CVE-2024-3094 has shaken the open source community with its critical supply chain compromise, affecting XZ Utils and potentially enabling unauthorized access through SSH authentication bypass. The silver lining is that this brought some great research from the community. Get the details, and the technical analysis from the Vulcan Cyber research team and how to fix the CVE in our blog >> https://lnkd.in/dYkfw9fi
Wes Wharton’s Post
More Relevant Posts
-
Urgent security alert 🛑 CVE-2024-3094 has shaken the open source community with its critical supply chain compromise, affecting XZ Utils and potentially enabling unauthorized access through SSH authentication bypass. The silver lining is that this brought some great research from the community. Get the details, and the technical analysis from the Vulcan Cyber research team and how to fix the CVE in our blog >> https://lnkd.in/dNn3xDgC
Alert: CVE-2024-3094, a serious backdoor in XZ Utils, permits RCE
https://vulcan.io
-
On March 29th, a security incident surfaced involving XZ Utils, a widely utilized data compression package integrated into major Linux distributions. Malicious code, allowing unauthorized remote SSH access, was discovered within versions 5.6.0 and 5.6.1 of XZ Utils. This exploit has been formally identified as CVE-2024-3094 and assigned a critical CVSS score of 10. The Zscaler ThreatLabz team has deployed protection! Read this interesting blog to see how to be protected.
CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils
zscaler.com
-
This article has the most succinct timeline of events surrounding the XZ library backdoor that I have found. Would standard static code analysis tools have caught this? Perhaps not. In that case, this scenario brings to mind Bruce Schneier's quote, "You can't defend. You can't prevent. The only thing you can do is detect and respond." #cybersecurity #supplychain #cybernews
Supply Chain Backdoors, xz/liblzma, CVE-2024-3094, and what we currently know | @Bugcrowd
bugcrowd.com
-
A recent threat brief from #paloaltonetworks #unit42 provides details and protections for CVE-2024-3094 reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Red Hat Linux flagged CVE-2024-3094 on March 28, 2024, with a severe CVSS score of 10. The vulnerability stems from a compromise in the supply chain, impacting the latest XZ tools and libraries. XZ Utils, integral to major Linux distributions, faces this security concern. To mitigate risks, CISA recommends reverting to an unaffected XZ Utils version (prior to 5.6.0). For more details, refer to the NIST CVE Details: https://buff.ly/4cGiIGG https://buff.ly/3vCqH6L.
Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
unit42.paloaltonetworks.com
-
Linux System 'noexec' Mount Flag Flaw Allows Malicious Code Execution
A recent discovery in the Linux ecosystem has unveiled a method to bypass the 'noexec' mount flag, enabling malicious code execution on systems that were previously thought to be secure. This vulnerability exploits a combination of Linux system calls and process memory manipulation to execute binaries without touching the file system, a technique known as fileless execution. The 'noexec' mount flag is a security feature designed to prevent the execution of binaries on specific file systems, such as temporary file systems (tmpfs) like `/dev/shm`. However, researchers have found a way to circumvent this restriction by leveraging the `memfd_create` system call and modifying process memory through `/proc/self/mem`.
Stay Connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security.
#CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations
Linux System 'noexec' Mount Flag Flaw Allows Malicious Code Execution
https://cybersecuritynews.com
-
Enterprise Cyber Risk Advisor, AI™-Powered Cyber Risk Management | Empower InfoSec to Quantify into £. Reducing Risk Fast 🚀
Balbix Guide to XZ Utils Backdoor – CVE-2024-3094
On March 29th, Andres Freund's curiosity about the 500ms latency spike in his SSH sessions led to the discovery of the XZ backdoor. Since XZ is a core upstream package for many Linux distributions, without his early discovery this would have been one of the most dangerous backdoors ever built. In this blog, we first examine Tan's complex cyber operation leading to the XZ backdoor, and then we explore what we can do to better prepare ourselves. Let's face it, make no mistake, such attacks, employing the TTPs of nation-state threat actors, are likely to increase in a turbulent world. Maybe next time, we won't be quite so fortunate. #ttp #cyberattacks #linux #secops #securityoperations #cybersecurity https://lnkd.in/g9hxGF7Z
Balbix Guide to XZ Utils Backdoor | Balbix
balbix.com
-
Five new flaws added to the “Known Exploited Vulnerabilities” (KEV) catalog that you should know about right away.
The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. CVE Tracked as: CVE-2024-27348 https://lnkd.in/g8Asi3G2
CISA warns of actively exploited Apache HugeGraph-Server bug
bleepingcomputer.com
-
The maintainers of the #FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. #cybersecurity #patched #critical #vulnerability
FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability
thehackernews.com
-
🚨 Urgent Alert for Cybersecurity Professionals! 🚨 A critical vulnerability has been discovered in XZ Utils, posing a severe risk of Remote Code Execution (RCE). CVE-2024-3094 demands immediate attention from organizations relying on the XZ Utils data compression library. Patching is paramount to safeguard against potential exploits. 🧙♂️ Our amazing threat research team, Merav Bar, Amitai Cohen, Danielle Aminov and Alon Schindel, has been instrumental in uncovering and understanding this threat. Their tireless efforts have enabled our Wiz customers to access essential resources through the Wiz Threat Center. Utilizing the Wiz SBOM capability and Wiz vulnerability management, customers can quickly search for instances vulnerable to CVE-2024-3094, streamlining the mitigation process. For more insights and steps, check their blog post for comprehensive details on CVE-2024-3094 and fortifying defenses. 🔐 Stay vigilant, stay secure. #CyberSecurity #VulnerabilityManagement #PatchNow #wiz https://lnkd.in/dWUiasrv
CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog
wiz.io
-
Security Architect and Manager | Cloud and IoT Security | Research and Development at FANUC Robotics
Another supply chain attack, CVE-2024-3094, with a backdoor implanted in a widely used package for compression, XZ Utils, but no traces of exploits yet. A delay of 5ms in the #SSH process revealed this backdoor to a researcher; otherwise, there would be chaos after a few years. This shows how essential #telemetry with a baseline is and highlights the need for defense-in-depth.
Things you need to consider for #remediation:
- Repave any container deployments using #Arch Linux from Feb 24, 2024, and #Alpine from Feb 1, 2024.
- Inventory the number of users on #Debian unstable branches and #Fedora, as these users will always be at increased risk of bleeding-edge backdoors like this.
- Ensure your teams are aware that #SAST and #DAST are unlikely to catch software backdoors like this, and, if necessary, re-evaluate your threat model in light of this.
- Review your #Firewall rules as they pertain to SSH; when firewall rules are properly configured, even organizations with vulnerable #Linux instances would be highly unlikely to be exploited.
A well-written article on this CVE: https://lnkd.in/gc5U2KAS
Researcher Note: https://lnkd.in/gtT3UZnF
#CyberSecurity #XZ #SupplyChainAttack #ThreatIntelligence #VulnerabilityManagement #Security
XZ Backdoor Attack CVE-2024-3094: All You Need To Know
jfrog.com
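A host triage script for the remediation list in the post above, added here as an example and not part of any of the posts or the linked articles. It assumes xz, ldd and sshd are on PATH when run on a live host with `--run`; the parsing functions read stdin so they can be checked against constructed output offline.

```shell
#!/bin/sh
# Added example, not from any post above: triage a Linux host for the two
# backdoored XZ Utils releases (5.6.0 and 5.6.1) behind CVE-2024-3094.
# Assumes xz, ldd and sshd are on PATH when run live with "--run".

# True (exit 0) when the version string is one of the backdoored releases.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` text, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# From `ldd <sshd>` text, print the liblzma path sshd would load (ldd lists
# transitive dependencies, so an indirect pull-in still shows up), else nothing.
liblzma_from_ldd() {
    awk '$1 ~ /^liblzma\.so/ { print $3; exit }'
}

# Live check. Exit status: 0 affected, 1 not affected, 2 undetermined.
check_host() {
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if [ -z "$ver" ]; then
        echo "xz not found on PATH; query your package manager for liblzma"
        return 2
    fi
    if xz_is_affected "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release (CVE-2024-3094)"
        status=0
    else
        echo "xz $ver is not one of the backdoored releases"
        status=1
    fi
    sshd=$(command -v sshd 2>/dev/null || true)
    if [ -n "$sshd" ]; then
        lib=$(ldd "$sshd" 2>/dev/null | liblzma_from_ldd)
        if [ -n "$lib" ]; then
            echo "sshd would load $lib, the library the backdoor hooks"
        else
            echo "sshd does not load liblzma"
        fi
    fi
    return "$status"
}
if [ "${1:-}" = "--run" ]; then check_host; fi
```

A version outside 5.6.0/5.6.1 only clears the two known backdoored releases; the post's advice to repave containers built from the affected distribution snapshots still applies.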