CVE-2024-3094 PoC — Xz: malicious code in distributed source

Associated Vulnerability
Title: Xz: malicious code in distributed source (CVE-2024-3094)
Description: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Description: A tutorial on how to detect CVE-2024-3094
Readme
# How to detect CVE-2024-3094

I'll walk through the step-by-step process of detecting CVE-2024-3094, commonly known as the XZ backdoor, in container images using the Trend Micro Vision One TMAS CLI. Any image that installed liblzma 5.6.0 or 5.6.1 built from the upstream tarballs carries the modified library, so scanning images for the affected package version is a fast way to find your exposure. Let's get started.

## Requirements

- Have a [Vision One](https://www.trendmicro.com/visionone) account. [Sign up for a free trial now](https://resources.trendmicro.com/vision-one-trial.html) if it's not already the case!
- An [API key](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-__api-keys-2) in Vision One, assigned a role that has the **Run artifact scan** permission;
- A container image that ships a backdoored liblzma (5.6.0 or 5.6.1). You can use the following image for testing purposes: `ghcr.io/felipecosta09/cve-2024-3094:latest`.

## Step 1: Install the Vision One TMAS CLI

To install the CLI you can follow the steps in the [official documentation](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-tmas-about), or you can use the script below. As with any `curl | bash` installer, fetch it first and read it before executing it:

```bash
curl -s -L https://gist.githubusercontent.com/felipecosta09/a3d0cf68f4e85fc53bd6d295c1bb2c5b/raw/fafd525ef1bccfe7a460ec29e5f6d8aca397448a/tmas_install.sh | bash
```

The script will download the latest version of the CLI and install it on your system.

## Step 2: Authenticate with the Vision One API KEY

The CLI reads the Vision One API key from the `TMAS_API_KEY` environment variable, so export it in the shell you will scan from:

```bash
export TMAS_API_KEY=<your_vision_one_api_key>
```

## Step 3: Scan the container image

Now that you have the CLI installed and authenticated, you can scan the container image for the CVE-2024-3094 vulnerability using the following command:

```bash
tmas scan docker:ghcr.io/felipecosta09/cve-2024-3094
```

The command prints the scan results as JSON; the image is flagged when `CVE-2024-3094` appears under `findings`, here against `liblzma5` 5.6.0-0.2 with the Debian fix version `5.6.1+really5.4.5-1` (output abridged to the Critical finding). Note that the `locations` listed are dpkg metadata files, so this is a package-version match: a liblzma built from source or statically linked into a binary inside the image will not be reported this way.

```json
{
  "totalVulnCount": 56,
  "criticalCount": 1,
  "highCount": 0,
  "mediumCount": 4,
  "lowCount": 1,
  "negligibleCount": 43,
  "unknownCount": 7,
  "overriddenCount": 0,
  "findings": {
    "Critical": [
      {
        "name": "liblzma5",
        "type": "deb",
        "version": "5.6.0-0.2",
        "id": "CVE-2024-3094",
        "source": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
        "severity": "Critical",
        "fix": "5.6.1+really5.4.5-1",
        "locations": [
          "/usr/share/doc/liblzma5/copyright",
          "/var/lib/dpkg/info/liblzma5:amd64.md5sums",
          "/var/lib/dpkg/status"
        ],
        "cvssSummaries": [],
        "relatedVulnerabilities": [
          {
            "id": "CVE-2024-3094",
            "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
            "severity": "Critical",
            "cvssSummaries": [
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              },
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              }
            ]
          }
        ]
      }
    ]
  }
}
```

PS: The default region is `us`. If you are using another region, set it with the `-r` flag. For more information use the `--help` flag.

# Automating the scan process

If you want a one-shot answer for any image, use the repository's `cve2024-3094.sh` script. It prompts for an image reference, scans it with tmas and prints whether CVE-2024-3094 is present:

```bash
./cve2024-3094.sh
Enter the image name and tag
ghcr.io/felipecosta09/cve-2024-3094
Scanning the image ghcr.io/felipecosta09/cve-2024-3094:latest
CVE-2024-3094 IT IS present in the image ghcr.io/felipecosta09/cve-2024-3094:latest
```
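The script's source is not reproduced on this page, so the following is an added example (not the README author's code, and not `cve2024-3094.sh`) showing how the same decision can be made from the JSON that `tmas scan` prints in Step 3. It walks every severity bucket of the report, matches the CVE id directly or through `relatedVulnerabilities`, and then checks the package version, because Debian's fix is published as `5.6.1+really5.4.5-1`, a string that sorts above 5.6.1 for apt but actually ships 5.4.5. The field names follow the report shown above; the embedded report is a constructed, trimmed sample rather than real scanner output.

```python
"""Added example (not from the original README or its cve2024-3094.sh):
decide from a tmas JSON report whether an image ships the backdoored
xz/liblzma (CVE-2024-3094). Field names follow the report shown above;
SAMPLE_REPORT is constructed, not real scanner output."""
import json
import re
import sys

CVE_ID = "CVE-2024-3094"
# Upstream xz releases whose tarballs carried the backdoored build script.
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}


def real_upstream_version(debian_version):
    """Map a Debian package version to the upstream xz version it ships.

    Debian shipped the fix as 5.6.1+really5.4.5-1: the string sorts above
    5.6.1 so apt treats it as an upgrade, but the code is 5.4.5. Strip an
    epoch ("1:") and the Debian revision ("-0.2"), then honour "+really".
    """
    ver = debian_version.split(":", 1)[-1]   # drop epoch
    ver = ver.rsplit("-", 1)[0]               # drop Debian revision
    m = re.search(r"\+really(.+)$", ver)
    return m.group(1) if m else ver


def version_is_affected(debian_version):
    """True for a Debian version whose real upstream release is 5.6.0/5.6.1."""
    if not debian_version:
        return False
    return real_upstream_version(debian_version) in AFFECTED_UPSTREAM


def find_cve(report_json, cve_id=CVE_ID):
    """Walk every severity bucket and return the findings naming cve_id,
    either as the finding's own id or inside relatedVulnerabilities."""
    report = json.loads(report_json)
    hits = []
    for severity, findings in report.get("findings", {}).items():
        for f in findings:
            ids = {f.get("id")}
            ids.update(r.get("id") for r in f.get("relatedVulnerabilities", []))
            if cve_id in ids:
                hits.append({
                    "package": f.get("name"),
                    "version": f.get("version"),
                    "severity": severity,
                    "fix": f.get("fix"),
                })
    return hits


def image_is_backdoored(report_json):
    """True when the report names CVE-2024-3094 on a package whose real
    upstream version is 5.6.0 or 5.6.1. The version check filters out a
    stale CVE match against a "+really5.4.5" rebuild."""
    return any(version_is_affected(h["version"]) for h in find_cve(report_json))


# Constructed sample in the shape of the tmas output above, trimmed to the
# fields this check reads.
SAMPLE_REPORT = json.dumps({
    "totalVulnCount": 56,
    "criticalCount": 1,
    "findings": {
        "Critical": [{
            "name": "liblzma5",
            "type": "deb",
            "version": "5.6.0-0.2",
            "id": CVE_ID,
            "severity": "Critical",
            "fix": "5.6.1+really5.4.5-1",
            "locations": ["/var/lib/dpkg/status"],
            "relatedVulnerabilities": [{"id": CVE_ID, "severity": "Critical"}],
        }],
        "High": [],
    },
})

if __name__ == "__main__":
    # Usage: tmas scan docker:<image> > report.json && python3 check.py report.json
    # With no argument the constructed SAMPLE_REPORT is checked instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for hit in find_cve(data):
        print(f"{hit['package']} {hit['version']} ({hit['severity']}), fix: {hit['fix']}")
    print("CVE-2024-3094 IS present" if image_is_backdoored(data)
          else "CVE-2024-3094 not found")
```

Matching on the CVE id alone would be enough for the test image, but keying the final verdict on the real upstream version keeps the check honest if a scanner's database lags behind Debian's `+really` rebuild.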
File Snapshot

```
/data/pocs/2fa6ed0192acb0d76fcda407eb2c5c8cb0533a75
├── [1.9K] cve2024-3094.sh
├── [ 272] Dockerfile
├── [ 11K] LICENSE
└── [3.9K] README.md

0 directories, 4 files
```