URL: https://www.accuknox.com/blog/cve-2024-3094-xz-liblzma-backdoor-attack-protection
PROTECT CVE-2024-3094 XZ/LIBLZMA BACKDOOR ATTACKS WITH ACCUKNOX

by Rudraksh Pareek and Atharva Shah | April 03, 2024

This blog post discusses the xz/liblzma backdoor vulnerability (CVE-2024-3094)
and how it enables unauthorized system access. We’ll go over the importance of
runtime security and introduce AccuKnox’s code-to-cloud security mechanisms,
which monitor library usage, audit access attempts, and prevent exploitation.

Reading Time: 5 minutes


TABLE OF CONTENTS

 * Compromised Versions
 * CVE-2024-3094 with CVE Score 10!
 * Why is Runtime Security Critical?
 * AccuKnox Solution
 * Securing SSH Access with AccuKnox
 * Monitoring Capabilities
 * Auditing Capabilities
 * Prevention Capabilities
 * Further Protection
 * Takeaways


A backdoor vulnerability (CVE-2024-3094) was recently discovered in the popular
Linux compression utility xz and its complementary library liblzma. This
backdoor was maliciously introduced by a trusted maintainer of the xz project
over nearly two years, making it a concerning software supply chain attack.
According to a report from Cybersecurity Ventures, the global annual cost of
cybercrime is expected to reach $10.5 trillion by 2025, highlighting the urgency
of addressing vulnerabilities like CVE-2024-3094.


COMPROMISED VERSIONS

The compromised versions of liblzma are v5.6.0 and v5.6.1. While these
compromised versions have not yet made their way into stable releases of major
Linux distributions, they were present in some testing and rolling-release
variants, putting those systems at risk.

Source: JFrog


CVE-2024-3094 WITH CVE SCORE 10!

Very few vulnerabilities receive a perfect score of 10; this is one of them. One
notable exploit of this backdoor allows an attacker to gain unauthorized access
to a system by bypassing SSH (OpenSSH) authentication, a critical security
vulnerability.


WHY IS RUNTIME SECURITY CRITICAL?

To understand why runtime security matters in this context, let’s first look at
the two ways an executable can use liblzma as a dependency:

 1. Static linking – liblzma is compiled into the executable at build time.
 2. Dynamic linking – the executable loads the liblzma shared object (.so)
    file present on the system at runtime.

While static analysis tools can help detect issues with statically linked
dependencies, they struggle to identify risks associated with dynamically linked
libraries, as the specific version used can vary across systems and
environments. This is where runtime security becomes crucial, as it allows for
the detection and prevention of compromised library versions during execution.
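As an added example (not AccuKnox’s or KubeArmor’s code), the POSIX shell check below reads /proc/<pid>/maps to see which liblzma a running process such as sshd has actually loaded, and flags the 5.6.0 and 5.6.1 builds the post names; the maps excerpts are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not AccuKnox's or KubeArmor's code): check which liblzma a
# running process has mapped and flag the backdoored builds named in the post
# (5.6.0 and 5.6.1). It reads /proc/<pid>/maps, so it reports the shared
# object actually loaded at runtime rather than whatever a scanner finds on disk.

COMPROMISED_RE='/liblzma\.so\.5\.6\.[01](\.|$)'

# scan_maps_text MAPS_TEXT
# Reads text in /proc/<pid>/maps format, prints the unique paths of mapped
# liblzma builds matching COMPROMISED_RE, and returns 1 if any were found
# (0 when clean), so it can be used directly as a health check.
scan_maps_text() {
  hits=$(printf '%s\n' "$1" | awk 'NF >= 6 { print $6 }' \
         | grep -E "$COMPROMISED_RE" | sort -u)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# scan_pid PID: scan a live process (Linux only; reading another user's
# maps file needs the appropriate privilege).
scan_pid() {
  scan_maps_text "$(cat "/proc/$1/maps" 2>/dev/null)"
}

# scan_sshd: scan every sshd process, mirroring the post's example of sshd
# loading the compromised library. Returns 1 if any process is affected.
scan_sshd() {
  rc=0
  for pid in $(pgrep -x sshd 2>/dev/null); do
    scan_pid "$pid" || { echo "pid $pid has a compromised liblzma mapped"; rc=1; }
  done
  return $rc
}

# Constructed sample maps excerpts (not captured from a real host).
SAMPLE_BAD='7f1a3c000000-7f1a3c02a000 r--p 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
7f1a3c02a000-7f1a3c040000 r-xp 0002a000 08:01 131 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
7f1a3c100000-7f1a3c120000 r-xp 00000000 08:01 22 /usr/lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_OK='7f1a3c000000-7f1a3c02a000 r--p 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
7f1a3c100000-7f1a3c120000 r-xp 00000000 08:01 22 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Demonstration on the samples; pass --live to scan real sshd processes instead.
if [ "${1:-}" = "--live" ]; then
  scan_sshd
else
  scan_maps_text "$SAMPLE_OK"  && echo "sample_ok: clean"
  scan_maps_text "$SAMPLE_BAD" || echo "sample_bad: compromised liblzma mapped"
fi
```

The same check can be pointed at any long-running daemon that pulls in liblzma indirectly, which is exactly the case a disk-only scan can miss.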


ACCUKNOX SOLUTION

AccuKnox is purpose-built to battle against such invasive threats. We secure
across environments, from cloud to bare metal, at multiple stages, including:

 1. Detecting the presence of compromised liblzma versions through vulnerability
    scanning.
 2. Auditing and preventing access to compromised liblzma versions at runtime.
 3. Monitoring and analyzing systems for any suspicious activity, even if they
    have already been compromised.


SECURING SSH ACCESS WITH ACCUKNOX

Consider the example of securing SSH access to compromised virtual machines
(VMs). The OpenSSH server (sshd) is a prime example of an executable that
dynamically links to liblzma at runtime. Powered by the open-source KubeArmor
project, AccuKnox can monitor and report the behavior of applications and system
processes running on Linux VMs or as containers in Kubernetes. This capability
is invaluable for detecting if a running SSH process is accessing any infected
versions of liblzma.

With KubeArmor’s inline mitigation approach, AccuKnox enforces user-defined
rules to restrict these activities, effectively blocking access to the
compromised liblzma shared object’s path.

Here’s a screengrab of a virtual machine with the compromised liblzma shared
object.


MONITORING CAPABILITIES

Once the VM is onboarded onto the AccuKnox SaaS platform and the agents are
running, they start monitoring file access, process execution, network access,
and more. This monitoring is crucial for:

 1. Detecting if a system is using compromised versions of libraries.
 2. Identifying if a system has already been compromised and exhibiting
    unexpected activity.

If an attempt is made to access this VM over SSH, the liblzma version used by
the sshd process would be detected and reported. The screenshot below shows the
SSH process trying to access liblzma.so.5.6.0, the compromised version:


AUDITING CAPABILITIES

To further enhance security, AccuKnox allows the creation of policies to audit
when any process tries to access the malicious liblzma.so, enabling
administrators to take appropriate action and upgrade to a patched version of
xz.

This is the sample policy used to enforce security:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-cve-2024-3094-xz-utils-v5-6-backdoor
spec:
  tags: ["CVE", "CVE-2024-3094", "remote-code-execution", "backdoor"]
  message: "Alert! A process accessed compromised versions of xz-utils and liblzma (v5.6.0, v5.6.1)."
  nodeSelector:
    matchLabels:
      # regex matching name of the VM that you want to secure
      kubearmor.io/hostname: xz-exploit-demo-vm
  file:
    # this will match any file containing liblzma.so.5.6.0 and audit
    # whenever a process tries to access it
    severity: 5
    matchPatterns:
    - path: "/**/liblzma.so.5.6.0.*"
    - path: "/**/liblzma.so.5.6.1.*"
    matchPaths:
    - path: /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0
    - path: /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
    - path: /usr/lib/liblzma.so.5.6.0
    - path: /usr/lib/liblzma.so.5.6.1
  action: Audit




With this policy in place, users would still be able to access the VM, but an
audit alert would be generated whenever a process attempts to access the
compromised liblzma version.


PREVENTION CAPABILITIES

AccuKnox can take a more proactive approach by preventing processes from
accessing the compromised liblzma version altogether. To achieve this, the
action in the policy can be changed from Audit to Block. However, it’s important
to note that with this policy in effect, no one would be able to access the
server over SSH until the server is updated to use a patched version of
xz/liblzma. When attempting to access the server remotely with the “Block”
policy in place, SSH fails. This is highlighted below.



This is how the alert looks on the AccuKnox Enterprise CNAPP dashboard:


FURTHER PROTECTION

The policy shown above is just an example from AccuKnox’s curated set of policy
templates, which also includes hardening policies based on CVE databases, MITRE
ATT&CK techniques, NIST controls, and more. Along with hardening policies,
AccuKnox recommends implementing zero-trust policies based on your applications’
behavior, ensuring that processes in the system are granted the least privileged
access necessary.


TAKEAWAYS

 * CVE-2024-3094 is a critical vulnerability affecting v5.6.0 and v5.6.1 of
   xz/liblzma, as recognized by major advisory bodies.
 * Currently, only rolling-release Linux distributions are affected by this
   vulnerability.
 * Vulnerability scanning can be used to detect the presence of compromised
   versions within code and images.
 * Most executables that depend on liblzma link to it dynamically, making
   runtime security essential for detecting, auditing, and preventing the
   execution of dependents using compromised versions.
 * Continuous runtime monitoring of systems can help detect suspicious
   activity, whether or not the system is already known to be compromised.

AccuKnox’s runtime security solution secures from code to cloud with a full
security tooling suite with Enterprise protection standards. We defend against
crypto-jacking, data science workload threats, escalated privilege access, and
other cloud-native application threats for you to proactively identify and
mitigate risks before they can be exploited.
