We then extract the host name information from the source file name and display the results:

extract the host name information from the source file name and display the results

At this point, we have now identified which hosts contain the vulnerable package and we can proceed to patch and update the host.

If patching and updating is not an option due to system criticality or other factors, we can go ahead and add a list of vulnerable hosts to Cloud SIEM where we can perform an array of powerful actions, including utilizing UBA rules and other functionality to more closely monitor these vulnerable hosts.

An example here would be to utilize a Cloud SIEM First Seen rule to look for first seen SSH connections via AWS VPC Flow logs to hosts that contain the vulnerable package, an example of this type of rule would look like:

Utilize a Cloud SIEM First Seen rule to look for first seen SSH connections via AWS VPC Flow logs to hosts that contain the vulnerable package

Other platform features can be brought to bear to gain additional visibility into such vulnerable hosts as well, take a look at the link below for some examples:

Learn more about how to respond to remote service appliance vulnerabilities.

Now we know how to quickly gather a software bill of materials (SBOM) inventory from our fleet of hosts and analyze these data in the Sumo Logic platform.

This method prevents the need to execute the binary itself ( xv –version) to check the version information – a step that is obviously not ideal for a binary with a potential backdoor in it. It also prevents the need to parse output from various package managers. For users who are unable to patch their systems, you now have additional material that demonstrates some capabilities found in Cloud SIEM that can keep a closer eye on vulnerable systems.

References and further reading

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Start free trial

Categories

Spotlight

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Anton Ovrutsky

Senior Threat Research Engineer

Anton Ovrutsky leverages his 10+ years of expertise and experience as a BSides Toronto speaker, C3X volunteer, and an OSCE, OSCP, CISSP, CSSP and KCNA certificate holder in his role at Sumo Logic's Threat Labs. He enjoys the defensive aspects of cybersecurity and loves logs and queries. When not diving into the details of security, he enjoys listening to music and cycling.

More posts by Anton Ovrutsky.

People who read this also enjoyed

Blog

Splunk second thoughts? It’s time for the cloud-native alternative

Splunk is now a Cisco company. If you have second thoughts about working with them, discover why Sumo Logic is the best Splunk alternative. It’s time to go cloud native.

Blog

Hunt for cloud session anomalies with Cloud SIEM

Learn how to hunt for cloud session anomalies resulting from phishing attacks or stolen cloud credentials. Read how to threat hunt in a cloud-native world where the impossible is possible.

Blog

Guarding the game: securing digital playgrounds

You can’t play around with cybersecurity for esports. With the recent hack of a major tournament, the value and importance of security for digital experiences is even more crucial.