forked from mondoohq/cnspec-policies
mondoo-xz-vulnerability.mql.yaml
82 lines (79 loc) · 3.73 KB
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-xz-vulnerability-policy
    name: xz Vulnerability (CVE-2024-3094)
    version: 1.0.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: linux,unix
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        Versions 5.6.0 and 5.6.1 of the xz-utils package have a vulnerability in the xz command line tool that allows arbitrary code execution when processing a specially crafted .xz file. This vulnerability is due to a stack-based buffer overflow in the xz_decomp function in xz-dec.c. An attacker can exploit this vulnerability by sending a specially crafted .xz file to a target system, which could allow the attacker to execute arbitrary code on the target system.
        This policy checks for the presence of xz libs on the system and ensures that the installed version is not vulnerable.
    groups:
      - filters: asset.family.contains("unix")
        checks:
          - uid: mondoo-xz-vulnerability-policy
queries:
  - uid: mondoo-xz-vulnerability-policy
    title: Ensure no backdoored xz libs are installed
    docs:
      desc: |
        Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
      audit: |
        Run the following command and verify that it prints nothing, i.e. that no xz 5.6.0 or 5.6.1 is installed:
        ```
        xz --version | grep '5\.6\.[01]'
        ```
      remediation: |
        Update to the latest version of xz and xz-utils or xz-libs.
    refs:
      - url: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
        title: CVE-2024-3094 Detail
    variants:
      - uid: mondoo-xz-vulnerability-policy-libs-alpine
      - uid: mondoo-xz-vulnerability-policy-libs-fedora
      - uid: mondoo-xz-vulnerability-policy-libs-debian
      - uid: mondoo-xz-vulnerability-policy-libs-kali
      - uid: mondoo-xz-vulnerability-policy-libs-opensuse
      - uid: mondoo-xz-vulnerability-policy-libs-archlinux
  - uid: mondoo-xz-vulnerability-policy-libs-alpine
    filters: asset.platform == 'alpine'
    mql: |
      packages.where(name == /xz/).all(version != /5.6.1-r0/)
      packages.where(name == /xz/).all(version != /5.6.1-r1/)
  - uid: mondoo-xz-vulnerability-policy-libs-fedora
    filters: |
      asset.platform == 'fedora'
      asset.version == '40' || asset.version == '41'
    mql: |
      packages.where(name == /xz/).all(version != /5.6.0/)
      packages.where(name == /xz/).all(version != /5.6.1/)
  - uid: mondoo-xz-vulnerability-policy-libs-debian
    filters: |
      asset.platform == 'debian'
      asset.version == 'trixie/sid'
    mql: |
      packages.where(name == /xz/).all(version < '5.6.1' || version == /really5.4.5/)
  - uid: mondoo-xz-vulnerability-policy-libs-kali
    filters: |
      asset.platform == 'kali'
      asset.version == '2024.1'
    mql: |
      packages.where(name == /xz/).all(version != /5.6.0/)
      packages.where(name == /xz/).all(version != /5.6.1/)
  - uid: mondoo-xz-vulnerability-policy-libs-opensuse
    filters: |
      asset.platform == 'opensuse-tumbleweed'
    mql: |
      packages.where(name == /xz/).all(version < '5.6.1' || version == /revertto5.4-2/)
  - uid: mondoo-xz-vulnerability-policy-libs-archlinux
    filters: |
      asset.platform == 'arch'
    mql: |
      packages.where(name == /xz/).all(version > '5.6.1-2')
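The per-distribution MQL variants above encode slightly different predicates (regex exclusion on Alpine, Fedora and Kali; a version comparison with a regex escape hatch for the Debian `+really5.4.5` and openSUSE `revertto5.4` downgrade rebuilds; a strict `> 5.6.1-2` on Arch). The following is an added example, not code from the Mondoo policy or from cnspec: it mirrors those predicates in Python over constructed package inventories so the edge cases can be exercised offline. The `version_key` ordering is an assumption standing in for cnspec's own version comparison, and all host inventories are constructed, not real.

```python
"""Evaluate the xz policy's per-distribution rules offline.

Added example, not part of the Mondoo policy. It mirrors the predicates of
the MQL variants above against constructed package inventories, so the edge
cases (Debian's '+really5.4.5' and openSUSE's 'revertto5.4' rebuilds, Arch's
'-2' release) can be checked without a cnspec run.
"""
from __future__ import annotations

import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed inventories: (package name, version) per platform. Not real hosts.
SAMPLE_HOSTS: Dict[str, List[Tuple[str, str]]] = {
    "alpine": [("xz", "5.6.1-r0"), ("xz-libs", "5.6.1-r2"), ("musl", "1.2.4-r2")],
    "fedora": [("xz", "5.4.6-3.fc40"), ("xz-libs", "5.4.6-3.fc40")],
    "debian": [("xz-utils", "5.6.1+really5.4.5-1"), ("liblzma5", "5.6.1+really5.4.5-1")],
    "kali": [("xz-utils", "5.6.0-0.2")],
    "opensuse-tumbleweed": [("xz", "5.6.1.revertto5.4-2.1")],
    "arch": [("xz", "5.6.1-1")],
}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split a package version into (upstream numeric tuple, release number).

    Assumption: this simplified ordering stands in for cnspec's version
    comparison in 'version < ...' / 'version > ...'. It is deliberately naive
    so the Debian and openSUSE cases show why the policy adds a regex
    alternative: '5.6.1+really5.4.5-1' sorts as 5.6.1 release 1, not as 5.4.5.
    """
    upstream = re.match(r"\d+(?:\.\d+)*", version)
    release = re.search(r"-r?(\d+)", version)
    nums = tuple(int(p) for p in upstream.group(0).split(".")) if upstream else ()
    return nums, int(release.group(1)) if release else 0


# One predicate per policy variant; True means the package passes the check.
RULES: Dict[str, Callable[[str], bool]] = {
    # version != /5.6.1-r0/ and version != /5.6.1-r1/
    "alpine": lambda v: not re.search(r"5\.6\.1-r[01]", v),
    # version != /5.6.0/ and version != /5.6.1/ (fedora 40/41 and kali 2024.1)
    "fedora": lambda v: not re.search(r"5\.6\.[01]", v),
    "kali": lambda v: not re.search(r"5\.6\.[01]", v),
    # version < '5.6.1' || version == /really5.4.5/ (debian trixie/sid)
    "debian": lambda v: version_key(v) < ((5, 6, 1), 0) or "really5.4.5" in v,
    # version < '5.6.1' || version == /revertto5.4-2/ (opensuse tumbleweed)
    "opensuse-tumbleweed": lambda v: version_key(v) < ((5, 6, 1), 0) or "revertto5.4-2" in v,
    # version > '5.6.1-2' (arch)
    "arch": lambda v: version_key(v) > ((5, 6, 1), 2),
}


def compliant(platform: str, name: str, version: str) -> bool:
    """Apply the platform's rule to one package.

    Packages whose name does not contain 'xz' are outside the policy's
    packages.where(name == /xz/) selection and therefore pass, as does any
    platform the policy has no variant for.
    """
    if not re.search(r"xz", name):
        return True
    rule = RULES.get(platform)
    return True if rule is None else rule(version)


def findings(platform: str, packages: Iterable[Tuple[str, str]]) -> List[str]:
    """Return 'name version' for every package that fails the check."""
    return [f"{n} {v}" for n, v in packages if not compliant(platform, n, v)]


if __name__ == "__main__":
    for platform, packages in SAMPLE_HOSTS.items():
        hits = findings(platform, packages)
        print(f"{platform:20s} {'FAIL ' + ', '.join(hits) if hits else 'PASS'}")
```

Running the block flags the Alpine `5.6.1-r0`, Kali `5.6.0-0.2` and Arch `5.6.1-1` entries and passes the Debian and openSUSE downgrade rebuilds, which only pass because of the regex alternative in their `mql`. Note that the name selector `name == /xz/` is what scopes every variant: a package such as Debian's `liblzma5` does not match it, so the sample inventory's `liblzma5` entry is never evaluated, exactly as in the policy.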