Skip to content

K8S and Docker Vulnerability Check for CVE-2024-3094

Notifications You must be signed in to change notification settings

teyhouse/CVE-2024-3094

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code.
This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. This Repository contains two quick scripts in order to check your Kubernetes Pods and Docker Containers against the vulnerable very recent version of liblzma5 - 5.6.0 or 5.6.1.

Credits towards https://www.openwall.com/lists/oss-security/2024/03/29/4 for the detection-script I used as a base.

For more details please check:
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

Testing

If you are looking for an actual vulnerable container for testing:
https://hub.docker.com/layers/library/debian/experimental-20240311/images/sha256-81992d9d8eb99b5cde98ba557a38a171e047b222a767dc7ec0ffe0a194b1c469?context=explore

Create an SBOM with Trivy:
trivy image --format cyclonedx --output result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970

Check for liblzma5: cat result.json | grep liblzma5 "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", "name": "liblzma5", "purl": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", "value": "[email protected]" "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-trixie%2Fsid", sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970

Disclaimer

Using manual scripts to check for vulnerabilities across containers, while informative, is not optimal and lacks the scalability, thoroughness, and real-time monitoring capabilities of a comprehensive Cloud Native Application Protection Platform (CNAPP) such as Falco.
CNAPPs offer automated, continuous security assessment and policy enforcement across your cloud-native stack, ensuring more robust security posture management with minimal manual intervention.

About

K8S and Docker Vulnerability Check for CVE-2024-3094

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages