osquery detection for CVE-2024-3094 (#1181)

* osquery detection for CVE-2024-3094 * add to pack * linter fixes * reference default packs instead of custom query
panther-labs · Apr 2, 2024 · 4c69282 · 4c69282
1 parent 12180de
commit 4c69282
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 0 deletions.
diff --git a/packs/osquery.yml b/packs/osquery.yml
@@ -4,6 +4,7 @@ Description: Group of all OSQuery detections
 PackDefinition:
   IDs:
     - Osquery.Linux.AWSCommandExecuted
+    - Osquery.Linux.Mac.VulnerableXZliblzma
     - Osquery.Mac.ApplicationFirewallSettings
     - Osquery.Mac.AutoUpdateEnabled
     - Osquery.Mac.OSXAttacks

diff --git a/rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.py b/rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.py
@@ -0,0 +1,26 @@
+QUERY_NAMES = {
+    "pack_vuln-management_homebrew_packages",
+    "pack_vuln-management_deb_packages",
+    "pack_vuln-management_rpm_packages",
+}
+VULNERABLE_PACKAGES = {"xz", "liblzma", "xz-libs", "xz-utils"}
+VULNERABLE_VERSIONS = {"5.6.0", "5.6.1"}
+
+
+def rule(event):
+    package = event.deep_get("columns", "name", default="")
+    version = event.deep_get("columns", "version", default="")
+    return all(
+        [
+            event.get("name") in QUERY_NAMES,
+            (package in VULNERABLE_PACKAGES or package.startswith("liblzma")),
+            any(version.startswith(v) for v in VULNERABLE_VERSIONS),
+        ]
+    )
+
+
+def title(event):
+    host = event.get("hostIdentifier")
+    name = event.deep_get("columns", "name", default="")
+    version = event.deep_get("columns", "version", default="")
+    return f"[CVE-2024-3094] {name} {version} Potentially vulnerable on {host}"
diff --git a/rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.yml b/rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.yml
@@ -0,0 +1,73 @@
+AnalysisType: rule
+Filename: osquery_linux_mac_vulnerable_xz_liblzma.py
+RuleID: "Osquery.Linux.Mac.VulnerableXZliblzma"
+DisplayName: "A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094"
+Enabled: true
+LogTypes:
+  - Osquery.Differential
+Tags:
+  - Osquery
+  - MacOS
+  - Linux
+  - Emerging Threats
+  - Supply Chain Compromise
+Reports:
+  MITRE ATT&CK:
+    - TA0001:T1195.001
+Severity: High
+Description: >
+  Detects vulnerable versions of XZ and liblzma on Linux and MacOS using Osquery logs.
+  Versions 5.6.0 and 5.6.1 of xz and liblzma are most likely vulnerable to backdoor exploit.
+  Vuln management pack must be enabled: https://github.com/osquery/osquery/blob/master/packs/vuln-management.conf
+Runbook: Upgrade/downgrade xz and liblzma to non-vulnerable versions
+Reference: https://gist.github.com/jamesspi/ee8319f55d49b4f44345c626f80c430f
+SummaryAttributes:
+  - name
+  - hostIdentifier
+  - action
+Tests:
+  -
+    Name: Vulnerable liblzma
+    ExpectedResult: true
+    Log:
+      {
+        "name": "pack_vuln-management_rpm_packages",
+        "action": "added",
+        "hostIdentifier": "test-host",
+        "columns": {
+          "source": "test-host",
+          "name": "liblzma.so",
+          "version": "5.6.1.000",
+          "status": "Potentially vulnerable"
+        }
+      }
+  -
+    Name: Vulnerable xz
+    ExpectedResult: true
+    Log:
+      {
+        "name": "pack_vuln-management_deb_packages",
+        "action": "added",
+        "hostIdentifier": "test-host",
+        "columns": {
+          "source": "test-host",
+          "name": "xz",
+          "version": "5.6.0.000",
+          "status": "Potentially vulnerable"
+        }
+      }
+  -
+    Name: Not vulnerable
+    ExpectedResult: false
+    Log:
+      {
+        "name": "pack_vuln-management_rpm_packages",
+        "action": "added",
+        "hostIdentifier": "test-host",
+        "columns": {
+          "source": "test-host",
+          "name": "liblzma.so",
+          "version": "5.4.6.000",
+          "status": "Most likely not vulnerable"
+        }
+      }