How to detect xz-lib CVE-2024-3094 with Splunk® Enterprise

jkat54
SplunkTrust

How to detect CVE-2024-3094 with Splunk?


jkat54
SplunkTrust

Step 1: Prerequisites

a. Splunk® Universal Forwarder w/ Splunk_TA_nix installed
b. "package.sh" should be enabled, similar to the example below

Note that the UF needs to be restarted to enable the input if it was previously started without the input.

Step 2: Deploy the updated inputs / app

If you need to deploy the app out, you'll only need to deploy it to Linux hosts. Do make sure you enable splunkd restart on your app deployment.

Step 3: Detect the CVE

Now allow time for the data to arrive at your indexing tier, and you should be able to run this search as a detection:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")

Note: You may need to add index=os or index=Your_Linux_TA_Data_Index_here, but by default the data will be in index=main

You'll probably want to take the search a few steps further. The first thing that comes to mind is adding "| stats latest(_time) as latest_time by host". When you manipulate _time like that, you'll notice it converts to epoch, so you'll probably want to convert it back to a human-readable format with "| convert ctime(latest_time)". The full search might look something like this:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")
| stats latest(_time) as latest_time by host
| convert ctime(latest_time)

If anyone else has anything to add, please reply or add your answer.


falco
Engager

Shouldn't we be looking for xz-utils rather than xz-libs?

Like this:
source=package sourcetype=package NAME=xz-utils

jkat54
SplunkTrust

It may depend on the OS version. In mine, when I did dpkg -l | grep xz, that's the only one I see. I thought about xz*. That might be a better play here.

Is lib different from util, or just different names per OS?

Thanks for the feedback!
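The searches in the accepted answer and the xz-libs/xz-utils naming point raised in the replies, as an added example that is not part of the original thread or of Splunk_TA_nix: a short Python script that runs the same detection logic over constructed package.sh-style events (host, _time, NAME, VERSION, the fields the search relies on), so the logic can be tried without a Splunk instance. The package names xz and liblzma5, the sample host names and version strings, the Debian "+really" downgrade handling, and rendering times in UTC are this example's own assumptions, not anything the thread states.

```python
# Added example (not from the original post or from Splunk_TA_nix): the thread's
# detection logic run over constructed package.sh-style events, without Splunk.
# Assumptions: events carry host, _time (epoch), NAME and VERSION, as the search
# in the answer relies on; the package names xz and liblzma5, the sample hosts
# and version strings are this example's own, and times are rendered in UTC.
import re
from datetime import datetime, timezone

# Constructed sample events (not real package.sh output). build02 is a
# Debian-style host that was later moved to a "+really" downgrade package.
SAMPLE_EVENTS = [
    {"_time": 1711900000, "host": "web01",   "NAME": "xz-libs",  "VERSION": "5.6.1"},
    {"_time": 1711903600, "host": "web01",   "NAME": "xz",       "VERSION": "5.6.1"},
    {"_time": 1711900000, "host": "build02", "NAME": "xz-utils", "VERSION": "5.6.1-1"},
    {"_time": 1711900000, "host": "build02", "NAME": "liblzma5", "VERSION": "5.6.1-1"},
    {"_time": 1711990000, "host": "build02", "NAME": "xz-utils", "VERSION": "5.6.1+really5.4.5-1"},
    {"_time": 1711990000, "host": "build02", "NAME": "liblzma5", "VERSION": "5.6.1+really5.4.5-1"},
    {"_time": 1711900000, "host": "db03",    "NAME": "xz-libs",  "VERSION": "5.4.6"},
]

# Versions named in the thread's search; the package set follows the "xz*"
# idea from the replies plus liblzma5 (assumed Debian/Ubuntu library package name).
VULN_UPSTREAM = {"5.6.0", "5.6.1"}
XZ_PACKAGES = re.compile(r"^(xz|xz-libs|xz-utils|liblzma5)$")


def upstream_version(version):
    """Reduce a distro version string to the upstream xz version.

    '5.6.1'               -> '5.6.1'
    '5.6.1-1'             -> '5.6.1'  (Debian revision stripped)
    '5.6.1+really5.4.5-1' -> '5.4.5'  (Debian '+really' downgrade: the real
                                       upstream version follows 'really')
    """
    m = re.search(r"\+really(\d+(?:\.\d+)*)", version)
    if m:
        return m.group(1)
    return re.split(r"[-+~]", version, maxsplit=1)[0]


def is_vulnerable(event):
    """True when NAME is an xz package and VERSION is a backdoored release."""
    return (XZ_PACKAGES.match(event.get("NAME", "")) is not None
            and upstream_version(event.get("VERSION", "")) in VULN_UPSTREAM)


def last_seen_vulnerable(events):
    """Equivalent of the thread's '| stats latest(_time) as latest_time by host':
    the newest event per host that matched the vulnerable filter."""
    latest = {}
    for ev in events:
        if is_vulnerable(ev):
            latest[ev["host"]] = max(latest.get(ev["host"], 0), ev["_time"])
    return latest


def still_vulnerable(events):
    """Tighter variant: package.sh reports every installed package on each run,
    so only the newest event per (host, NAME) reflects the host's current state.
    A host that has since upgraded or downgraded drops out of this result but
    not out of last_seen_vulnerable()."""
    newest = {}
    for ev in events:
        key = (ev["host"], ev["NAME"])
        if key not in newest or ev["_time"] > newest[key]["_time"]:
            newest[key] = ev
    result = {}
    for (host, _name), ev in newest.items():
        if is_vulnerable(ev):
            result[host] = max(result.get(host, 0), ev["_time"])
    return result


def ctime(epoch):
    """Equivalent of '| convert ctime(latest_time)' using Splunk's default
    ctime format (%m/%d/%Y %H:%M:%S); rendered in UTC here, whereas Splunk
    would use the searching user's timezone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    for label, fn in (("ever seen vulnerable", last_seen_vulnerable),
                      ("still vulnerable", still_vulnerable)):
        print(label)
        for host, t in sorted(fn(SAMPLE_EVENTS).items()):
            print(f"  {host:<10} {ctime(t)}")
```

Two details worth carrying back into the SPL: an exact VERSION IN ("5.6.0","5.6.1") match misses Debian-style strings such as 5.6.1-1, so a prefix or regex match on VERSION is safer; and latest(_time) over the vulnerable events reports when a host was last seen vulnerable, not whether it still is, which is what the per-host, per-package latest-event comparison in still_vulnerable() answers.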
