Discover your exposure to the XZ Utilities backdoor in 10 seconds or less

Tim Miller
Monday, May 6th, 2024
An example query for specific versions of the XZ software package.

When high profile security events happen, it is essential for you and your team to have the information you require right at your fingertips. Using Panoptica’s powerful graph database and easy to use query engine, you are easily able to discover all the assets in all your cloud environments that could have compromised software installed.

Let’s dig into the latest security incident that was reported, detail how it all unfolded, and dive into how specifically Panoptica can help you better secure your environment from this discovered vulnerability.

What happened?

On 28 March 2024, a Microsoft researcher discovered a sophisticated back door inserted into the xz compression utilities. It enabled remote code execution (RCE) and initially targeted the SSH service. Fortunately, the back door was discovered before the vulnerable versions were widely adopted. Panoptica’s research team wrote about the technical details of the exploit, where you can learn more about the specifics.

We aren’t going to focus on the many interesting aspects of the circumstances leading up to the discovery - from the technical sophistication, to the potential social engineering that took place that exploited the struggles of the open source community, to the long-term planning of the attack (several years) - as those can be found elsewhere (see links below). Instead, we will focus on what happened in practical terms and how you can better secure your environment moving forward.

What does it all mean?

This incident is a powerful reminder of the dependence of all we do with cloud and cloud native applications on open source software. Open source software is absolutely NOT a bad thing as a great many innovations and advances have come out of that community. However, this security incident reminds us that the security of our cloud environments and applications doesn't stop at the code that we write.

We must have complete visibility into all the third-party libraries and utilities that we consume, understand what vulnerabilities exist in that software, and be ready at any moment to assess the risk to our environment from our use of them.

Second, this incident highlights three impactful qualities of these software projects - how important they can be, how fragile they can be, and how fast they can respond. Two of those three qualities are famously (and humorously) represented by the XKCD comic entitled Dependency. The third quality - speed - shows just how responsive the community can be to serious threats. And it’s a quality you must have as well to ensure your applications and cloud environments do not suffer a breach.

How can Panoptica help you?

Visibility, visibility, visibility. It is one of the three important aspects of cloud application security, with priority and remediation being the other two. When a zero-day or other high-profile security event arises in the industry, your first task after learning about it is to understand the impact on your environment, and that requires visibility. For this issue, you must understand all the workloads (containers, virtual machines, and serverless functions) which may be affected.

In a proper DevSecOps environment, your workload visibility begins by shifting security to the left with artifact scanning in the CI/CD pipeline where we leverage software composition analysis (SCA) to generate a software bill of materials (SBOM) that contains a comprehensive inventory of all third-party dependencies that have been discovered. In Panoptica, with Code Security, you can scan your artifacts with our Panoptica CLI for this visibility.


Depending on your environment, some of your workloads may not have originated in your CI/CD pipeline so it is critical to also have a runtime scanning aspect to your security solution. In runtime, Panoptica can scan your containers and serverless functions on-demand when they are deployed and updated. For virtual machines, we regularly perform “side scanning”, a technique that takes a snapshot of the VM and scans it offline. The output of both types of scans is the same as the pipeline - an SBOM stored in the graph database.

In normal security operations, these SBOMs are then analyzed to generate a list of CVEs present in those artifacts for use in risk assessments. However, with zero-day and high-profile events, the upstream CVE databases can be delayed in propagating their signatures, which leaves security solutions temporarily blind to the risk.

Panoptica helps mitigate this delay by providing powerful search capabilities to be able to search the entire graph database quickly and easily. The generally available core search engine is available as part of the inventory menu. Simple, obvious searches like:

will provide a list of all assets containing the ‘xz’ package with base version '5.6.0'. Or, to identify an exact match, you could search for version 5.6.1-1 via:

Of course, you can combine these searches to look for multiple versions as well:

An example of a combined search, looking for safe versions of 5.2.2 or 5.2.5
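The same base-version and exact-match lookups can be run directly over exported SBOMs when a CVE feed has not caught up yet. This is an added example, not Panoptica's code or query syntax; it assumes CycloneDX-style JSON components, and the asset names, the package-name list and the inventory are constructed for illustration.

```python
import re

BACKDOORED = {"5.6.0", "5.6.1"}  # upstream xz releases affected by CVE-2024-3094
# Assumption: names under which distros ship xz and its liblzma library.
XZ_NAMES = {"xz", "xz-utils", "xz-libs", "liblzma", "liblzma5"}

def base_version(version):
    """Reduce a distro version string to the upstream x.y.z release."""
    v = version.split(":", 1)[-1]        # drop an epoch prefix such as "1:"
    if "+really" in v:                   # Debian rollback: real version follows
        v = v.split("+really", 1)[1]
    m = re.match(r"\d+(?:\.\d+)*", v)    # stop at "-1", ".fc40", "ubuntu1", ...
    return m.group(0) if m else ""

def walk(components):
    """Yield every component, including ones nested inside another component."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def find_xz(sbom, exact=None):
    """Return (name, version) hits: exact string match, or backdoored base version."""
    hits = []
    for comp in walk(sbom.get("components")):
        name, ver = comp.get("name", "").lower(), comp.get("version", "")
        if name not in XZ_NAMES:
            continue
        if (ver == exact) if exact else (base_version(ver) in BACKDOORED):
            hits.append((name, ver))
    return hits

def exposed_assets(inventory, exact=None):
    """Map asset id -> hits, keeping only assets with at least one hit."""
    found = {asset: find_xz(sbom, exact) for asset, sbom in inventory.items()}
    return {asset: hits for asset, hits in found.items() if hits}

# Constructed sample inventory: asset id -> CycloneDX-style SBOM (not real data).
INVENTORY = {
    "vm-build-01": {"components": [
        {"name": "xz-utils", "version": "5.6.1-1"},
        {"name": "openssh-server", "version": "1:9.7p1-2"}]},
    "vm-web-02": {"components": [
        {"name": "liblzma5", "version": "5.6.1+really5.4.5-1"}]},
    "ctr-api-03": {"components": [
        {"name": "base-image", "version": "1", "components": [
            {"name": "xz-libs", "version": "5.6.0-1.fc40"}]}]},
    "fn-thumb-04": {"components": [{"name": "xz", "version": "5.2.5"}]},
}

if __name__ == "__main__":
    for asset, hits in exposed_assets(INVENTORY).items():
        print(asset, hits)
```

A plain prefix match on "5.6.1" would flag `vm-web-02`, whose package is a rollback build carrying 5.4.5; reducing each string to its upstream release first avoids that false positive.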

Discover your graph inventory

For a richer and more dynamic search capability, Panoptica now has available a new Security Graph Query feature (currently only available to our early adopters). Rather than relying on powerful, but prescribed, search attributes and parameters, the Security Graph Query dynamically adapts the query interface to allow searching for all information that is stored in the graph. As new models (inventory assets, security risk findings, etc.) are added to the graph to support Panoptica’s expanding capabilities, they are immediately available for query within the Security Graph Query.

In the context of this high-profile event, that means finding all xz packages of a specific version. For safety reasons, we’ll search for previous versions of xz below, specifically either 5.2.2 or 5.2.5:

Here, we’ve returned 2 Azure VMs and 3 AWS VMs that have the specified package version combinations. We can see the specific SBOM details within one of the example VMs:

Is there anything else?

Absolutely! This post is focused solely on the immediate pain point of this week: CVE-2024-3094. As a cloud native application protection platform (CNAPP), Panoptica has a breadth of capabilities beyond SBOMs and graph searches.

Attack Path Analysis

We’d be happy to have a conversation with you about how Panoptica can meet your cloud native application security needs today and where you’d like to see the solution grow.

Contact us for a deep dive into our comprehensive cloud security solution to see how we can help you better secure your cloud at scale.

Additional references
