PoC details: 2fa6ed0192acb0d76fcda407eb2c5c8cb0533a75

Source
Related vulnerability
Title: xz security vulnerability (CVE-2024-3094)
Description: xz is an application for reading and writing xz compressed streams. XZ Utils versions 5.6.0 and 5.6.1 contain a security vulnerability that stems from allowing an attacker to embed malicious code.
Description
A tutorial on how to detect the CVE 2024-3094
Introduction
# How to detect the CVE-2024-3094

I'll walk through the step-by-step process of detecting CVE-2024-3094, commonly known as the XZ Backdoor, in containers using Trend Micro's Vision One TMAS (CLI). This vulnerability presents significant risks to containerized environments, and with the right tools and procedures, we can identify and mitigate these threats effectively. Let's get started.

## Requirements

- Have a [Vision One](https://www.trendmicro.com/visionone) account. [Sign up for a free trial now](https://resources.trendmicro.com/vision-one-trial.html) if you don't already have one!
- An [API key](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-__api-keys-2) in Vision One whose role has the **Run artifact scan** permission; apply that role to the API key.
- A container image with the CVE-2024-3094 vulnerability. You can use the following image for testing purposes: `ghcr.io/felipecosta09/cve-2024-3094:latest`.

## Step 1: Install the Vision One TMAS CLI

To install the CLI you can follow the steps in the [official documentation](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-tmas-about), or you can use the script below:

```bash
curl -s -L https://gist.githubusercontent.com/felipecosta09/a3d0cf68f4e85fc53bd6d295c1bb2c5b/raw/fafd525ef1bccfe7a460ec29e5f6d8aca397448a/tmas_install.sh | bash
```
The script will download the latest version of the CLI and install it on your system.

## Step 2: Authenticate with the Vision One API key

To authenticate with the Vision One API key, export it in the environment the CLI reads:

```bash
export TMAS_API_KEY=<your_vision_one_api_key>
```

## Step 3: Scan the container image

Now that you have the CLI installed and authenticated, you can scan the container image for the CVE-2024-3094 vulnerability using the following command:

```bash
tmas scan docker:ghcr.io/felipecosta09/cve-2024-3094
```

The command returns the scan results as JSON; the `findings` section shows whether the image carries the CVE-2024-3094 vulnerability:

```json
{
  "totalVulnCount": 56,
  "criticalCount": 1,
  "highCount": 0,
  "mediumCount": 4,
  "lowCount": 1,
  "negligibleCount": 43,
  "unknownCount": 7,
  "overriddenCount": 0,
  "findings": {
    "Critical": [
      {
        "name": "liblzma5",
        "type": "deb",
        "version": "5.6.0-0.2",
        "id": "CVE-2024-3094",
        "source": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
        "severity": "Critical",
        "fix": "5.6.1+really5.4.5-1",
        "locations": [
          "/usr/share/doc/liblzma5/copyright",
          "/var/lib/dpkg/info/liblzma5:amd64.md5sums",
          "/var/lib/dpkg/status"
        ],
        "cvssSummaries": [],
        "relatedVulnerabilities": [
          {
            "id": "CVE-2024-3094",
            "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
            "severity": "Critical",
            "cvssSummaries": [
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              },
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              }
            ]
          }
        ]
      }
    ]
  }
}
```

PS: The default region is `us`; if you are using another region, set it with the `-r` flag. For more information you can also use the `--help` flag.

# Automating the scan process

If you want an even easier way to know whether your image, or any image, has the CVE-2024-3094 vulnerability, you can use the script `cve2024-3094.sh`. The script scans the image and reports the result.

```bash
./cve2024-3094.sh
Enter the image name and tag
ghcr.io/felipecosta09/cve-2024-3094
Scanning the image ghcr.io/felipecosta09/cve-2024-3094:latest
CVE-2024-3094 IT IS present in the image ghcr.io/felipecosta09/cve-2024-3094:latest
```
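The three steps above (install, export `TMAS_API_KEY`, run `tmas scan docker:<image>`) and the `cve2024-3094.sh` wrapper both end with the same question: does the JSON report contain a CVE-2024-3094 finding? The following script is an added example, not the repository's `cve2024-3094.sh` and not Trend Micro code. It assumes the `tmas` CLI is on `PATH`, that `TMAS_API_KEY` is already exported, and that `tmas scan docker:<image>` writes the JSON report shown above to stdout (the page shows the report but not the output stream, so that is an assumption). It parses the report the way a CI gate would, and adds a scanner-independent second signal: it checks the package version string against the backdoored upstream releases the advisory names, while correctly treating Debian's `5.6.1+really5.4.5-1` downgrade as fixed.

```python
"""Check a container image for CVE-2024-3094 using the tmas CLI report.

Added example, not the repository's cve2024-3094.sh. Assumes: `tmas` is on
PATH, TMAS_API_KEY is exported, and `tmas scan docker:<image>` prints the
JSON report on stdout.
"""
import json
import subprocess
import sys

XZ_CVE = "CVE-2024-3094"
# Upstream releases the advisory names as backdoored (from the page text).
BACKDOORED_XZ_VERSIONS = ("5.6.0", "5.6.1")

# Constructed sample, trimmed from the report shown above (not live output).
SAMPLE_REPORT = """{
  "totalVulnCount": 56,
  "criticalCount": 1,
  "findings": {
    "Critical": [
      {
        "name": "liblzma5",
        "type": "deb",
        "version": "5.6.0-0.2",
        "id": "CVE-2024-3094",
        "severity": "Critical",
        "fix": "5.6.1+really5.4.5-1",
        "relatedVulnerabilities": [{"id": "CVE-2024-3094", "severity": "Critical"}]
      }
    ]
  }
}"""

# Constructed sample of a report with no findings at all.
CLEAN_REPORT = '{"totalVulnCount": 0, "findings": {}}'


def load_report(text):
    """Parse the CLI's JSON output into a dict."""
    return json.loads(text)


def find_cve(report, cve_id=XZ_CVE):
    """Return every finding matching cve_id, across all severity buckets.

    Also checks each finding's relatedVulnerabilities, so the match surfaces
    even if the scanner files it under a different primary id.
    """
    hits = []
    for severity, entries in report.get("findings", {}).items():
        for entry in entries:
            related = {r.get("id") for r in entry.get("relatedVulnerabilities", [])}
            if entry.get("id") == cve_id or cve_id in related:
                hits.append({
                    "package": entry.get("name"),
                    "version": entry.get("version"),
                    "fix": entry.get("fix"),
                    "severity": severity,
                })
    return hits


def upstream_xz_version(version):
    """Strip Debian packaging from a version string to get the upstream release.

    '5.6.0-0.2' -> '5.6.0'. Debian's '5.6.1+really5.4.5-1' means upstream
    5.4.5 packaged to sort above 5.6.1, so the part after '+really' wins.
    """
    if "+really" in version:
        version = version.split("+really", 1)[1]
    return version.split("-", 1)[0]


def is_backdoored_xz_version(version):
    """Second signal independent of the scanner's CVE database."""
    return upstream_xz_version(version) in BACKDOORED_XZ_VERSIONS


def scan_image(image, region=None):
    """Run `tmas scan docker:<image>` and parse its JSON report (assumed on stdout)."""
    cmd = ["tmas", "scan", f"docker:{image}"]
    if region:
        cmd += ["-r", region]  # the page documents -r for non-us regions
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return load_report(out)


def report_status(report, image):
    """Build the same style of verdict the page's script prints."""
    hits = find_cve(report)
    if not hits:
        return f"{XZ_CVE} is NOT present in the image {image}"
    lines = [f"{XZ_CVE} IT IS present in the image {image}"]
    for h in hits:
        lines.append(f"  {h['package']} {h['version']} ({h['severity']}), fixed in {h['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python check_xz.py <image[:tag]> [region]")
    image = sys.argv[1]
    region = sys.argv[2] if len(sys.argv) > 2 else None
    rep = scan_image(image, region)
    print(report_status(rep, image))
    # Non-zero exit lets a CI job fail the build when the backdoor is present.
    sys.exit(1 if find_cve(rep) else 0)
```

Run it as `python check_xz.py ghcr.io/felipecosta09/cve-2024-3094:latest` after Steps 1 and 2. The exit code is what makes it useful in a pipeline; the version check is worth keeping alongside the CVE lookup because it still fires if a scanner's vulnerability feed lags, and the `+really` handling avoids a false positive on the exact package the Debian fix ships.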
File snapshot

```
[4.0K] /data/pocs/2fa6ed0192acb0d76fcda407eb2c5c8cb0533a75
├── [1.9K] cve2024-3094.sh
├── [ 272] Dockerfile
├── [ 11K] LICENSE
└── [3.9K] README.md

0 directories, 4 files
```