Using Behavioral Runtime Analysis to Detect CVE-2024-3094

CVE-2024-3094, otherwise known as the XZ Backdoor software supply chain attack, is the most sophisticated social engineering attack on open source projects that we are aware of, to-date. Attackers masqueraded as as a maintainer of a popular open source project, XZ Utils, which is used broadly, and packaged malicious code in a software update, the goal being to take over remote code execution. The attack underscores the need to capture a profile of your environment before zero days occur, versus relying on reactive, signature-based detection or anomaly detection that cannot detect normal processes and programs that are used for malicious purposes.

*Update - the Open Source Security (OpenSSF) and OpenJS Foundations just issued an alert for social engineering takeovers of open source projects

What were the components of the attack? 

This was a long-term, planned attack that took advantage of multiple components, including XZ Utils, sshd, and glibc.

What is XZ Utils?

XZ Utils is a widely used tool on Linux systems to compress data like release tarballs (a compressed archive file), software packages, which is helpful in the process of backing up data and archiving files. It is based on the LZMA2 compression algorithm.

What is SSHD? 

Remote code execution on a machine, or encrypted communications over an insecure network, is possible through sshd, or the Secure Shell Daemon application (SSH daemon or sshd). Alternatives include rlogin and rsh.

What is glibc? 

glibc is a C library for Linux distributions, providing mostly low level functionality to the operating system. It provides an interface for system resources like files, networks and memory, so software can be more easily developed across different platforms. 

How does CVE-2024-3094 work?

The discovery of a sophisticated backdoor in XZ Utils, specifically targeting the liblzma component, has raised considerable alarms across the cybersecurity landscape. This meticulously crafted supply chain attack, unveiled in versions 5.6.0 and 5.6.1 of the software, serves as a stark reminder of the persistent threats lurking in open-source software distributions.

At the heart of this malicious endeavor is a deceptively inserted script within the distribution tarballs, not present in the genuine upstream source. This script executes under certain conditions during the build process, subtly altering the Makefile to execute obfuscated malicious code. The intricacy of this attack becomes evident through the injection of obfuscated scripts in test files, which, when decoded, reveal the attacker's intent to manipulate the building process for nefarious purposes.

This backdoor was ingeniously designed to trigger only under specific circumstances, targeting x86-64 Linux systems built with GCC and the GNU linker, and notably within Debian or RPM package builds. Its activation could significantly impact the performance of SSH logins, exploiting patched versions of OpenSSH to introduce delays, hinting at its operation.

Am I vulnerable and what should I do?

This attack relies on the following pre-requisites:

• Only activating on deb/rpm package builds
• You need to be running a distro that uses glibc (for IFUNC)
• If you're running a publicly accessible sshd, then you are - as a rule of thumb for those not wanting to read the rest here - likely vulnerable

Luckily, there have not yet been any reports of the exploit being utilized in the wild. You should definitely not update to the 5.6.0 and 5.6.1 latest versions - and if you did, the guidance is to downgrade to an un-compromised version.

Using RAD Security Behavioral Fingerprints to Detect and Respond to CVE-2024-3094

Such an intricate attack vector underscores the challenges in detecting and mitigating supply chain threats. However, a behavioral eBPF runtime security agent represents a beacon of hope in this scenario. By leveraging RAD Security’s deep observability capabilities across the Linux kernel, customers can detect anomalous behaviors indicative of a compromise.

For instance, unexpected modifications to the build process or the execution of obfuscated scripts would deviate from standard operation patterns, triggering alerts. Furthermore, RAD Security’s ability to monitor system calls in real-time allows for the detection of indirect indicators of compromise, such as the abnormal system resource consumption noted during SSH logins. If you had been using RAD fingerprints for sshd prior to the attack, you would have seen the drift. It would have looked like the example fingerprint below, in the case of the XZ Backdoor. Through comprehensive behavioral analysis, our drift detection engine can not only alert on these discrepancies but also help in unraveling the complex web of execution paths that a sophisticated backdoor might employ.

Drift Detection from XZ Backdoor Exploit

You can also use RAD's packages inventory page to find where XZ Utils is installed. Here you'll see which packages have been scanned that have CVEs, the version they're running, and the affected workload, and you can do a quick search.

XZ Utils in package inventory page

Conclusion

The XZ Utils backdoor incident illustrates the evolving complexity of supply chain attacks and the imperative need for advanced detection mechanisms. Behavioral eBPF runtime security remains a critical tool and necessary in the cybersecurity arsenal, offering the granular visibility and proactive threat detection necessary to counter these insidious threats effectively. As the cyber landscape continues to evolve, so must our approaches to securing it, with a keen focus on the behaviors that define normal and malicious activities alike.