Skip to content

How to find systems impacted by CVE-2024-3094 (XZ Utils backdoor) with runZero

Latest CVE-2024-3094 (XZ Utils backdoor) coverage 

Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.

CVE-2024-3094 is rated critical with CVSS score of 10.0.

An overview of this issue can be found at ArsTechnica.

Russ Cox published a detailed timeline.

What is the impact?

Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.

Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.

Are updates or workarounds available?

This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian “DEB” or Red Hat “RPM” package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.

The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:

Additional information about this issue can be found across the web and in various distribution-specific trackers:

How to find potentially affected systems with runZero

The runZero team is investigating whether a direct check against SSH is possible.

In the meantime, we suggest using this runZero Service Inventory query:

_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")

This query is based on the following logic:

1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.

2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find Fortra FileCatalyst installations with runZero

Fortra has disclosed a vulnerability in their FileCatalyst Workflow product. This vulnerability allows for attackers to write files to arbitrary locations in the filesystem and can lead to arbitrary remote code execution with the privileges of the vulnerable service.

This vulnerability has been assigned CVE-2024-25153 and is considered to be highly critical, with a CVSS score of 9.8.

Note that this vulnerability was reported and fixed in August of 2023, but has only recently been assigned a CVE.

What is the impact?

Successful exploitation of this vulnerability would allow attackers to execute arbitrary code with the privileges of the vulnerable service, potentially leading to complete system compromise.

Are updates or workarounds available?

Fortra has released a fix for this vulnerability and advises all users to upgrade if they have not already done so.

How do I find potentially vulnerable systems with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

html.title:”FileCatalyst”

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find Siemens Devices with runZero

Latest Siemens vulnerabilities 

Siemens has released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities have CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For a full list of vulnerabilities, please consult Siemens ProductCERT.

What is the impact?

Several of these vulnerabilities allow for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities may lead to privilege escalation, information disclosure, or denial of service. Users are urged to upgrade as quickly as possible.

Are updates or workarounds available?

Siemens has released updates via a variety of channels. See Siemens ProductCERT for details.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate Siemens assets that may be vulnerable:

hardware:Siemens OR hardware:RuggedCom

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Celebrating Women’s History Month with Trailblazers & Innovators

It’s Women’s History Month! runZero is celebrating all month long by highlighting innovative women who have been technological trailblazers. We hope you’ll share their incredible achievements and fascinating life stories with your kiddos and colleagues! 

With that in mind, each of the women has a dedicated coloring sheet with a summary of their amazing achievements. We’d love to see the artistic creations that emerge from this experiment, and encourage you to share them on the socials for everyone to admire.

As each of the coloring sheets is revealed over the next few weeks, we’ll be adding them to this very page so that you can easily get the entire collection. We hope you enjoy them and learn something new!

Hedy Lamarr, Iconic Actress & Ingenious Inventor #

We are kicking things off with Hedy Lamarr, an iconic Hollywood actress who also was an ingenious inventor. Hedy’s work helped revolutionize modern communications. Thanks to her contributions, along with many others, we now have WiFi, GPS, and Bluetooth technologies. Learn more about Hedy’s incredible life here

Hedy never publicized her inventions during her lifetime, and we are excited to shine a light on her brilliance, as well as her renowned beauty.

Get the PDF coloring sheet ➔

Bookmark this page and come back soon to see who we celebrate next!

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding Progress OpenEdge Authentication Gateway and AdminServer installations with runZero

Progress Software disclosed an authentication bypass vulnerability in its OpenEdge Authentication Gateway and AdminServer applications. 

This vulnerability, identified as CVE-2024-1403, allows attackers to bypass checks and access the system without authentication. Successful exploitation of this vulnerability would allow attackers to access systems with arbitrary privileges, potentially including administrative privileges.

The vendor indicates that the OpenEdge Authentication Gateway is potentially vulnerable based on configuration, but that the AdminServer product is vulnerable regardless of configuration.

What is the impact?

Successful exploitation of these vulnerabilities would allow attackers to execute arbitrary commands with full privileges on the target system, potentially leading to complete system compromise.

Are updates or workarounds available? #

The vendor has released updates that fix these issues. The vendor recommends that all users upgrade to this version immediately.

How do I find Progress OpenEdge Authentication Gateway and AdminServer installations with runZero?

From the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="Progress Application Home"

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×