## https://sploitus.com/exploit?id=C9671703-410D-53CC-A475-F55DD1BF1FA5
# CVE-2024-3094
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree, which is then used to modify specific functions in the liblzma code.  
The result is a modified liblzma library that is loaded by any software linked against it, allowing the backdoor to intercept and modify the data exchanged with the library. This repository contains two quick scripts to check your Kubernetes Pods and Docker Containers for the vulnerable, very recent versions of liblzma5: 5.6.0 or 5.6.1.  
  
Credit to https://www.openwall.com/lists/oss-security/2024/03/29/4 for the detection script I used as a base.  
  
For more details please check:  
https://nvd.nist.gov/vuln/detail/CVE-2024-3094  
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27  
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/  
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/  
  
## Testing  
If you are looking for an actual vulnerable container for testing:  
https://hub.docker.com/layers/library/debian/experimental-20240311/images/sha256-81992d9d8eb99b5cde98ba557a38a171e047b222a767dc7ec0ffe0a194b1c469?context=explore  
  
Create an SBOM with Trivy:  
```
trivy image --format cyclonedx --output result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
```
  
Check for liblzma5:
```
cat result.json | grep liblzma5
      "bom-ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
      "name": "liblzma5",
      "purl": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
          "value": "liblzma5@5.6.0-0.2"
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
      "ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
```
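Grepping the SBOM for a package name only tells you liblzma5 is present, not whether the version is one of the backdoored releases. As an added example (not one of this repository's scripts), the following Python parses a Trivy-style CycloneDX SBOM and flags liblzma/xz components whose upstream version is 5.6.0 or 5.6.1, stripping Debian/RPM epochs and packaging revisions first. The embedded SBOM is constructed sample data and the set of package names to match is an assumption.

```python
import json

# Upstream xz releases that shipped the CVE-2024-3094 backdoor.
VULNERABLE_UPSTREAM = {"5.6.0", "5.6.1"}
# Package names under which liblzma ships in common distros (assumption; extend as needed).
LZMA_PACKAGE_NAMES = {"liblzma5", "xz-utils", "xz", "xz-libs", "liblzma"}

# Constructed sample in the shape of `trivy image --format cyclonedx` output (not real Trivy output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "liblzma5", "version": "5.6.0-0.2",
         "purl": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid"},
        {"type": "library", "name": "xz-utils", "version": "5.4.5-0.3",
         "purl": "pkg:deb/debian/xz-utils@5.4.5-0.3?arch=amd64&distro=debian-trixie%2Fsid"},
        {"type": "library", "name": "xz-libs", "version": "5.6.1-2.fc40",
         "purl": "pkg:rpm/fedora/xz-libs@5.6.1-2.fc40?arch=x86_64"},
        {"type": "library", "name": "libc6", "version": "2.37-15"},
    ],
})


def upstream_version(distro_version: str) -> str:
    """Reduce a distro package version to the upstream xz version:
    drop an epoch prefix ('1:') and the packaging revision ('-0.2'),
    so '1:5.6.0-0.2' -> '5.6.0' and '5.6.1-2.fc40' -> '5.6.1'."""
    without_epoch = distro_version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def find_vulnerable_lzma(sbom_json: str) -> list:
    """Return [(name, version, purl)] for every liblzma/xz component whose
    upstream version is a backdoored release. Components with other names
    or other versions are ignored."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        if name not in LZMA_PACKAGE_NAMES:
            continue
        version = comp.get("version", "")
        if upstream_version(version) in VULNERABLE_UPSTREAM:
            hits.append((name, version, comp.get("purl", "")))
    return hits


if __name__ == "__main__":
    # Point this at the result.json written by Trivy to check a real image.
    for name, version, purl in find_vulnerable_lzma(SAMPLE_SBOM):
        print(f"VULNERABLE: {name} {version} ({purl})")
```

A distro that rebuilt the package from clean sources under a different version string (for example a `+really5.4.x` suffix) will not match here, so treat the distro advisory as authoritative for patched builds.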

## Disclaimer  
Using manual scripts to check for vulnerabilities across containers, while informative, is not optimal and lacks the scalability, thoroughness, and real-time monitoring capabilities of a comprehensive Cloud Native Application Protection Platform (CNAPP) such as Falco.  
CNAPPs offer automated, continuous security assessment and policy enforcement across your cloud-native stack, ensuring more robust security posture management with minimal manual intervention.