{"id":32762,"date":"2024-04-24T09:21:23","date_gmt":"2024-04-24T07:21:23","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=32762"},"modified":"2024-04-24T09:21:26","modified_gmt":"2024-04-24T07:21:26","slug":"detect-xz-utils-cve-2024-3094-with-tetragon","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/","title":{"rendered":"Detect XZ Utils CVE 2024-3094 with Tetragon"},"content":{"rendered":"\n

The recent discovery of the XZ Utils backdoor, classified as CVE 2024-3094, has been now well documented. Detecting it with Tetragon<\/a> from Isovalent (now part of Cisco) has been explained in this blog post<\/a>. I also did some research and experimented with this vulnerability. I wondered how we could leverage Tetragon capabilities to detect it before it was known. There are other vulnerabilities out there, so we need to be prepared for the unknown. For this we have to apply a security strategy called Zero Trust. I wrote another blog post<\/a> on this topic with another example and another tool if you want to have a look. Let’s build an environment on which we can experiment and learn more about it. Follow along!<\/p>\n\n\n\n

\"How<\/figure>\n\n\n\n

Setup an environment for CVE 2024-3094<\/h2>\n\n\n\n

We have learned that this vulnerability needs an x86 architecture to be exploited and that it targets several Linux distribution (source here<\/a>). I’ve used an Ubuntu 22.04 virtual machine in Azure to setup the environment. To exploit this vulnerability, we’re going to use the GitHub resource here<\/a>.<\/p>\n\n\n\n

This vulnerability is related to the library liblzma.so<\/strong> used by the ssh daemon so let’s switch to the root user and install openssh-server along with other packages we will use later:<\/p>\n\n\n

\nazureuser@Ubuntu22:~$ sudo -i\n\nroot@Ubuntu22:~# apt-get update && apt-get install -y golang-go curl openssh-server net-tools python3-pip wget vim git file bsdmainutils jq\n<\/pre><\/div>\n\n\n
Let’s use ssh key authentication (as this is how the vulnerable library can be exploited), start the ssh daemon and see which version of the library it uses:<\/p>\n\n\n
\nroot@Ubuntu22:~# which sshd\n\/usr\/sbin\/sshd\nroot@Ubuntu22:~# sed -E -i 's\/^#?PasswordAuthentication .*\/PasswordAuthentication no\/' \/etc\/ssh\/sshd_config\n\nroot@Ubuntu22:~# service ssh status\n * sshd is not running\nroot@Ubuntu22:~# service ssh start\n * Starting OpenBSD Secure Shell server sshd\nroot@Ubuntu22:~# service ssh status\n * sshd is running\n\nroot@Ubuntu22:~# ldd \/usr\/sbin\/sshd|grep liblzma\n\tliblzma.so.5 => \/lib\/x86_64-linux-gnu\/liblzma.so.5 (0x00007ae3aac37000)\n\nroot@Ubuntu22:~# file \/lib\/x86_64-linux-gnu\/liblzma.so.5\n\/lib\/x86_64-linux-gnu\/liblzma.so.5: symbolic link to liblzma.so.5.2.5\n<\/pre><\/div>\n\n\n
Here it uses version 5.2.5, sometimes it uses version 5.4.5 from the tests I did on other distributions. The vulnerable versions are 5.6.0 and 5.6.1. So by default our machine is not vulnerable. To make it so, we need to upgrade this library to one of these vulnerable versions as shown below:<\/p>\n\n\n
\nroot@Ubuntu22:~# wget https:\/\/snapshot.debian.org\/archive\/debian\/20240328T025657Z\/pool\/main\/x\/xz-utils\/liblzma5_5.6.1-1_amd64.deb\n\nroot@Ubuntu22:~# apt-get install --allow-downgrades --yes .\/liblzma5_5.6.1-1_amd64.deb\n\nroot@Ubuntu22:~# file \/lib\/x86_64-linux-gnu\/liblzma.so.5\n\/lib\/x86_64-linux-gnu\/liblzma.so.5: symbolic link to liblzma.so.5.6.1\n<\/pre><\/div>\n\n\n
We are now using the vulnerable library in version 5.6.1. Next we can use the files and xzbot tool from the GitHub project as shown below:<\/p>\n\n\n
\nroot@Ubuntu22:~# git clone https:\/\/github.com\/amlweems\/xzbot.git\nroot@Ubuntu22:~# cd xzbot\/\n<\/pre><\/div>\n\n\n
To be able to exploit this vulnerability we can’t just use the vulnerable library. In fact the backdoor uses a hardcoded ED448 public key for signature and we don’t have the associated private key. To be able to trigger that backdoor, the author of the tool xzbot replaced them with their own key pair they’ve generated. We then need to replace the vulnerable library with the patched one using these keys as follows:<\/p>\n\n\n
\nroot@Ubuntu22:~# cp .\/assets\/liblzma.so.5.6.1.patch \/lib\/x86_64-linux-gnu\/liblzma.so.5.6.1\n<\/pre><\/div>\n\n\n
Now everything is ready to exploit this vulnerability with the xzbot tool. We just need to compile it with the go package we installed at the beginning:<\/p>\n\n\n
\nroot@Ubuntu22:~# go build\n\nroot@Ubuntu22:~# .\/xzbot -h\nUsage of .\/xzbot:\n  -addr string\n    \tssh server address (default "127.0.0.1:2222")\n  -cmd string\n    \tcommand to run via system() (default "id > \/tmp\/.xz")\n  -seed string\n    \ted448 seed, must match xz backdoor key (default "0")\n<\/pre><\/div>\n\n\n
Detecting the backdoor with Tetragon<\/h2>\n\n\n\n
Let’s see now how we could use Tetragon to detect something by applying a Zero Trust strategy. At this stage we consider we don’t know anything about this vulnerability and we are using Tetragon as a security tool for our environment. Here we don’t use Kubernetes, we just have a Ubuntu 22.04 host but we can still use Tetragon by running it into a docker container.<\/p>\n\n\n\n
We install docker in our machine by following the instructions described here<\/a>:<\/p>\n\n\n
\nroot@Ubuntu22:~# sudo apt-get install ca-certificates curl\nroot@Ubuntu22:~# sudo install -m 0755 -d \/etc\/apt\/keyrings\nroot@Ubuntu22:~# sudo curl -fsSL https:\/\/download.docker.com\/linux\/ubuntu\/gpg -o \/etc\/apt\/keyrings\/docker.asc\nroot@Ubuntu22:~# sudo chmod a+r \/etc\/apt\/keyrings\/docker.asc\n\nroot@Ubuntu22:~# echo \\\n  "deb [arch=$(dpkg --print-architecture) signed-by=\/etc\/apt\/keyrings\/docker.asc] https:\/\/download.docker.com\/linux\/ubuntu \\\n  $(. \/etc\/os-release && echo "$VERSION_CODENAME") stable" | \\\n  sudo tee \/etc\/apt\/sources.list.d\/docker.list > \/dev\/null\nroot@Ubuntu22:~# sudo apt-get update\n\nroot@Ubuntu22:~# sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin\n<\/pre><\/div>\n\n\n
Then we install Tetragon in a docker container by following the instructions here<\/a>:<\/p>\n\n\n
\nroot@Ubuntu22:~# docker run --name tetragon --rm -d \\\n    --pid=host --cgroupns=host --privileged \\\n    -v \/sys\/kernel:\/sys\/kernel \\\n    quay.io\/cilium\/tetragon:v1.0.3 \\\n    \/usr\/bin\/tetragon --export-filename \/var\/log\/tetragon\/tetragon.log\n<\/pre><\/div>\n\n\n
Tetragon – Backdoor detection<\/h3>\n\n\n\n
Now everything is ready and we can trigger the backdoor and see what Tetragon can observe. We open a new shell by using the azureuser. We jump into the Tetragon container and monitor the log file for anything related to ssh as shown below:<\/p>\n\n\n
\nazureuser@Ubuntu22:~$ sudo docker exec -it 76dc8c268caa bash\n76dc8c268caa:\/# tail -f \/var\/log\/tetragon\/tetragon.log | grep ssh\n<\/pre><\/div>\n\n\n
In another shell (the one with the root user), we can start the exploit by using the xzbot tool. We execute the command sleep 60<\/strong> so we can observe in real time what is happening:<\/p>\n\n\n
\nroot@Ubuntu22:~\/xzbot# .\/xzbot -addr 127.0.0.1:22 -cmd "sleep 60"\n<\/pre><\/div>\n\n\n
This is an example of a malicious actor connecting through the backdoor to get a shell on our compromised Ubuntu machine. Below is what we can see in our Tetragon shell (the output has been copied and pasted for being parsed with jq to provide a better reading and we’ve kept only the process execution event):<\/p>\n\n\n
\n{\n  "process_exec": {\n    "process": {\n      "exec_id": "OjIwNjAyNjc1NDE0MTU2OjE1NDY0MA==",\n      "pid": 154640,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "arguments": "-D -R",\n      "flags": "execve rootcwd clone",\n      "start_time": "2024-04-23T12:03:08.447280556Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "tid": 154640\n    },\n    "parent": {\n      "exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "pid": 742,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "flags": "procFS auid rootcwd",\n      "start_time": "2024-04-23T06:19:59.931865800Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjM4MDAwMDAwMDox",\n      "tid": 742\n    }\n  },\n  "time": "2024-04-23T12:03:08.447279856Z"\n}\n...\n{\n  "process_exec": {\n    "process": {\n      "exec_id": "OjIwNjAyOTk4NzY3ODU0OjE1NDY0Mg==",\n      "pid": 154642,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/bin\/sh",\n      "arguments": "-c \\"sleep 60\\"",\n      "flags": "execve rootcwd clone",\n      "start_time": "2024-04-23T12:03:08.770634054Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjIwNjAyNjc1NDE0MTU2OjE1NDY0MA==",\n      "tid": 154642\n    },\n    "parent": {\n      "exec_id": "OjIwNjAyNjc1NDE0MTU2OjE1NDY0MA==",\n      "pid": 154640,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "arguments": "-D -R",\n      "flags": "execve rootcwd clone",\n      "start_time": "2024-04-23T12:03:08.447280556Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "tid": 154640\n    }\n  },\n  "time": "2024-04-23T12:03:08.770633854Z"\n}\n<\/pre><\/div>\n\n\n
Here we have all the interesting information about the process as well as the link to its parent process. With Tetragon Entreprise we could have a graphical view of these linked processes. As we are using the Community Edition, we can use the ps<\/strong> command instead here to get a more graphical view as shown below:<\/p>\n\n\n
\nazureuser@Ubuntu22:~$ ps -ef --forest\nroot         742       1  0 06:19 ?        00:00:00 sshd: \/usr\/sbin\/sshd -D [listener] 1 of 10-100 startups\nroot      154640     742  2 12:03 ?        00:00:00  \\_ sshd: root [priv]\nsshd      154641  154640  0 12:03 ?        00:00:00      \\_ sshd: root [net]\nroot      154642  154640  0 12:03 ?        00:00:00      \\_ sh -c sleep 60\nroot      154643  154642  0 12:03 ?        00:00:00          \\_ sleep 60\n<\/pre><\/div>\n\n\n
The 2 processes highlighted above are those related to the Tetragon output. Let’s now see what Tetragon displays in case of a normal ssh connection.<\/p>\n\n\n\n
Tetragon – Normal ssh connection<\/h3>\n\n\n\n
We first need to setup a pair of keys for the root user (to better compare it with the output above):<\/p>\n\n\n
\nroot@Ubuntu22:~# ssh-keygen\n\nroot@Ubuntu22:~# cat ~\/.ssh\/id_rsa.pub > ~\/.ssh\/authorized_keys\n\nroot@Ubuntu22:~# ssh root@127.0.0.1\nWelcome to Ubuntu 22.04.4 LTS (GNU\/Linux 6.5.0-1017-azure x86_64)\n<\/pre><\/div>\n\n\n
For the key generation we use the default folder with no passphase. We see we can connect with the root user to the localhost by using the generated keys. We can then use the same method as above to launch Tetragon and the ps command to capture this ssh connection. Here is what we can see with Tetragon:<\/p>\n\n\n
\n{\n  "process_exec": {\n    "process": {\n      "exec_id": "OjU1ODY3OTQ0NTI0ODY6NDc1MDE=",\n      "pid": 47501,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "arguments": "-D -R",\n      "flags": "execve rootcwd clone",\n      "start_time": "2024-04-23T07:52:52.566318686Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "tid": 47501\n    },\n    "parent": {\n      "exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "pid": 742,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "flags": "procFS auid rootcwd",\n      "start_time": "2024-04-23T06:19:59.931865800Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjM4MDAwMDAwMDox",\n      "tid": 742\n    }\n  },\n  "time": "2024-04-23T07:52:52.566318386Z"\n}\n\n{\n  "process_exec": {\n    "process": {\n      "exec_id": "OjU1ODgxMzk5MjM5NjA6NDc2MDQ=",\n      "pid": 47604,\n      "uid": 0,\n      "cwd": "\/root",\n      "binary": "\/bin\/bash",\n      "flags": "execve clone",\n      "start_time": "2024-04-23T07:52:53.911790360Z",\n      "auid": 0,\n      "parent_exec_id": "OjU1ODY3OTQ0NTI0ODY6NDc1MDE=",\n      "tid": 47604\n    },\n    "parent": {\n      "exec_id": "OjU1ODY3OTQ0NTI0ODY6NDc1MDE=",\n      "pid": 47501,\n      "uid": 0,\n      "cwd": "\/",\n      "binary": "\/usr\/sbin\/sshd",\n      "arguments": "-D -R",\n      "flags": "execve rootcwd clone",\n      "start_time": "2024-04-23T07:52:52.566318686Z",\n      "auid": 4294967295,\n      "parent_exec_id": "OjE0MTYwMDAwMDAwOjc0Mg==",\n      "tid": 47501\n    }\n  },\n  "time": "2024-04-23T07:52:53.911789660Z"\n}\n<\/pre><\/div>\n\n\n
And the output of the corresponding ps command:<\/p>\n\n\n
\nazureuser@Ubuntu22:~$ ps -ef --forest\nroot         742       1  0 06:19 ?        00:00:00 sshd: \/usr\/sbin\/sshd -D [listener] 0 of 10-100 startups\nroot       45501     742 10 07:49 ?        00:00:00  \\_ sshd: root@pts\/1\nroot       47604   45501  0 07:49 pts\/1    00:00:00      \\_ -bash\n<\/pre><\/div>\n\n\n
You can see there is a difference but it is not easy to spot! In the normal connection it launches a bash<\/strong> under sshd and through the backdoor it is running a command with sh<\/strong> instead.<\/p>\n\n\n\n
Wrap up<\/h2>\n\n\n\n
We have seen how we can leverage Tetragon to observe anything happening on this machine. Even for unknown threats, you get some information but you have to know first how your system is working in very details. You need to have a baseline for each running process on your machine to be able to detect any deviation. That is what we call the Zero Trust strategy and it is the only way to detect such stealthy backdoor.<\/p>\n\n\n\n
It may seem tenuous and it is, however that is how Andres Freund discovered it when he noticed ssh was several milliseconds slower than it should. The famous adage says that the devil is in the detail, this backdoor discovery proves that this is especially true when it comes to security.<\/p>\n","protected":false},"excerpt":{"rendered":"
How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.<\/p>\n","protected":false},"author":109,"featured_media":32798,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1320,1504,149],"tags":[2667,601,2564,3344],"type_dbi":[3017,3016,3289,3345],"class_list":["post-32762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-docker","category-security","tag-devops-2","tag-docker","tag-security-3","tag-tetragon","type-devops","type-docker","type-security","type-tetragon"],"acf":[],"yoast_head":"\nDetect XZ Utils CVE 2024-3094 with Tetragon - dbi Blog<\/title>\n<meta name=\"description\" content=\"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detect XZ Utils CVE 2024-3094 with Tetragon\" \/>\n<meta property=\"og:description\" content=\"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-24T07:21:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-24T07:21:26+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"DevOps\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"DevOps\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\"},\"author\":{\"name\":\"DevOps\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\"},\"headline\":\"Detect XZ Utils CVE 2024-3094 with Tetragon\",\"datePublished\":\"2024-04-24T07:21:23+00:00\",\"dateModified\":\"2024-04-24T07:21:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\"},\"wordCount\":999,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg\",\"keywords\":[\"devops\",\"Docker\",\"Security\",\"tetragon\"],\"articleSection\":[\"DevOps\",\"Docker\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\",\"name\":\"Detect XZ Utils CVE 2024-3094 with Tetragon - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg\",\"datePublished\":\"2024-04-24T07:21:23+00:00\",\"dateModified\":\"2024-04-24T07:21:26+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\"},\"description\":\"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg\",\"width\":1024,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detect XZ Utils CVE 2024-3094 with Tetragon\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\",\"name\":\"DevOps\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"caption\":\"DevOps\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/devops\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Detect XZ Utils CVE 2024-3094 with Tetragon - dbi Blog","description":"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/","og_locale":"en_US","og_type":"article","og_title":"Detect XZ Utils CVE 2024-3094 with Tetragon","og_description":"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.","og_url":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/","og_site_name":"dbi Blog","article_published_time":"2024-04-24T07:21:23+00:00","article_modified_time":"2024-04-24T07:21:26+00:00","og_image":[{"width":1024,"height":1024,"url":"http:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg","type":"image\/jpeg"}],"author":"DevOps","twitter_card":"summary_large_image","twitter_misc":{"Written by":"DevOps","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/"},"author":{"name":"DevOps","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735"},"headline":"Detect XZ Utils CVE 2024-3094 with Tetragon","datePublished":"2024-04-24T07:21:23+00:00","dateModified":"2024-04-24T07:21:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/"},"wordCount":999,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg","keywords":["devops","Docker","Security","tetragon"],"articleSection":["DevOps","Docker","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/","url":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/","name":"Detect XZ Utils CVE 2024-3094 with Tetragon - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg","datePublished":"2024-04-24T07:21:23+00:00","dateModified":"2024-04-24T07:21:26+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735"},"description":"How to use Tetragon to detect XZ Utils backdoor CVE 2024-3094 before it was known. Apply the Zero Trust security strategy.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/04\/Evil_Fawkes1.jpeg","width":1024,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/detect-xz-utils-cve-2024-3094-with-tetragon\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Detect XZ Utils CVE 2024-3094 with Tetragon"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735","name":"DevOps","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","caption":"DevOps"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/devops\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/32762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=32762"}],"version-history":[{"count":21,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/32762\/revisions"}],"predecessor-version":[{"id":32847,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/32762\/revisions\/32847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media\/32798"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=32762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=32762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=32762"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=32762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}