Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code.
This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. This Repository contains two quick scripts in order to check your Kubernetes Pods and Docker Containers against the vulnerable very recent version of liblzma5 - 5.6.0 or 5.6.1.
Credits towards https://www.openwall.com/lists/oss-security/2024/03/29/4 for the detection-script I used as a base.
For more details please check:
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
If you are looking for an actual vulnerable container for testing:
https://hub.docker.com/layers/library/debian/experimental-20240311/images/sha256-81992d9d8eb99b5cde98ba557a38a171e047b222a767dc7ec0ffe0a194b1c469?context=explore
Create an SBOM with Trivy:
trivy image --format cyclonedx --output result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
Check for liblzma5:
cat result.json | grep liblzma5 "bom-ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", "name": "liblzma5", "purl": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", "value": "liblzma5@5.6.0-0.2" "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", "ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid", sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
Using manual scripts to check for vulnerabilities across containers, while informative, is not optimal and lacks the scalability, thoroughness, and real-time monitoring capabilities of a comprehensive Cloud Native Application Protection Platform (CNAPP) such as Falco.
CNAPPs offer automated, continuous security assessment and policy enforcement across your cloud-native stack, ensuring more robust security posture management with minimal manual intervention.