https://github.com/felipecosta09/cve-2024-3094

A tutorial on how to detect the CVE 2024-3094

containers containersecurity cve20243094 trendmicro visionone vulnerability


# How to detect the CVE-2024-3094

I'll walk through the step-by-step process of detecting CVE-2024-3094, commonly known as the XZ Backdoor, in containers using Trend Micro's Vision One TMAS (CLI). This vulnerability presents significant risks to containerized environments, and with the right tools and procedures, we can identify and mitigate these threats effectively. Let's get started.

## Requirements

- A [Vision One](https://www.trendmicro.com/visionone) account. [Sign up for a free trial](https://resources.trendmicro.com/vision-one-trial.html) if you don't already have one.
- An [API key](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-__api-keys-2) in Vision One: create a role with the **Run artifact scan** permission and apply that role to the API key.
- A container image with the CVE-2024-3094 vulnerability. You can use the following image for testing purposes: `ghcr.io/felipecosta09/cve-2024-3094:latest`.

## Step 1: Install the Vision One TMAS CLI

To install the CLI, follow the steps in the [official documentation](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-tmas-about), or use the script below:

```bash
curl -s -L https://gist.githubusercontent.com/felipecosta09/a3d0cf68f4e85fc53bd6d295c1bb2c5b/raw/fafd525ef1bccfe7a460ec29e5f6d8aca397448a/tmas_install.sh | bash
```
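
The script downloads the latest version of the CLI and installs it on your system. The gist URL is pinned to a specific revision, so to review what will run, download the script to a file and read it before executing it instead of piping it straight into `bash`.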

## Step 2: Authenticate with the Vision One API key

To authenticate, export the Vision One API key in the `TMAS_API_KEY` environment variable:

```bash
# Replace the placeholder with your own Vision One API key
export TMAS_API_KEY="<YOUR_API_KEY>"
```

## Step 3: Scan the container image

Now that you have the CLI installed and authenticated, you can scan the container image for the CVE-2024-3094 vulnerability using the following command:

```bash
tmas scan docker:ghcr.io/felipecosta09/cve-2024-3094
```

The command returns the scan results, where you can check whether the image has the CVE-2024-3094 vulnerability. For the test image, it is reported as a Critical finding against `liblzma5`:

```json
{
  "totalVulnCount": 56,
  "criticalCount": 1,
  "highCount": 0,
  "mediumCount": 4,
  "lowCount": 1,
  "negligibleCount": 43,
  "unknownCount": 7,
  "overriddenCount": 0,
  "findings": {
    "Critical": [
      {
        "name": "liblzma5",
        "type": "deb",
        "version": "5.6.0-0.2",
        "id": "CVE-2024-3094",
        "source": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
        "severity": "Critical",
        "fix": "5.6.1+really5.4.5-1",
        "locations": [
          "/usr/share/doc/liblzma5/copyright",
          "/var/lib/dpkg/info/liblzma5:amd64.md5sums",
          "/var/lib/dpkg/status"
        ],
        "cvssSummaries": [],
        "relatedVulnerabilities": [
          {
            "id": "CVE-2024-3094",
            "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
            "severity": "Critical",
            "cvssSummaries": [
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              },
              {
                "cvssVersion": "3.1",
                "cvssAttackVector": "N",
                "cvssAttackComplexity": "L",
                "cvssAvailabilityImpact": "H"
              }
            ]
          }
        ]
      }
    ]
```

PS: The default region is `us`. If you are using another region, set it with the `-r` flag. For more information, use the `--help` flag.

# Automating the scan process

If you want an even easier way to know whether your image, or any image, has the CVE-2024-3094 vulnerability, you can use the script `cve2024-3094.sh`. The script scans the image and returns the result.

```bash
./cve2024-3094.sh
Enter the image name and tag
ghcr.io/felipecosta09/cve-2024-3094
Scanning the image ghcr.io/felipecosta09/cve-2024-3094:latest
CVE-2024-3094 IT IS present in the image ghcr.io/felipecosta09/cve-2024-3094:latest
```
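
For pipelines that keep the scan report as a file, the same check can be made directly on the JSON. The following is an added example, not the repository's `cve2024-3094.sh` and not Trend Micro code. It assumes the report has the shape shown in Step 3 and has been saved to a file; `find_cve`, `SAMPLE_REPORT` and the second sample finding are constructed for illustration. It also matches findings that list the CVE only under `relatedVulnerabilities`.

```python
import json
import sys

TARGET_CVE = "CVE-2024-3094"

# Constructed sample: the report shape shown above, trimmed and closed so it
# parses. The second finding is invented to show a match via relatedVulnerabilities.
SAMPLE_REPORT = json.loads("""
{"totalVulnCount": 2, "criticalCount": 2,
 "findings": {"Critical": [
   {"name": "liblzma5", "type": "deb", "version": "5.6.0-0.2",
    "id": "CVE-2024-3094", "severity": "Critical",
    "fix": "5.6.1+really5.4.5-1",
    "relatedVulnerabilities": [{"id": "CVE-2024-3094"}]},
   {"name": "example-pkg", "type": "deb", "version": "0.0.0",
    "id": "EXAMPLE-ADVISORY-1", "severity": "Critical", "fix": "",
    "relatedVulnerabilities": [{"id": "cve-2024-3094"}]}
 ]}}
""")


def find_cve(report, cve_id=TARGET_CVE):
    """Return every finding that names cve_id directly or as a related ID."""
    wanted = cve_id.upper()
    hits = []
    for severity, items in (report.get("findings") or {}).items():
        for item in items or []:
            ids = [item.get("id")]
            ids += [r.get("id") for r in item.get("relatedVulnerabilities") or []]
            if wanted in {str(i).upper() for i in ids if i}:
                hits.append({"severity": severity, "package": item.get("name"),
                             "version": item.get("version"),
                             "fix": item.get("fix") or None})
    return hits


def main(argv):
    # With a path argument, read a saved scan report; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    hits = find_cve(report)
    for h in hits:
        print(f"{TARGET_CVE}: {h['package']} {h['version']} "
              f"[{h['severity']}] fixed in {h['fix'] or 'no fix listed'}")
    return 1 if hits else 0  # non-zero exit fails a CI step when the CVE is present


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a saved report as the only argument; the exit status is 1 when the CVE is present and 0 otherwise.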