Protect CVE-2024-3094 XZ/liblzma Backdoor Attacks with AccuKnox

by Rudraksh Pareek and Atharva Shah | April 03, 2024

This blog post discusses the xz/liblzma backdoor vulnerability (CVE-2024-3094) and the unauthorized system access it enables. We’ll go over the importance of runtime security and introduce AccuKnox’s code-to-cloud security mechanisms, which monitor library usage, audit access attempts, and prevent exploitation.


A backdoor vulnerability (CVE-2024-3094) was recently discovered in the popular Linux compression utility xz and its complementary library liblzma. This backdoor was maliciously introduced by a trusted maintainer of the xz project over nearly two years, making it a concerning software supply chain attack. According to a report from Cybersecurity Ventures, the global annual cost of cybercrime is expected to reach $10.5 trillion by 2025, highlighting the urgency of addressing vulnerabilities like CVE-2024-3094.

Compromised Versions

The compromised versions of liblzma are v5.6.0 and v5.6.1. While these compromised versions have not yet made their way into stable releases of major Linux distributions, they were present in some testing and rolling-release variants, putting those systems at risk.

Source: JFrog

CVE-2024-3094 with a CVSS Score of 10!

Very few vulnerabilities have a perfect 10 score; this is one of them. One notable exploit of this backdoor allows an attacker to gain unauthorized access to a system by bypassing SSH (OpenSSH) authentication, a critical security vulnerability.

Why is Runtime Security Critical?

To understand the importance of runtime security in this context, let’s first look at how an executable can use liblzma as a dependency:

  1. Static linking – liblzma is imported and included in the executable at build time.
  2. Dynamic linking – the executable loads the liblzma shared object (.so) file present on the system at runtime.

While static analysis tools can help detect issues with statically linked dependencies, they struggle to identify risks associated with dynamically linked libraries, as the specific version used can vary across systems and environments. This is where runtime security becomes crucial, as it allows for the detection and prevention of compromised library versions during execution.

AccuKnox Solution

AccuKnox is purpose-built to battle against such invasive threats. We secure across environments, from cloud to bare metal, at multiple stages, including:

  1. Detecting the presence of compromised liblzma versions through vulnerability scanning.
  2. Auditing and preventing access to compromised liblzma versions at runtime.
  3. Monitoring and analyzing systems for any suspicious activity, even if they have already been compromised.

Securing SSH Access with AccuKnox

Consider the example of securing SSH access to compromised virtual machines (VMs). The OpenSSH server (sshd) is a prime example of an executable that dynamically links to liblzma at runtime. Powered by the open-source KubeArmor project, AccuKnox can monitor and report the behavior of applications and system processes running on Linux VMs or as containers in Kubernetes. This capability is invaluable for detecting if a running SSH process is accessing any infected versions of liblzma.

With KubeArmor’s inline mitigation approach, AccuKnox enforces user-defined rules to restrict these activities, effectively blocking access to the compromised liblzma shared object’s path.

Here’s a screengrab of a virtual machine with the compromised liblzma shared object.

Monitoring Capabilities

Once the VM is onboarded onto the AccuKnox SaaS platform and agents are running, they start monitoring file access, process execution, network access, and more. This monitoring is crucial for:

  1. Detecting if a system is using compromised versions of libraries.
  2. Identifying if a system has already been compromised and is exhibiting unexpected activity.

If an attempt is made to access this VM over SSH, the liblzma version used by the sshd process would be detected and reported. The screenshot below shows the SSH process trying to access liblzma.so.5.6.0, the compromised version:
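The two checks described above (which liblzma a dynamically linked program resolves to, and whether a running process such as sshd has already mapped liblzma.so.5.6.0) can also be reproduced by hand on a Linux host. The following POSIX shell script is an added example and is not AccuKnox or KubeArmor code; the library directories it probes, the function names, and the /proc/<pid>/maps sample lines it runs against are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AccuKnox/KubeArmor code): report which liblzma the host's
# dynamically linked programs resolve to, and whether any running process has
# mapped one of the compromised builds (liblzma 5.6.0 / 5.6.1).

# True when a path names a compromised shared object, e.g. liblzma.so.5.6.0
# or liblzma.so.5.6.1.2 (basename check only; directory does not matter).
is_compromised_liblzma_path() {
  case "${1##*/}" in
    liblzma.so.5.6.0|liblzma.so.5.6.0.*|liblzma.so.5.6.1|liblzma.so.5.6.1.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the liblzma soname symlink that the dynamic loader follows in the
# usual library directories (assumed locations). Prints "<link> -> <real> [status]".
installed_liblzma() {
  for link in /usr/lib/x86_64-linux-gnu/liblzma.so.5 /usr/lib64/liblzma.so.5 \
              /usr/lib/liblzma.so.5 /lib/x86_64-linux-gnu/liblzma.so.5; do
    [ -e "$link" ] || continue
    real=$(readlink -f "$link")
    status=clean
    is_compromised_liblzma_path "$real" && status=COMPROMISED
    printf '%s -> %s [%s]\n' "$link" "$real" "$status"
  done
}

# $1: text in /proc/<pid>/maps layout (6th column is the mapped file).
# Prints each distinct compromised liblzma path once; exit 0 if any, else 1.
compromised_liblzma_in_maps() {
  printf '%s\n' "$1" | awk '
    $6 ~ /liblzma\.so\.5\.6\.[01]/ && $6 !~ /liblzma\.so\.5\.6\.[01][0-9]/ && !seen[$6]++ {
      print $6; found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Walk every live process and report the ones with a compromised liblzma
# mapped; sshd is the case the blog post discusses, but any process is checked.
scan_running_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    hits=$(compromised_liblzma_in_maps "$(cat "$maps" 2>/dev/null)") || continue
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    printf 'pid %s (%s) has mapped: %s\n' "$pid" "$comm" "$hits"
  done
}

# Constructed sample in /proc/<pid>/maps layout (not captured from a real host)
SAMPLE_MAPS='7f3a1c000000-7f3a1c02b000 r--p 00000000 08:01 131204 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
7f3a1c02b000-7f3a1c060000 r-xp 0002b000 08:01 131204 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
7f3a1c100000-7f3a1c120000 r--p 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0      [stack]'

# Default: demonstrate on the constructed sample. Pass --live to inspect this host.
if [ "${1-}" = "--live" ]; then
  installed_liblzma
  scan_running_processes
else
  compromised_liblzma_in_maps "$SAMPLE_MAPS" && echo "compromised liblzma mapped in sample"
fi
```

Reading /proc/<pid>/maps shows what a process has actually loaded, which is what matters for dynamically linked dependencies: a package scanner sees the file on disk, but only the running image tells you whether sshd is currently executing the backdoored code. The script is a point-in-time check; the KubeArmor policy in the next section watches the same file accesses continuously.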

Auditing Capabilities

To further enhance security, AccuKnox allows the creation of policies to audit when any process tries to access the malicious liblzma.so, enabling administrators to take appropriate action and upgrade to a patched version of xz.

This is the sample policy used to enforce security:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-cve-2024-3094-xz-utils-v5-6-backdoor
spec:
  tags: ["CVE", "CVE-2024-3094", "remote-code-execution", "backdoor"]
  message: "Alert! A process accessed compromised versions of xz-utils and liblzma (v5.6.0, v5.6.1)."
  nodeSelector:
    matchLabels:
      # hostname label of the VM that you want to secure
      kubearmor.io/hostname: xz-exploit-demo-vm
  file:
    severity: 5
    # matchPatterns entries take a "pattern" key; these match any file whose
    # name contains liblzma.so.5.6.0 or liblzma.so.5.6.1, wherever it lives,
    # and raise an audit event whenever a process tries to access it
    matchPatterns:
    - pattern: "/**/liblzma.so.5.6.0.*"
    - pattern: "/**/liblzma.so.5.6.1.*"
    # exact paths of the compromised shared objects on common library layouts
    matchPaths:
    - path: /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
    - path: /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
    - path: /usr/lib/liblzma.so.5.6.0
    - path: /usr/lib/liblzma.so.5.6.1
  # Audit only logs the access; Block denies it
  action: Audit

With this policy in place, users would still be able to access the VM, but an audit alert would be generated whenever a process attempts to access the compromised liblzma version.

Prevention Capabilities

AccuKnox can take a more proactive approach by preventing processes from accessing the compromised liblzma version altogether. To achieve this, the action in the policy can be changed from Audit to Block. However, it’s important to note that with this policy in effect, no one would be able to access the server over SSH until the server is updated to use a patched version of xz/liblzma. When attempting to access the server remotely with the “Block” policy in place, SSH fails. This is highlighted below.

This is how the alert looks on the AccuKnox Enterprise CNAPP dashboard:

Further Protection

The policy shown above is just an example from AccuKnox’s curated set of policy templates, which also includes hardening policies based on CVE databases, MITRE ATT&CK techniques, NIST controls, and more. Along with hardening policies, AccuKnox recommends implementing zero-trust policies based on your applications’ behavior, ensuring that processes in the system are granted the least privileged access necessary.

Takeaways

  • CVE-2024-3094 is a critical vulnerability affecting v5.6.0 and v5.6.1 of xz/liblzma, as recognized by major advisory bodies.
  • Currently, only rolling-release Linux distributions are affected by this vulnerability.
  • Vulnerability scanning can be used to detect the presence of compromised versions within code and images.
  • Most executables dynamically link to liblzma, making runtime security essential for detecting, auditing, and preventing the execution of dependents using compromised versions.
  • Continuous runtime monitoring of systems can help detect suspicious activity, whether or not the system has already been compromised.

AccuKnox’s runtime security solution protects from code to cloud with a full suite of security tooling built to enterprise protection standards. We defend against crypto-jacking, data science workload threats, privilege escalation, and other cloud-native application threats, so you can proactively identify and mitigate risks before they can be exploited.
