fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Article: Discovering xz vulnerability with Fleet [May 30] #18451

Closed spokanemac closed 5 months ago

spokanemac commented 6 months ago

Article

Proposed article title

Blog Post Summary

Goal

User story
As a Fleet Admin,
I want to automate the remediation of the XZ vulnerability using Fleet
so that I can improve my organization's security posture.

For help creating a user story, see "Writing a good user story" in the website handbook.

Technical Details

- **Blog Post Type**
  - [ ] How-To Guide
  - [ ] Case Study
  - [ ] Interview
  - [ ] Opinion Piece
  - [ ] Research/Insight
  - [ ] Product Update
  - [ ] Other (please specify)
- **Target Audience**
  - [ ] IT Administrators
  - [ ] Security Analysts
  - [ ] Developers
  - [ ] General Audience
- **Targeting Details**
  - [ ] Target Length:
  - [ ] Release Date:
  - [ ] Draft Due Date:
  - [ ] SEO Keywords:
  - [ ] SEO Title:
  - [ ] SEO Description:
- **TODO**
  - [ ] Author: ( )
  - [ ] Proofread for readability/tone: ( )
  - [ ] Technical Reviewer: ( )
  - [ ] Final Art from Design: ( )
  - [ ] Final Approver: ( )
  - [ ] Merge PR / Publish on website
  - [ ] Field Marketing (@drewbakerfdm): Post on social media
  - [ ]

Prerequisites


Key Points

References/Resources

Additional Notes

Working Document

[Published Link]()

lukeheath commented 5 months ago

@nonpunctual It looks like this article is pretty much ready to publish, but we need the queries you used. Would you please provide those ASAP? I think there's a time window since folks are moving on from this topic, so we'll need to publish soon.

nonpunctual commented 5 months ago

@lukeheath @spokanemac I guess I've been unsure whether or not this workflow is a good demo for the product.

REMEDIATION SCRIPT:

#!/bin/sh

# binary name to check
applstr='brew'

# get current logged in user (Fleet runs the script as root; Homebrew is installed per user)
crntusr="$(/usr/bin/stat -f %Su /dev/console)"

# Check if brew is installed, exit with instruction if not.
# Redirect order matters: send stdout to /dev/null first, then stderr to the same place.
if ! /usr/bin/sudo -i -u "$crntusr" /usr/bin/which "$applstr" > /dev/null 2>&1
then
    printf "Homebrew may not be installed.\nPlease install Homebrew to use this remediation.\nFor instructions, see https://brew.sh/\n"; exit 1
fi

# collect xz version (empty when xz is not on the user's PATH; silence the "not found" error)
xz_vers="$(/usr/bin/sudo -i -u "$crntusr" xz --version 2>/dev/null)"

# remediate via Homebrew
if [ -z "$xz_vers" ]
then
    printf "xz not installed via Homebrew.\nHost may not be vulnerable.\nExiting...\n"; exit 0
elif echo "$xz_vers" | /usr/bin/grep -qE '5\.6\.0|5\.6\.1'
then
    printf "Executing Homebrew upgrade to roll xz back to known good version...\n"
    /usr/bin/sudo -i -u "$crntusr" brew upgrade xz; /usr/bin/sudo -i -u "$crntusr" brew cleanup xz --prune=0
else
    printf "xz version ok.\n"
fi

QUERY THAT SATISFIES FLEET POLICY:

maybe?

SCRIPT SCREENSHOT:

[Screenshot 2024-05-14 at 3:12:24 PM]

Tines Story URL: https://rough-silence-1075.tines.com/stories/55098 Tines screenshot:

[Screenshot 2024-05-14 at 3:16:18 PM]

lukeheath commented 5 months ago

@nonpunctual Thanks! This is an excellent example for a specific use case: remediating xz installed with Homebrew. We should call out that the xz vuln can hide in many different places, and maybe provide queries for those, but only provide the remediation script for Homebrew.

@spokanemac Up to you if you want to include additional queries to hunt for xz. I generated some examples but haven't tried any of these:

To search for the presence and usage of the xz utility on your fleet of computers and servers using osquery, you can run several queries to get a comprehensive view. Here are some useful queries:

Check Installed Packages

This query checks if xz is installed on the system.

-- Every branch of a UNION ALL must return the same number of columns; programs has no
-- source column, so it is padded with NULL. On Debian/Ubuntu the package is named xz-utils.
SELECT name, version, source FROM rpm_packages WHERE name = 'xz'
UNION ALL
SELECT name, version, source FROM deb_packages WHERE name IN ('xz', 'xz-utils')
UNION ALL
SELECT name, version, NULL AS source FROM programs WHERE name = 'xz';

Locate Binary Files

This query finds the location of the xz binary.

-- In osquery's file table, % matches one path level and %% recurses; an unanchored
-- pattern like this walks the whole filesystem and is expensive on the host.
SELECT path FROM file WHERE path LIKE '%/xz';

Check for Running Processes

This query checks if the xz process is currently running.

SELECT pid, name, path, cmdline FROM processes WHERE name = 'xz';

Check for Usage in Logs

This query searches for references to xz in system logs.

-- The syslog table is only populated when osquery's syslog ingestion is configured.
SELECT * FROM syslog WHERE message LIKE '%xz%';

Check for Binary Presence in Common Paths

This query checks common system paths for the presence of the xz binary.

SELECT path FROM file WHERE path IN ('/bin/xz', '/usr/bin/xz', '/usr/local/bin/xz', '/sbin/xz', '/usr/sbin/xz', '/usr/local/sbin/xz');

File Integrity Monitoring (FIM)

This query monitors changes to the xz binary.

-- file_events is only populated when FIM is enabled and a file_paths category covers the xz binary.
SELECT * FROM file_events WHERE target_path LIKE '%/xz';

Check for Installed Libraries

This query checks for libraries related to xz.

-- SELECT * cannot be combined with UNION ALL across tables with different column sets;
-- select the shared columns explicitly. The library package is named liblzma on both
-- families (xz-libs / liblzma5), so match on lzma as well as xz.
SELECT name, version, 'rpm_packages' AS pkg_table FROM rpm_packages WHERE name LIKE '%xz%' OR name LIKE '%lzma%'
UNION ALL
SELECT name, version, 'deb_packages' AS pkg_table FROM deb_packages WHERE name LIKE '%xz%' OR name LIKE '%lzma%'
UNION ALL
SELECT name, version, 'programs' AS pkg_table FROM programs WHERE name LIKE '%xz%' OR name LIKE '%lzma%';

nonpunctual commented 5 months ago

@spokanemac @lukeheath I took a giant whack at revising this article from top to bottom:

https://docs.google.com/document/d/1CDMxLqTiTwmqDEUsRqEbR5iQ48-_PLksUmCCN4ZwA9s/edit

lukeheath commented 5 months ago

@nonpunctual Just make sure those queries are correct, I generated them and didn't run them.

nonpunctual commented 5 months ago

@lukeheath @spokanemac I checked them. I removed the one that searches the entire fs. I don't think that's safe. All the others are limited in scope & I added notes to say that wildcards may impact Host performance.

nonpunctual commented 5 months ago

@ksatter please read the article at the goog docs link above & approve. Thank you!!!

spokanemac commented 5 months ago

@nonpunctual @ksatter Checking in on this. I have it slated to publish on Thursday.

nonpunctual commented 5 months ago

@spokanemac I think it's ready to go. Also went through it with @zayhanlon & she approved the content & the idea. @ksatter would appreciate 1 more look from you after our knock-down, drag-out session from earlier. :) Thanks.

spokanemac commented 5 months ago

Published: https://fleetdm.com/guides/discovering-xz-vulnerability-with-fleet

@Drew-P-drawers FYI

fleet-release commented 5 months ago

Admins with Fleet's aid, Quell XZ's threat, security made, A fortress upgraded.