How to detect the CVE-2024-3094

I'll walk through the step-by-step process of detecting CVE-2024-3094, commonly known as the XZ Backdoor, in containers using Trend Micro's Vision One TMAS (CLI). This vulnerability presents significant risks to containerized environments, and with the right tools and procedures, we can identify and mitigate these threats effectively. Let's get started.

Requirements

Have a Vision One account. Sign up for a free trial now if it's not already the case!
An API key in Vision One with Run artifact scan permissions and apply the role to the API key;
A container image with the CVE-2024-3094 vulnerability. You can use the following image for testing purposes: ghcr.io/felipecosta09/cve-2024-3094:latest.

Step 1: Install the Vision One TMAS CLI

To install the CLI you can follow the steps in the official documentation. or you can use the script below:

curl -s -L https://gist.githubusercontent.com/felipecosta09/a3d0cf68f4e85fc53bd6d295c1bb2c5b/raw/fafd525ef1bccfe7a460ec29e5f6d8aca397448a/tmas_install.sh | bash

The script will download the latest version of the CLI and install it on your system.

Step 2: Authenticate with the Vision One API KEY

To authenticate with the Vision One API KEY, you can use the following command:

export TMAS_API_KEY=<your_vision_one_api_key>

Step 3: Scan the container image

Now that you have the CLI installed and authenticated, you can scan the container image for the CVE-2024-3094 vulnerability using the following command:

tmas scan docker:ghcr.io/felipecosta09/cve-2024-3094

The command will return the scan results, and you can see if the image has the CVE-2024-3094 vulnerability.

{
  "totalVulnCount": 56,
  "criticalCount": 1,
  "highCount": 0,
  "mediumCount": 4,
  "lowCount": 1,
  "negligibleCount": 43,
  "unknownCount": 7,
  "overriddenCount": 0,
  "findings": {
    "Critical": [
      {
        "name": "liblzma5",
        "type": "deb",
        "version": "5.6.0-0.2",
        "id": "CVE-2024-3094",
        "source": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
        "severity": "Critical",
        "fix": "5.6.1+really5.4.5-1",
        "locations": [
          "/usr/share/doc/liblzma5/copyright",
          "/var/lib/dpkg/info/liblzma5:amd64.md5sums",
          "/var/lib/dpkg/status"
        ],
        "cvssSummaries": [],
        "relatedVulnerabilities": [
          {
            "id": "CVE-2024-3094",
            "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
            "severity": "Critical",
            "cvssSummaries": [
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              },
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              }
            ]
          }
        ]
      }
    ]

PS.: The default region is us if you are using another region, you can set the region using the -r flag. For more information you can also use the --help flag.

Automating the scan process

If you want an even easier way to to know if your image or any image has the CVE-2024-3094 vulnerability, you can use the script cve2024-3094.sh. The script will scan the image and return the results.

./cve2024-3094.sh
Enter the image name and tag
ghcr.io/felipecosta09/cve-2024-3094
Scanning the image ghcr.io/felipecosta09/cve-2024-3094:latest
CVE-2024-3094 IT IS present in the image ghcr.io/felipecosta09/cve-2024-3094:latest

felipecosta09 / cve-2024-3094