Edge SWG (formerly ProxySG), Content Analysis, Reporter, Management Center and Web Isolation vulnerability status in respect to CVE-2024-3094 (xz backdoor vulnerability)
Article ID: 282074

Products

      • ISG Proxy
      • ProxySG Software - SGOS
      • Content Analysis Software
      • ISG Content Analysis
      • Management Center
      • Management Center - VA
      • Reporter
      • Reporter-S500
      • Reporter-VA
      • Web Isolation Cloud

Issue/Introduction

Proxy administrators would like to determine if Edge SWG (formerly ProxySG), Content Analysis, Reporter, Management Center and Web Isolation devices are vulnerable to CVE-2024-3094 (xz backdoor vulnerability).

Cause

Vulnerability Details

CVE ID Number: CVE-2024-3094
Component: RedHat
Date Published: March 29th, 2024
Description: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Vector Assessment: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score: 10.0 (Critical)


Advisory Link(s)

Resolution

Edge SWG (formerly ProxySG), Content Analysis, Reporter, Management Center and Web Isolation devices are not vulnerable to CVE-2024-3094.

Additional Information

Per RedHat feedback:

"The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is only included in the tarball download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. Without the merge into the build, the 2nd-stage file is innocuous. In the finder’s demonstration, it was found that it interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma."

With respect to the Proxy Family network protection appliances:

SGOS

      • ISG/Edge SWG (formerly ProxySG) use neither the xz tarball nor the liblzma library.

CAS (Content Analysis)

      • CAS/MAA use a version of xz earlier than 5.6.0.

Management Center / Reporter

      • MC/Reporter do not use the compromised library.

Web Isolation

      • Web Isolation does not use the compromised library.
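The two conditions the advisory turns on (a liblzma at 5.6.0 or 5.6.1, and sshd reaching liblzma through systemd) can be checked on a general-purpose host with the script below. It is an added example, not Broadcom's code or any product's own tooling; it assumes the output formats of `xz --version` and `ldd`, and the sample outputs embedded in it are constructed.

```python
"""Host check for CVE-2024-3094 exposure: is the installed liblzma one of the
backdoored releases (5.6.0 / 5.6.1), and does sshd (or systemd, which sshd
talks to) link liblzma? Example code, not Broadcom's. On a real host, feed in
the output of `xz --version` and `ldd <binary>`; the samples below are constructed."""
import re
from typing import Optional, Tuple

AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}  # releases carrying the injected code

def parse_liblzma_version(xz_version_output: str) -> Optional[Tuple[int, int, int]]:
    """Pull the liblzma version from `xz --version` output, which prints the
    tool version on one line and the library version on the next; the library
    line is the one that matters for this CVE. Returns None if absent."""
    match = re.search(r"^liblzma\s+(\d+)\.(\d+)\.(\d+)", xz_version_output, re.M)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())

def is_affected(version) -> bool:
    return version in AFFECTED_VERSIONS

def links_liblzma(ldd_output: str) -> bool:
    """True if any line of `ldd` output resolves liblzma.so (directly or via
    another library such as libsystemd, since ldd lists transitive deps)."""
    return any("liblzma.so" in line for line in ldd_output.splitlines())

def assess(xz_version_output: str, ldd_outputs: dict) -> dict:
    version = parse_liblzma_version(xz_version_output)
    affected = is_affected(version)
    linked = {name: links_liblzma(out) for name, out in ldd_outputs.items()}
    return {
        "liblzma_version": version,
        "affected_version": affected,
        "links_liblzma": linked,
        # backdoored library AND a path from sshd/systemd into it
        "exposed": affected and any(linked.values()),
    }

# Constructed sample: a host running the backdoored 5.6.1 whose sshd pulls in
# liblzma through libsystemd (the chain the advisory describes).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = {
    "sshd": "\tlibsystemd.so.0 => /lib/libsystemd.so.0 (0x00007f00)\n"
            "\tliblzma.so.5 => /lib/liblzma.so.5 (0x00007f01)\n",
    "systemd": "\tliblzma.so.5 => /lib/liblzma.so.5 (0x00007f01)\n",
}

if __name__ == "__main__":
    print(assess(SAMPLE_XZ_VERSION, SAMPLE_LDD))
```

A host on a version earlier than 5.6.0, as the advisory states for CAS/MAA, reports `affected_version: False` regardless of what links liblzma.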


Note(s): For product specific vulnerability/CVE status checks, please visit the Security Advisories - Cyber Security Software Portal.