Coverage Released for XZ Utils Supply Chain Attack (CVE-2024-3094)
Summary
Tenable has developed and released asset detection, vulnerability detection and Indicator of Compromise (IoC) plugins in response to the backdoor in XZ Utils, a widely used compression library found in multiple Linux distributions. The vulnerability is tracked as CVE-2024-3094 and CISA has issued an alert recommending that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
Impact
Tenable has developed an asset detection plugin (192709) that can be used by our customers to identify and enumerate instances of XZ Utils, vulnerable or not, anywhere in their environment.
We have also released a version check plugin, “XZ Utils 5.6.0 / 5.6.1 Liblzma Backdoor Check” (192737), that leverages the initial detection plugin and identifies XZ Utils versions 5.6.0 and 5.6.1, which are known to be potentially vulnerable. Note that this plugin is paranoid because not all instances of the affected versions of XZ Utils are known to be vulnerable to the backdoor. Please refer to the details in the plugin description, the included plugin links, and our Tenable Research FAQ for more information about this evolving vulnerability.
Finally, Tenable has provided an IoC Plugin, “Potential exposure to XZ Utils SSH Backdoor (CVE-2024-3094)” (192708), which leverages the publicly known indicator of compromise (IoC), coded in NASL, to facilitate scanning at scale with Tenable Products.
These three plugins can be used together to provide a comprehensive account of the installed XZ Utils footprint in customer environments and actionable guidance on where to target remediation efforts.
Plugins
192709 - Tukaani XZ Utils Installed (Linux / Unix)
192737 - XZ Utils 5.6.0 / 5.6.1 Liblzma Backdoor Check
192708 - Potential exposure to XZ Utils SSH Backdoor (CVE-2024-3094)
Target Release Date
Immediate
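
The version-based triage described under Impact, as an added example that is not Tenable's plugin code: it reduces distro package strings to the upstream XZ Utils release and flags 5.6.0 / 5.6.1, including the Debian "+really" rollback form where a package labelled 5.6.1 actually ships an older release. Host names, package strings and function names are constructed for illustration, and like the version check plugin a hit means "investigate", not "backdoored".

```python
import re

# Upstream releases the post names as potentially backdoored.
AFFECTED = {"5.6.0", "5.6.1"}

def upstream_version(pkg_version):
    """Reduce a distro package version string to the upstream X.Y.Z release."""
    v = pkg_version.strip().split(":", 1)[-1]   # drop an epoch such as "1:"
    if "+really" in v:                           # Debian rollback convention:
        v = v.split("+really", 1)[1]             # real upstream follows the marker
    m = re.match(r"(\d+\.\d+\.\d+)", v)
    return m.group(1) if m else None

def parse_xz_version(text):
    """Pull the xz and liblzma versions out of `xz --version` output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(xz \(XZ Utils\)|liblzma)\s+(\S+)", line)
        if m:
            found["liblzma" if m.group(1) == "liblzma" else "xz"] = m.group(2)
    return found

def classify(pkg_version):
    """Label a version string: affected-version, other-version or unparsed."""
    up = upstream_version(pkg_version)
    if up is None:
        return "unparsed"                        # keep for manual review
    return "affected-version" if up in AFFECTED else "other-version"

def triage(inventory):
    """inventory: (host, component, version) tuples -> hosts needing follow-up."""
    flagged = {}
    for host, component, version in inventory:
        status = classify(version)
        if status != "other-version":
            flagged.setdefault(host, []).append((component, version, status))
    return flagged

# Constructed sample inventory (hypothetical hosts and package strings).
SAMPLE = [
    ("build-01", "xz-utils", "5.6.1-1"),
    ("build-02", "xz-utils", "5.6.1+really5.4.5-1"),
    ("db-01", "xz-libs", "5.4.6-1.el9"),
    ("edge-01", "liblzma5", "1:5.6.0-0.2"),
    ("legacy-01", "xz", "unknown"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```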