{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/linux/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kubernetes","kubelet","lateral-movement","discovery","execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential direct Kubelet API access attempts on Linux systems. The Kubelet, acting as the primary node agent, exposes an API accessible via ports 10250 and 10255. Attackers may exploit this API to enumerate pods, fetch logs, or even attempt remote execution. This access can lead to significant breaches in Kubernetes environments, facilitating discovery, lateral movement, and ultimately, compromise of sensitive data or control over cluster resources. The detection focuses on identifying process executions where the command-line arguments contain URLs targeting these Kubelet ports, indicating a potential attempt to interact with the Kubelet API directly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the Kubernetes cluster or a host with network access to the Kubelet ports.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or similar tools to craft an HTTP request targeting the Kubelet API on ports 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe request includes a path like \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/runningpods\u003c/code\u003e, \u003ccode\u003e/metrics\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, or \u003ccode\u003e/containerLogs\u003c/code\u003e to gather information about the cluster\u0026rsquo;s state and configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker examines the response to identify potential targets for lateral movement, such as specific pods or containers of interest.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within a container using the \u003ccode\u003e/exec\u003c/code\u003e endpoint, potentially leveraging exposed service account tokens or other credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered information to move laterally to other pods or nodes within the cluster, escalating privileges as they go.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises sensitive data or critical applications running within the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full cluster compromise. Attackers can gain unauthorized access to sensitive data, disrupt critical applications, and move laterally to other resources within the Kubernetes environment. This could lead to significant financial losses, reputational damage, and legal liabilities. The potential impact includes data breaches, denial of service, and complete control over the Kubernetes infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubelet API Access via Process Arguments\u003c/code\u003e to your SIEM to detect suspicious process executions.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports 10250/10255 at the network layer to limit pod-to-node or host-to-node traffic as recommended in the overview section.\u003c/li\u003e\n\u003cli\u003eHarden Kubelet configuration by disabling anonymous authentication and enforcing webhook authentication/authorization as described in the overview section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:18:23Z","date_published":"2026-05-04T21:18:23Z","id":"/briefs/2024-01-09-kubelet-access/","summary":"This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.","title":"Potential Direct Kubelet API Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xz"],"_cs_severities":["critical"],"_cs_tags":["xz","code-execution","linux"],"_cs_type":"advisory","_cs_vendors":["xz"],"content_html":"\u003cp\u003eA vulnerability exists within the xz compression utility that allows for arbitrary code execution. While the specific details of the vulnerability are not disclosed in this advisory, the potential impact is severe. An unauthenticated, remote attacker can leverage this flaw to execute code on a vulnerable system. The affected component is the xz utility, a widely used data compression tool in Linux distributions. Defenders should assume a broad potential impact, including data compromise, system instability, and potential for lateral movement within a compromised network. The lack of detailed information necessitates immediate investigation and patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable system running the xz utility.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload designed to exploit the undisclosed vulnerability within xz.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious payload to the vulnerable system. The specific delivery mechanism is not detailed (e.g., network service, malicious file).\u003c/li\u003e\n\u003cli\u003eThe xz utility processes the malicious payload, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the attacker gains the ability to execute arbitrary code on the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the xz process, potentially allowing for elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install a backdoor or other persistent mechanism to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems on the network or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the targeted system. This can lead to complete system compromise, data theft, and further malicious activities within the network. Given the widespread use of the xz utility, a large number of systems are potentially vulnerable. The impact could range from disruption of services to significant data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate systems running the xz utility for suspicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unexpected activity originating from the xz utility using process_creation logs.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to identify suspicious connections originating from systems where xz is used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T09:34:36Z","date_published":"2026-05-04T09:34:36Z","id":"/briefs/2026-05-xz-code-execution/","summary":"A remote, anonymous attacker can exploit a vulnerability in the xz utility to achieve arbitrary code execution on affected systems.","title":"XZ Utility Vulnerability Allows Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-xz-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","sentinel_one_cloud_funnel","crowdstrike.fdr"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule monitors for a specific sequence of commands on Linux systems that could indicate an attempt to escape a containerized environment. The attack involves first mounting a file system, typically targeting the host\u0026rsquo;s root file system, and then using the \u003ccode\u003echroot\u003c/code\u003e command to change the root directory. This combination, if successful, allows an attacker inside a container to gain unauthorized access to the host system. The rule is designed to identify this uncommon behavior pattern, which is a strong indicator of malicious activity. The rule is applicable to environments utilizing Elastic Defend, SentinelOne Cloud Funnel, and Crowdstrike FDR. The detection looks for this sequence occurring within a 5-minute timeframe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through exploiting a vulnerability or misconfiguration in the application running within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to mount the host\u0026rsquo;s root filesystem within the container using the \u003ccode\u003emount\u003c/code\u003e command, often targeting \u003ccode\u003e/dev/sd*\u003c/code\u003e devices. This requires sufficient privileges within the container, or the exploitation of a container escape vulnerability to gain such privileges.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emount\u003c/code\u003e command is executed with arguments specifying the device to mount and the mount point within the container\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the \u003ccode\u003echroot\u003c/code\u003e command, changing the root directory of the current process to the mounted host\u0026rsquo;s root filesystem.\u003c/li\u003e\n\u003cli\u003eAfter successfully executing \u003ccode\u003echroot\u003c/code\u003e, the attacker\u0026rsquo;s perspective shifts to the host\u0026rsquo;s file system, allowing them to access and modify sensitive files and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their newly acquired access to install backdoors, create new user accounts with elevated privileges, or modify system configurations to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other containers or systems within the network, leveraging their compromised position on the host.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain complete control over the host system and potentially the entire infrastructure, leading to data exfiltration, system disruption, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can have severe consequences, potentially leading to complete compromise of the host system and the data it contains. Depending on the environment, this could affect a single server or spread to many hosts. The compromise of containerized environments can lead to data breaches, service disruption, and reputational damage. Given the sensitive nature of data often processed within containers, the impact can range from financial losses to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential container escapes.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect process data, and ensure Session View data is enabled to enhance visibility as mentioned in the setup guide.\u003c/li\u003e\n\u003cli\u003eReview and harden container configurations to minimize privileges granted to containerized processes, reducing the attack surface for escape attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential for lateral movement following a successful container escape.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for unusual mount and chroot command sequences within container environments using Elastic Defend, SentinelOne, and Crowdstrike logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2024-01-chroot-container-escape/","summary":"The rule detects a potential chroot container escape via mount, which involves a user within a container mounting the host's root file system and using chroot to escape the containerized environment, indicating a privilege escalation attempt.","title":"Potential Chroot Container Escape via Mount","url":"https://feed.craftedsignal.io/briefs/2024-01-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux","chroot"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of the \u003ccode\u003echroot\u003c/code\u003e command being executed within a Linux containerized environment. It leverages process execution telemetry from Elastic Defend and Auditd Manager to detect potential container escape attempts. The rule focuses on processes where the name is \u003ccode\u003echroot\u003c/code\u003e or the command-line arguments contain \u003ccode\u003echroot\u003c/code\u003e. Container context is determined by identifying processes with a title matching \u003ccode\u003erunc init\u003c/code\u003e, a container workload entry leader, or \u003ccode\u003erunc\u003c/code\u003e as the parent process. Successful container escapes can allow attackers to gain unauthorized access to the host system. The technique is often combined with sensitive host mounts, which are then leveraged after the \u003ccode\u003echroot\u003c/code\u003e to access files and processes outside the container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, potentially through exploiting a vulnerability in the containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies sensitive host mounts within the container\u0026rsquo;s filesystem, such as \u003ccode\u003e/host\u003c/code\u003e, \u003ccode\u003e/proc/1/root\u003c/code\u003e, or other unexpected node paths.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003echroot\u003c/code\u003e command, specifying an alternate root filesystem, typically a host-linked mount.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echroot\u003c/code\u003e command redirects system calls to the new root filesystem, effectively isolating the attacker from the container\u0026rsquo;s original environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the new root filesystem to access files, directories, and processes on the host system outside the container\u0026rsquo;s boundaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escalate privileges by exploiting vulnerabilities in host system services or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware or establish persistence mechanisms on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised host system to pivot to other systems on the network or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can lead to full compromise of the underlying host system, potentially impacting all containers running on the same host. This can enable attackers to access sensitive data, disrupt services, and move laterally within the network. In multi-tenant environments, a container escape can compromise the security of other tenants sharing the same infrastructure. A single successful container escape can lead to a widespread breach impacting numerous systems and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChroot Execution in Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process execution telemetry from Elastic Defend and Auditd Manager on Linux to ensure the required data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the \u003ccode\u003echroot\u003c/code\u003e execution was authorized and the target directory is an internal build root versus a host filesystem mount.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on shell execution, access to the container runtime socket, or kubelet credential paths, as these are common indicators of container escape attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2026-05-chroot-container-escape/","summary":"Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.","title":"Chroot Execution in Container Context on Linux","url":"https://feed.craftedsignal.io/briefs/2026-05-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e The system\u0026rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker can now use the root privileges gained to perform lateral movement or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential privilege escalation attempts on Linux systems by monitoring for processes with a root effective user ID (EUID) but a non-root real user ID (RUID), combined with the use of the \u003ccode\u003e-p\u003c/code\u003e flag (commonly used to preserve privileges in shells like bash or dash) and execution from a non-standard path (outside of \u003ccode\u003e/bin\u003c/code\u003e, \u003ccode\u003e/sbin\u003c/code\u003e, \u003ccode\u003e/usr/bin\u003c/code\u003e, etc.).  Attackers may copy or link setuid-capable shells or similar helpers into writable locations to regain a root context after local exploitation. This behavior is often associated with post-exploitation activities where attackers attempt to maintain or regain elevated privileges.  The rule relies on Auditd data to provide visibility into process execution events and user context. The original rule was published on 2026-04-24 by Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with limited privileges (e.g., through exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a writable directory outside of standard system binary paths (e.g., \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker copies or creates a symbolic link to a setuid-capable shell (e.g., \u003ccode\u003e/bin/bash\u003c/code\u003e, \u003ccode\u003e/bin/dash\u003c/code\u003e) into the identified writable directory. This copied shell retains the setuid bit.\u003c/li\u003e\n\u003cli\u003eAttacker executes the copied or linked shell from the non-standard path with the \u003ccode\u003e-p\u003c/code\u003e flag (e.g., \u003ccode\u003e/tmp/bash -p\u003c/code\u003e). The \u003ccode\u003e-p\u003c/code\u003e flag instructs the shell to preserve privileges, effectively running with the effective user ID (EUID) of root.\u003c/li\u003e\n\u003cli\u003eAuditd logs this process execution event, capturing the non-standard path, the use of the \u003ccode\u003e-p\u003c/code\u003e flag, the root EUID, and the non-root RUID.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the process execution event based on the criteria outlined above.\u003c/li\u003e\n\u003cli\u003eAttacker now has a root shell and can perform administrative tasks, install malware, or further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack can grant an attacker complete control over the compromised system. This allows them to access sensitive data, install malicious software, modify system configurations, and potentially pivot to other systems on the network. This can lead to data breaches, system downtime, and significant financial losses.  The risk score for this type of activity is considered high due to the potential for significant impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Root Effective Shell from Non-Standard Path via Auditd\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure that Auditd Manager or Auditbeat is properly configured to collect process execution events with relevant fields (\u003ccode\u003eevent.action\u003c/code\u003e, \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003euser.effective.id\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, and \u003ccode\u003eprocess.executable\u003c/code\u003e) as described in the rule setup to enable the rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by inspecting \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, \u003ccode\u003eprocess.parent\u003c/code\u003e, and the full command line reconstructed in audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly audit all setuid binaries on the filesystem to identify any unauthorized or malicious setuid executables.\u003c/li\u003e\n\u003cli\u003eImplement access controls and file integrity monitoring to prevent unauthorized modification of system binaries and writable directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T09:51:29Z","date_published":"2026-05-01T09:51:29Z","id":"/briefs/2024-01-potential-root-effective-shell/","summary":"This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.","title":"Potential Root Effective Shell from Non-Standard Path via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-root-effective-shell/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","vulnerability","cve-2026-31431"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eCVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the \u003ccode\u003eauthencesn\u003c/code\u003e AEAD path through AF_ALG and \u003ccode\u003esplice()\u003c/code\u003e. Public exploitation targets setuid-root binaries such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == \u0026ldquo;socket\u0026rdquo; and auditd.data.a0 == \u0026ldquo;26\u0026rdquo;) or splice operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the targeted setuid-root binary (e.g., \u003ccode\u003e/usr/bin/su\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe process transitions to a root UID, indicating successful privilege escalation.\u003c/li\u003e\n\u003cli\u003eA root shell is spawned, providing the attacker with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises the entire host or node, especially in containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst\u0026rdquo; to detect initial exploitation attempts based on AF_ALG socket activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation\u0026rdquo; to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.\u003c/li\u003e\n\u003cli\u003eImmediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eUntil patching is possible, consider blocking \u003ccode\u003ealgif_aead\u003c/code\u003e module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.\u003c/li\u003e\n\u003cli\u003eAdd audit rules for \u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003esplice\u003c/code\u003e, and \u003ccode\u003ebind\u003c/code\u003e events as described in the rule\u0026rsquo;s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T16:24:01Z","date_published":"2026-04-30T16:24:01Z","id":"/briefs/2024-01-cve-2026-31431-exploitation/","summary":"This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.","title":"Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31431-exploitation/"},{"_cs_actors":["Theori"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Linux kernel","Ubuntu 24.04 LTS","Amazon Linux 2023","RHEL 10.1","SUSE 16"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","vulnerability"],"_cs_type":"threat","_cs_vendors":["Theori","Ubuntu","Amazon","Red Hat","SUSE","Linux"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, \u0026ldquo;Copy Fail\u0026rdquo; (CVE-2026-31431), impacts Linux kernels released since 2017. Discovered by Theori\u0026rsquo;s AI-driven pentesting platform Xint Code, the vulnerability allows an unprivileged local attacker to gain root permissions. Theori reported the finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. A proof-of-concept exploit was published, demonstrating a 732-byte script that can root every Linux distribution shipped since 2017. This vulnerability stems from a logic bug in the Linux kernel\u0026rsquo;s authencesn cryptographic template. Theori demonstrated successful exploits on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged local attacker gains access to a vulnerable Linux system.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eAF_ALG\u003c/code\u003e socket-based interface to access Linux kernel crypto functions from user space.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003esplice()\u003c/code\u003e system call to perform a controlled 4-byte write in the page cache of a readable file, instead of a normal buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker targets a setuid-root binary file for modification.\u003c/li\u003e\n\u003cli\u003eThe 4-byte write alters the behavior of the setuid-root binary.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the modified setuid-root binary.\u003c/li\u003e\n\u003cli\u003eDue to the altered behavior, the binary grants the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Copy Fail vulnerability (CVE-2026-31431) allows an unprivileged local attacker to gain root privileges on a vulnerable Linux system. Theori demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, highlighting the widespread impact. Multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS environments running user code are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available kernel patches for CVE-2026-31431 on affected Linux distributions, prioritizing multi-tenant environments (e.g., Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16).\u003c/li\u003e\n\u003cli\u003eAs an interim mitigation, disable the vulnerable crypto interface by blocking \u003ccode\u003eAF_ALG\u003c/code\u003e socket creation or disabling the \u003ccode\u003ealgif_aead\u003c/code\u003e module, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unusual processes after the modification of binaries in \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e using the Sigma rule \u0026ldquo;Detect Suspicious Splice Usage for Privilege Escalation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect algif_aead module removal\u0026rdquo; to detect attempts to disable the vulnerable module.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:54:47Z","date_published":"2026-04-30T13:54:47Z","id":"/briefs/2026-04-copy-fail/","summary":"A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.","title":"Local Privilege Escalation Vulnerability 'Copy Fail' in Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-copy-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CUPS"],"_cs_severities":["high"],"_cs_tags":["cups","privilege-escalation","linux","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA vulnerability exists within the Common Unix Printing System (CUPS), a widely used printing system on Linux and macOS. A local attacker can leverage this flaw to execute arbitrary code with elevated, administrator-level privileges. While the specific details of the vulnerability are not provided in this brief, successful exploitation would grant the attacker full control over the affected system. Apple is the primary maintainer of CUPS. Defenders should focus on identifying and mitigating potential exploitation attempts by monitoring for suspicious CUPS-related processes and file modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial local access to the target system through legitimate means or by exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable CUPS service running on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload designed to exploit the CUPS vulnerability. This payload could be a specially crafted print job or a manipulated configuration file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious payload, triggering the vulnerability in CUPS.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, CUPS executes the attacker\u0026rsquo;s code with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to install persistent backdoors, modify system configurations, or escalate privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network or exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is complete system compromise, data theft, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CUPS vulnerability allows a local attacker to gain complete control over the affected system. This could lead to data theft, system disruption, or the installation of persistent backdoors. The widespread use of CUPS in Linux and macOS environments makes this a significant threat. If successfully exploited, attackers can achieve complete system compromise and potentially move laterally within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious CUPS processes being spawned by unusual parent processes using the \u003ccode\u003eCUPS Spawning Suspicious Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect CUPS configuration files for unauthorized modifications using the \u003ccode\u003eCUPS Configuration File Modification\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexplained privilege escalation events originating from the CUPS service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:43:58Z","date_published":"2026-04-30T09:43:58Z","id":"/briefs/2026-04-cups-privesc/","summary":"A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.","title":"CUPS Vulnerability Allows Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-cups-privesc/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31457"},{"cvss":8.8,"id":"CVE-2026-33208"}],"_cs_exploited":false,"_cs_products":["sudo"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","sudo","linux"],"_cs_type":"advisory","_cs_vendors":["sudo"],"content_html":"\u003cp\u003eMultiple vulnerabilities in sudo allow a local attacker to escalate privileges to root. The vulnerabilities can be exploited locally, requiring an attacker to already have some level of access to the system. The exact nature of these vulnerabilities is not specified in the source material, but the impact is a complete compromise of the affected system. Defenders should implement detections for suspicious sudo usage patterns and ensure sudo is updated to the latest version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via an unspecified method (e.g., compromised account, physical access).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable version of sudo installed on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious sudo command or exploits a configuration flaw to leverage one of the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eSudo executes the malicious command with elevated privileges due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to modify system files or execute commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor or creates a new privileged account for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the escalated privileges to access sensitive data or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows a local attacker to gain complete control of the affected system. This can lead to data theft, system corruption, or the installation of malware. The number of potential victims is dependent on the number of systems running vulnerable versions of sudo.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for unexpected sudo usage patterns, especially commands run with root privileges that deviate from normal administrative tasks. (See Sigma rule \u0026ldquo;Detect Suspicious Sudo Usage\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable audit logging for sudo to capture detailed information about command execution.\u003c/li\u003e\n\u003cli\u003eRegularly update sudo to the latest version to patch known vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:33:58Z","date_published":"2026-04-30T09:33:58Z","id":"/briefs/2026-05-sudo-privesc/","summary":"Multiple vulnerabilities in sudo allow a local attacker to bypass security precautions and escalate privileges to root.","title":"Sudo Privilege Escalation Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-sudo-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PackageKit"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["PackageKit"],"content_html":"\u003cp\u003eA privilege escalation vulnerability exists within PackageKit, a suite of tools designed for software management across various Linux distributions. While specific details regarding the vulnerability are currently limited, the core issue allows a local attacker to elevate their privileges on a vulnerable system. This means an attacker with limited access could potentially gain root or administrator-level control, leading to full system compromise. Defenders need to prioritize detecting and mitigating this vulnerability to prevent potential exploitation and unauthorized access. The scope of this vulnerability impacts systems utilizing PackageKit for software management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial limited access to the target Linux system through legitimate means or by exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the presence of PackageKit on the system and its accessibility to the current user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the PackageKit vulnerability. Due to the lack of specific information on the vulnerability, this could involve manipulating PackageKit\u0026rsquo;s API or command-line interface to perform actions with elevated privileges.\u003c/li\u003e\n\u003cli\u003ePackageKit, due to the vulnerability, incorrectly authorizes the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands or scripts with elevated privileges, such as root.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malicious software or modifies system configurations to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker further compromises the system, gaining access to sensitive data and potentially pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to escalate their privileges to root, resulting in complete system compromise. This could lead to data theft, system disruption, and the installation of malware. The number of victims and specific sectors targeted are currently unknown. However, given the widespread use of PackageKit across various Linux distributions, a successful exploit could have broad implications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for unexpected PackageKit activity initiated by non-root users, using the \u0026ldquo;PackageKit Privilege Escalation - Unexpected Process Invocation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;PackageKit Privilege Escalation - File Modification\u0026rdquo; Sigma rule to detect unauthorized modifications to PackageKit configuration files or binaries.\u003c/li\u003e\n\u003cli\u003eInvestigate any suspicious PackageKit processes identified through monitoring logs, focusing on those running with elevated privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:09:12Z","date_published":"2026-04-30T09:09:12Z","id":"/briefs/2026-04-packagekit-privesc/","summary":"A local attacker can exploit a vulnerability in PackageKit to escalate their privileges on a Linux system.","title":"PackageKit Local Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-packagekit-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Enterprise Linux"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified within the LibRaw component of Red Hat Enterprise Linux. These vulnerabilities, if successfully exploited, could allow an attacker to achieve arbitrary code execution or trigger a denial-of-service (DoS) condition on a vulnerable system. While the specific CVEs are not detailed in the advisory, the high-level threat remains significant, potentially impacting any system relying on the affected LibRaw library for processing raw image data. Defenders should prioritize patching and monitoring systems utilizing LibRaw to mitigate the risks. This advisory serves as an early warning in advance of any detailed technical release; specific exploit methods will become clearer as details emerge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable version of LibRaw within a Red Hat Enterprise Linux system. This may involve scanning for specific LibRaw versions or identifying services reliant on the library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious raw image file designed to exploit a specific vulnerability in LibRaw\u0026rsquo;s parsing logic.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system. This could involve uploading the file to a web server, emailing it as an attachment, or injecting it into a data stream processed by LibRaw.\u003c/li\u003e\n\u003cli\u003eThe vulnerable LibRaw library attempts to process the malicious image file.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (e.g., a buffer overflow or integer overflow), LibRaw crashes, leading to a denial-of-service. Alternatively, the attacker gains control of the program counter.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the LibRaw process, potentially gaining control over the entire system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the initial foothold to escalate privileges and move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to disrupt services and/or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to arbitrary code execution, potentially granting an attacker full control over affected systems. This could result in data breaches, system compromise, and service disruption. A denial-of-service condition could also disrupt critical services reliant on the vulnerable systems. The number of affected systems depends on the prevalence of vulnerable LibRaw versions within Red Hat Enterprise Linux deployments. The specific impact will depend on the privileges of the compromised process and the system\u0026rsquo;s role within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected child processes spawned by applications utilizing LibRaw (see \u0026ldquo;Detect Suspicious Process Creation from LibRaw\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to LibRaw binaries (see \u0026ldquo;Detect LibRaw Binary Modification\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and block any anomalous network connections originating from systems utilizing LibRaw.\u003c/li\u003e\n\u003cli\u003eConsult Red Hat security advisories for specific CVEs and patch information as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T09:54:06Z","date_published":"2026-04-29T09:54:06Z","id":"/briefs/2026-04-rhel-libraw-vulns/","summary":"Multiple vulnerabilities in Red Hat Enterprise Linux's LibRaw component allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.","title":"Red Hat Enterprise Linux LibRaw Multiple Vulnerabilities Allow Code Execution or DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-rhel-libraw-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ProFTPD"],"_cs_severities":["high"],"_cs_tags":["sqli","proftpd","linux"],"_cs_type":"advisory","_cs_vendors":["ProFTPD"],"content_html":"\u003cp\u003eA vulnerability in ProFTPD allows for SQL injection attacks by remote, unauthenticated attackers. The specific flaw and version number are not mentioned in the source, but the generic report indicates a potentially widespread issue affecting publicly accessible ProFTPD servers. Successful exploitation could lead to unauthorized data access, modification, or potentially complete system compromise depending on the database permissions configured for ProFTPD. Defenders should apply all available security patches for ProFTPD.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a ProFTPD server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL injection payload.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted SQL injection payload through a ProFTPD command or parameter.\u003c/li\u003e\n\u003cli\u003eProFTPD processes the malicious payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe payload is passed to the underlying database server.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL command.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data or modifies database records.\u003c/li\u003e\n\u003cli\u003eAttacker may use the gained access to further compromise the server or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability in ProFTPD allows unauthorized access to the underlying database. This can lead to the disclosure of sensitive information, modification of data, or even complete database compromise. The number of victims and sectors targeted are currently unknown, but public-facing ProFTPD servers are at risk. A successful attack could lead to significant data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches for ProFTPD as soon as they are available to remediate SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor ProFTPD logs for suspicious activity and SQL injection attempts (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in ProFTPD configurations.\u003c/li\u003e\n\u003cli\u003eReview database access permissions for the ProFTPD user to minimize the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T09:54:05Z","date_published":"2026-04-29T09:54:05Z","id":"/briefs/2024-01-proftpd-sqli/","summary":"An anonymous remote attacker can exploit a SQL injection vulnerability in ProFTPD.","title":"ProFTPD SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-proftpd-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","linux","sudoers"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe sudoers.d directory on Linux systems is designed to allow administrators to manage sudo privileges by adding individual files rather than modifying the main /etc/sudoers file. An attacker who gains initial access to a system can exploit this by creating or modifying files within this directory to grant themselves or other malicious actors elevated privileges. This can be done to ensure persistent access, even if other initial access methods are detected and remediated. The modification of…\u003c/p\u003e\n","date_modified":"2026-04-27T23:12:30Z","date_published":"2026-04-27T23:12:30Z","id":"/briefs/2026-04-sudoers-persistence/","summary":"Attackers can achieve persistence and privilege escalation on Linux systems by creating or modifying files in the /etc/sudoers.d/ directory to grant unauthorized users or groups sudo privileges.","title":"Linux Persistence via Sudoers.d File Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-04-sudoers-persistence/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ntfs-3g","heap-overflow","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40706 describes a heap buffer overflow vulnerability affecting NTFS-3G, specifically versions 2022.10.3 and earlier, before the patch in version 2026.2.25. The vulnerability lies within the \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function in \u003ccode\u003eacls.c\u003c/code\u003e. An attacker can exploit this flaw by creating a malicious NTFS image. When the affected software attempts to read this specially crafted image, a heap buffer overflow occurs. This is triggered when the software processes a security descriptor containing multiple ACCESS_DENIED Access Control Entries (ACEs), each including WRITE_OWNER permissions, and originating from distinct group Security Identifiers (SIDs). Successful exploitation allows an attacker to corrupt heap memory within the SUID-root ntfs-3g binary, potentially leading to privilege escalation or arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious NTFS image containing a specially designed security descriptor.\u003c/li\u003e\n\u003cli\u003eThe security descriptor includes multiple ACCESS_DENIED ACEs.\u003c/li\u003e\n\u003cli\u003eEach ACE within the descriptor contains WRITE_OWNER permissions.\u003c/li\u003e\n\u003cli\u003eThe ACEs originate from distinct group SIDs, triggering the overflow condition.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious NTFS image to a system running a vulnerable version of NTFS-3G. This may occur through physical media or network shares.\u003c/li\u003e\n\u003cli\u003eThe victim system attempts to read the malicious NTFS image using a vulnerable NTFS-3G version, such as during a \u003ccode\u003estat\u003c/code\u003e, \u003ccode\u003ereaddir\u003c/code\u003e, or \u003ccode\u003eopen\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function is called to process the security descriptor.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow occurs during the processing of the malicious ACEs, corrupting heap memory. This can lead to denial of service or potentially arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40706 allows for heap memory corruption in the ntfs-3g binary, which runs with elevated privileges due to its SUID-root configuration. The observed consequence is memory corruption. Depending on the extent of the corruption, this could lead to denial-of-service or arbitrary code execution. Given the wide usage of NTFS-3G for mounting NTFS volumes on Linux and other systems, a successful exploit could affect a large number of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NTFS-3G to version 2026.2.25 or later to patch CVE-2026-40706 (reference: \u003ca href=\"https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\"\u003ehttps://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or errors related to ntfs-3g operations, which may indicate exploitation attempts. Deploy the Sigma rules below to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and validation measures on NTFS images to prevent the use of malicious images (mitigation based on the vulnerability description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-ntfs3g-heap-overflow/","summary":"A heap buffer overflow vulnerability exists in NTFS-3G versions 2022.10.3 before 2026.2.25 that allows for heap memory corruption by processing a crafted NTFS image with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.","title":"NTFS-3G Heap Buffer Overflow Vulnerability (CVE-2026-40706)","url":"https://feed.craftedsignal.io/briefs/2026-04-ntfs3g-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40879"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","nestjs","recursion","cve-2026-40879","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNestJS, a Node.js framework for server-side applications, is vulnerable to an uncontrolled recursion issue. Prior to version 11.1.19, a malicious actor could exploit CVE-2026-40879 by sending a crafted TCP frame containing numerous small, valid JSON messages to a vulnerable NestJS application. The \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each message, causing the buffer to shrink with each call. This bypasses the \u003ccode\u003emaxBufferSize\u003c/code\u003e limit and leads to a call stack overflow. A payload as small as 47 KB is sufficient to trigger a \u003ccode\u003eRangeError\u003c/code\u003e and crash the application. This vulnerability allows for a denial-of-service attack. The vulnerability has been patched in NestJS version 11.1.19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NestJS application running a version prior to 11.1.19.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a TCP packet containing multiple small, valid JSON messages.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted TCP packet to the vulnerable NestJS application.\u003c/li\u003e\n\u003cli\u003eThe NestJS application\u0026rsquo;s \u003ccode\u003ehandleData()\u003c/code\u003e function receives the TCP packet.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each JSON message in the packet.\u003c/li\u003e\n\u003cli\u003eWith each recursive call, the buffer shrinks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaxBufferSize\u003c/code\u003e is never reached because of the stack overflow.\u003c/li\u003e\n\u003cli\u003eThe call stack overflows, leading to a \u003ccode\u003eRangeError\u003c/code\u003e and application crash, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40879 leads to a denial-of-service condition. A single attacker can potentially bring down a vulnerable NestJS application with a relatively small payload of approximately 47KB. This can impact businesses relying on the affected NestJS application, leading to service disruptions and potential data loss. The vulnerability affects any application using NestJS versions before 11.1.19, making a large number of applications potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all NestJS applications to version 11.1.19 or later to patch CVE-2026-40879.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NestJS TCP Payload\u003c/code\u003e to identify potentially malicious TCP traffic targeting NestJS applications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for large TCP packets containing many small JSON messages, which may indicate an attempted exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-nest-recursion-dos/","summary":"NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.","title":"NestJS Uncontrolled Recursion Denial-of-Service Vulnerability (CVE-2026-40879)","url":"https://feed.craftedsignal.io/briefs/2026-04-nest-recursion-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["util-linux","denial-of-service","information-disclosure","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the util-linux package that can be exploited by a local attacker. While specific details regarding the vulnerable component or version are not provided in the advisory, successful exploitation can lead to a denial-of-service (DoS) condition and the disclosure of sensitive information. The impact is limited to systems where the attacker has local access, but successful exploitation could disrupt services and expose sensitive data to unauthorized users. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential disruptions and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a Linux system running a vulnerable version of util-linux.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable utility within the util-linux package. (Specific utility name not provided).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input or command designed to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes the malicious input/command using the vulnerable utility.\u003c/li\u003e\n\u003cli\u003eThe vulnerability causes the targeted utility to crash or enter a non-responsive state, contributing to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to read sensitive information from the system\u0026rsquo;s memory or file system.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the disclosed information.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the disclosed information for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to trigger a denial-of-service condition, potentially disrupting critical system services. The attacker can also disclose sensitive information, leading to potential data breaches or further compromise of the system. The number of affected systems is unknown but depends on the prevalence of the vulnerable util-linux version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate the specific vulnerable utility and version within util-linux to determine the scope of impact using OS package management tools (\u003ccode\u003edpkg\u003c/code\u003e, \u003ccode\u003erpm\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unusual command-line arguments or behaviors associated with util-linux utilities using \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T08:08:57Z","date_published":"2026-04-22T08:08:57Z","id":"/briefs/2024-04-util-linux-dos-info-disclosure/","summary":"A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.","title":"util-linux Vulnerability Allows DoS and Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2024-04-util-linux-dos-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["redhat","vulnerability","denial-of-service","information-disclosure","code-execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities affect Red Hat Hardened Images RPMs. A remote, anonymous attacker could exploit these weaknesses to compromise the system. The vulnerabilities could lead to bypassing security precautions, causing a denial-of-service condition, disclosing sensitive information, or performing unspecified attacks, including potential code execution. The specifics of the vulnerable RPMs (jq and pyOpenSSL) are mentioned, highlighting a focus on common utilities. While the exact CVEs are not specified in this brief, the potential for code execution elevates the risk and requires immediate attention. Defenders should focus on identifying and patching vulnerable systems to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Red Hat Hardened Images RPM (jq or pyOpenSSL) running on a target system.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload tailored to exploit a specific vulnerability within the identified RPM.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a network connection to send the malicious payload to the target system.\u003c/li\u003e\n\u003cli\u003eThe vulnerable RPM processes the payload, triggering the vulnerability (e.g., buffer overflow, arbitrary code injection).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system with the privileges of the compromised process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain root access, potentially by exploiting further vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or modifies system files to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, denial-of-service attacks, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities in Red Hat Hardened Images RPMs could result in significant damage. An attacker could gain complete control over the affected systems, leading to data breaches, system outages, and further compromise of the network. The lack of specific vulnerability details makes quantifying the scope of impact difficult, but the potential for code execution makes this a high-priority threat. Affected sectors are broad due to the widespread use of Red Hat systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Vulnerable Red Hat Package Installation\u003c/code\u003e to identify systems installing or upgrading the \u003ccode\u003ejq\u003c/code\u003e or \u003ccode\u003epyOpenSSL\u003c/code\u003e packages, which may indicate a vulnerable system.\u003c/li\u003e\n\u003cli\u003eInvestigate systems identified by the Sigma rule for unusual network activity or suspicious processes to find potentially compromised hosts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected execution of binaries by the \u003ccode\u003ejq\u003c/code\u003e or \u003ccode\u003epyOpenSSL\u003c/code\u003e processes to detect potential exploitation using the \u003ccode\u003eDetect Suspicious Process Execution by Vulnerable RPM\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:44:11Z","date_published":"2026-04-21T08:44:11Z","id":"/briefs/2026-04-redhat-hardening-vulns/","summary":"Remote, anonymous attackers can exploit vulnerabilities in Red Hat Hardened Images RPMs to bypass security measures, cause denial of service, disclose sensitive information, or potentially execute code.","title":"Multiple Vulnerabilities in Red Hat Hardened Images RPMs","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-hardening-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35465"},{"cvss":8.1,"id":"CVE-2025-24888"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["securedrop","gzip","code execution","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSecureDrop Client, a desktop application designed for secure communication between journalists and sources, is vulnerable to code execution (versions 0.17.4 and below). The vulnerability, identified as CVE-2026-35465, stems from improper filename validation during the extraction of gzip archives. A compromised SecureDrop Server can leverage this flaw to overwrite critical files, such as the SQLite database, on the Client\u0026rsquo;s virtual machine (sd-app). While exploiting this vulnerability requires prior compromise of the hardened SecureDrop Server (accessible only via Tor), successful exploitation leads to significant impact on the confidentiality, integrity, and availability of sensitive source submissions. This issue is similar to CVE-2025-24888, but arises through a different code path. Version 0.17.5 addresses this vulnerability with a more robust fix within the replacement SecureDrop Inbox codebase.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the SecureDrop Server, gaining control over its file handling processes.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious gzip archive containing filenames with absolute paths (e.g., \u003ccode\u003e/opt/securedrop/client/db.sqlite\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker uploads this malicious gzip archive to the compromised SecureDrop Server.\u003c/li\u003e\n\u003cli\u003eThe SecureDrop Client retrieves the malicious gzip archive from the SecureDrop Server via Tor.\u003c/li\u003e\n\u003cli\u003eThe SecureDrop Client attempts to extract the contents of the gzip archive using a vulnerable extraction routine.\u003c/li\u003e\n\u003cli\u003eDue to improper filename validation, the extraction process overwrites critical files, such as the SQLite database, on the client\u0026rsquo;s virtual machine (sd-app).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution by manipulating the overwritten files to execute arbitrary code upon the next application startup or during normal operation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to decrypted source submissions and can exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35465 allows a compromised SecureDrop Server to execute arbitrary code on the SecureDrop Client\u0026rsquo;s virtual machine. This leads to a complete breach of confidentiality, integrity, and availability of decrypted source submissions handled by the client. Journalists relying on SecureDrop could have their sources exposed, leading to severe repercussions for both journalists and their sources. The impact is limited to SecureDrop deployments running vulnerable versions (0.17.4 and below).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SecureDrop Client installations to version 0.17.5 or later to remediate CVE-2026-35465.\u003c/li\u003e\n\u003cli\u003eMonitor SecureDrop Client systems for unusual file writes, especially to critical directories such as \u003ccode\u003e/opt/securedrop/client/\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden the SecureDrop Server\u0026rsquo;s security configuration to prevent initial compromise, as exploitation requires prior access to the server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:16:18Z","date_published":"2026-04-18T01:16:18Z","id":"/briefs/2026-04-securedrop-gzip-vuln/","summary":"A compromised SecureDrop server can achieve code execution on the SecureDrop client's virtual machine by exploiting improper filename validation during gzip archive extraction, allowing for the overwriting of critical files.","title":"SecureDrop Client Code Execution via Gzip Extraction Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-securedrop-gzip-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-32107"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xrdp","privilege-escalation","cve-2026-32107","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32107 affects xrdp, an open-source Remote Desktop Protocol (RDP) server. Specifically, versions up to and including 0.10.5 contain a flaw in the session execution component. The vulnerability stems from the improper handling of errors during the privilege drop process. This allows a local, authenticated attacker to potentially escalate their privileges to root. Successful exploitation requires an additional, unspecified exploit to trigger the vulnerable code path. The vulnerability has been addressed in xrdp version 0.10.6. Defenders should prioritize upgrading affected systems to version 0.10.6 or later. The reported CVSS v3.1 base score is 8.8, indicating a high severity. This vulnerability allows local attackers to execute arbitrary code with elevated privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a system running a vulnerable version of xrdp (\u0026lt;= 0.10.5) with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an xrdp session, triggering the vulnerable session execution component.\u003c/li\u003e\n\u003cli\u003eThe xrdp session attempts to drop privileges as part of its normal operation.\u003c/li\u003e\n\u003cli\u003eAn error occurs during the privilege drop process due to the flaw described in CVE-2026-32107.\u003c/li\u003e\n\u003cli\u003eDue to the improper error handling, the privilege drop fails, or partially fails, leaving the process with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits this partially dropped or retained privilege context. This step requires a currently unspecified, additional exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code with root privileges due to the incomplete privilege drop.\u003c/li\u003e\n\u003cli\u003eThe attacker persists or pivots to other systems based on their elevated access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32107 allows a local attacker to gain root privileges on a vulnerable system. This can lead to complete system compromise, including data theft, modification, or destruction. While the vulnerability requires an additional exploit to be fully realized, the high CVSS score reflects the significant impact of a successful attack. The number of potential victims is dependent on the prevalence of vulnerable xrdp versions within an organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade xrdp to version 0.10.6 or later to remediate CVE-2026-32107, as per the GitHub release notes (\u003ca href=\"https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6\"\u003ehttps://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor systems running xrdp for unexpected privilege escalation attempts or suspicious process behavior.\u003c/li\u003e\n\u003cli\u003eConsider deploying the provided Sigma rule to detect suspicious process creation events related to xrdp exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:33Z","date_published":"2026-04-17T20:16:33Z","id":"/briefs/2026-04-xrdp-privesc/","summary":"xrdp versions through 0.10.5 are vulnerable to a privilege escalation flaw (CVE-2026-32107) where improper privilege management during the privilege drop process could allow an authenticated local attacker to escalate privileges to root and execute arbitrary code.","title":"xrdp Privilege Escalation Vulnerability (CVE-2026-32107)","url":"https://feed.craftedsignal.io/briefs/2026-04-xrdp-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-41035"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["rsync","use-after-free","cve-2026-41035","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ersync versions 3.0.1 through 3.4.1 are susceptible to a use-after-free vulnerability identified as CVE-2026-41035. This flaw resides within the \u003ccode\u003ereceive_xattr\u003c/code\u003e function, where an untrusted length value is used during a \u003ccode\u003eqsort\u003c/code\u003e call. The vulnerability is triggered only when rsync is executed with the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option, which enables extended attribute handling. While many Linux configurations are vulnerable, the issue is more prevalent on non-Linux platforms. Exploitation of this vulnerability could allow a malicious actor to achieve arbitrary code execution on the target system. Defenders should prioritize patching rsync installations and consider disabling the \u003ccode\u003e-X\u003c/code\u003e option where extended attributes are not essential.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system where they can influence rsync parameters. This could be through a compromised user account or a vulnerable service.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious rsync command that includes the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option to enable extended attribute processing.\u003c/li\u003e\n\u003cli\u003eThe crafted command is executed on the victim machine, targeting a vulnerable rsync version (3.0.1 to 3.4.1).\u003c/li\u003e\n\u003cli\u003eDuring the \u003ccode\u003ereceive_xattr\u003c/code\u003e function call, the untrusted length value provided by the attacker is passed to the \u003ccode\u003eqsort\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eqsort\u003c/code\u003e function attempts to sort the extended attributes based on the attacker-controlled length.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated length value, the \u003ccode\u003eqsort\u003c/code\u003e function accesses memory outside the allocated buffer, leading to a use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition allows the attacker to potentially overwrite memory with malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed within the context of the rsync process, granting them control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41035 can lead to arbitrary code execution on the affected system. The impact can range from data corruption to complete system compromise. Given the widespread use of rsync for data synchronization and backups, a successful attack could affect a large number of systems across various sectors. The vulnerability is particularly concerning on non-Linux platforms, where the likelihood of successful exploitation is higher.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade rsync to a version beyond 3.4.1 to patch CVE-2026-41035.\u003c/li\u003e\n\u003cli\u003eImplement the file integrity monitoring rule to detect unauthorized modification of rsync binaries.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect rsync commands using the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option, as those options are required to trigger this vulnerability.\u003c/li\u003e\n\u003cli\u003eWhere possible, disable the use of the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option for rsync to prevent exploitation of this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T07:16:31Z","date_published":"2026-04-16T07:16:31Z","id":"/briefs/2026-04-rsync-use-after-free/","summary":"rsync versions 3.0.1 through 3.4.1 are vulnerable to a use-after-free vulnerability in the receive_xattr function during a qsort call, triggered by an untrusted length value when the -X/--xattrs option is used, potentially leading to code execution.","title":"rsync Use-After-Free Vulnerability in Extended Attribute Handling (CVE-2026-41035)","url":"https://feed.craftedsignal.io/briefs/2026-04-rsync-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-41015"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["radare2","command-injection","cve-2026-41015","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-41015 is a command injection vulnerability affecting radare2, a reverse engineering framework, when configured on UNIX systems without SSL. The vulnerability occurs in the \u003ccode\u003erabin2\u003c/code\u003e utility, specifically when processing Program Database (PDB) files with the \u003ccode\u003e-PP\u003c/code\u003e option. An attacker can inject arbitrary commands into the PDB name, which are then executed by the system. This vulnerability exists within a specific commit range after version 6.1.2 and before 6.1.3 (commit 9236f44). While radare2 encourages users to use the latest git version, the short timeframe of the vulnerable code increases the risk for users who have not updated within that period. Exploitation could lead to complete system compromise if the radare2 process has sufficient privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable radare2 installation configured on a UNIX system without SSL.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PDB file name containing embedded OS commands.\u003c/li\u003e\n\u003cli\u003eAttacker supplies the crafted PDB file name as input to the \u003ccode\u003erabin2 -PP\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erabin2\u003c/code\u003e processes the PDB name without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe embedded OS commands within the PDB name are executed by the system.\u003c/li\u003e\n\u003cli\u003eAttacker gains arbitrary code execution within the context of the radare2 process.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the initial access to escalate privileges.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41015 allows an attacker to execute arbitrary commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, or denial of service. The impact is particularly severe if radare2 is running with elevated privileges. The number of potential victims is dependent on the number of radare2 installations running vulnerable versions and configurations, but it is estimated to be relatively low due to the specific configuration requirements and the short lifespan of the vulnerable code in the git repository.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 9236f44 to remediate the command injection vulnerability in radare2.\u003c/li\u003e\n\u003cli\u003eAvoid configuring radare2 on UNIX systems without SSL to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eradare2-suspicious-rabin2-execution\u003c/code\u003e to detect exploitation attempts involving the \u003ccode\u003erabin2\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003erabin2\u003c/code\u003e with unusual command-line arguments as indicated by the rule \u003ccode\u003eradare2-rabin2-pdb-injection\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T03:16:27Z","date_published":"2026-04-16T03:16:27Z","id":"/briefs/2026-04-radare2-cmd-injection/","summary":"Radare2 before commit 9236f44, when configured on UNIX without SSL, is vulnerable to command injection via a PDB name passed to rabin2 -PP, potentially allowing arbitrary code execution.","title":"Radare2 Command Injection Vulnerability (CVE-2026-41015)","url":"https://feed.craftedsignal.io/briefs/2026-04-radare2-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zarf","path-traversal","arbitrary-file-write","package-inspection","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZarf, a tool for air-gapped deployments, is susceptible to a path traversal vulnerability (CVE-2026-40090) affecting versions prior to v0.74.2. The vulnerability stems from inadequate sanitization of the \u003ccode\u003eMetadata.Name\u003c/code\u003e field within Zarf package manifests. When a user employs the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e commands on an untrusted package, the tool constructs output file paths by concatenating a user-controlled output directory with the package\u0026rsquo;s \u003ccode\u003eMetadata.Name\u003c/code\u003e field. A malicious actor can craft a Zarf package with a manipulated \u003ccode\u003eMetadata.Name\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e), enabling arbitrary file write capabilities within the permissions of the user running the \u003ccode\u003einspect\u003c/code\u003e command. This vulnerability allows attackers to write to locations they control, potentially leading to privilege escalation or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003ezarf.yaml\u003c/code\u003e manifest within the package to include a \u003ccode\u003eMetadata.Name\u003c/code\u003e field containing path traversal sequences (e.g., \u003ccode\u003e../../../../tmp/evil\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repacks the Zarf package, recalculating checksums if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eA victim user downloads the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe victim executes \u003ccode\u003ezarf package inspect sbom --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eZarf extracts the \u003ccode\u003eMetadata.Name\u003c/code\u003e from the \u003ccode\u003ezarf.yaml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eZarf constructs an output path by joining the user-specified output directory (/tmp) with the malicious \u003ccode\u003eMetadata.Name\u003c/code\u003e (\u003ccode\u003e../../../../tmp/evil\u003c/code\u003e), resulting in \u003ccode\u003e/tmp/../../../../tmp/evil\u003c/code\u003e. The tool attempts to write the SBOM or documentation data to this path, resulting in writing the file to \u003ccode\u003e/tmp/evil\u003c/code\u003e. This allows attackers to write files such as SSH authorized keys, cron jobs, or shell profiles.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the file system, limited by the permissions of the user running the \u003ccode\u003ezarf package inspect\u003c/code\u003e command. This can lead to several critical consequences: privilege escalation by writing to authorized_keys files, arbitrary code execution by writing cron jobs, or persistent compromise by writing to shell profiles. This vulnerability affects users running the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e command on untrusted packages. The affected packages are go/github.com/zarf-dev/zarf versions \u0026gt;= 0.23.0 and \u0026lt; 0.74.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Zarf to version v0.74.2 or later to patch CVE-2026-40090.\u003c/li\u003e\n\u003cli\u003eAvoid inspecting unsigned Zarf packages as a workaround until the upgrade is complete, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Zarf Package Inspection with Path Traversal\u0026rdquo; to identify attempts to exploit this vulnerability via command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories (e.g., \u003ccode\u003e/home/$USER/.ssh\u003c/code\u003e, \u003ccode\u003e/etc/cron.d\u003c/code\u003e) for files created by the zarf binary using the \u0026ldquo;Detect Zarf Arbitrary File Write\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-15-zarf-path-traversal/","summary":"Zarf is vulnerable to path traversal due to insufficient sanitization of the Metadata.Name field in package manifests when using the `zarf package inspect sbom` or `zarf package inspect documentation` commands, potentially leading to arbitrary file write.","title":"Zarf Path Traversal Vulnerability via Malicious Package Metadata.Name","url":"https://feed.craftedsignal.io/briefs/2026-04-15-zarf-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["jq","denial-of-service","hash-collision","CVE-2026-40164","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40164 identifies a denial-of-service (DoS) vulnerability affecting the \u003ccode\u003ejq\u003c/code\u003e command-line JSON processor. Prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, \u003ccode\u003ejq\u003c/code\u003e employed MurmurHash3 with a fixed, publicly known seed (0x432A9843) for all JSON object hash table operations. This weakness allowed a malicious actor to precompute key collisions offline. An attacker could then supply a specially crafted JSON object, roughly 100KB in size, where all keys hash to the same bucket. This forces hash table lookups to degrade from O(1) to O(n) complexity, effectively turning any \u003ccode\u003ejq\u003c/code\u003e expression into an O(n²) operation, resulting in significant CPU exhaustion. The vulnerability impacts common \u003ccode\u003ejq\u003c/code\u003e use cases, including CI/CD pipelines, web services, and data processing scripts. The vulnerability has been addressed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker analyzes the \u003ccode\u003ejq\u003c/code\u003e source code and identifies the use of MurmurHash3 with the hardcoded seed 0x432A9843.\u003c/li\u003e\n\u003cli\u003eThe attacker develops a script to generate JSON keys that will collide with each other when hashed using MurmurHash3 and the specific seed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON object, approximately 100KB in size, containing numerous colliding keys.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this malicious JSON object to a system running \u003ccode\u003ejq\u003c/code\u003e, potentially via an API endpoint or as input to a data processing script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejq\u003c/code\u003e process parses the JSON object and attempts to perform hash table lookups. Due to the collisions, these lookups become extremely slow, consuming excessive CPU resources.\u003c/li\u003e\n\u003cli\u003eThe CPU utilization on the target system spikes, potentially impacting the performance of other applications.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejq\u003c/code\u003e process may become unresponsive or crash due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe system experiences a denial-of-service condition, preventing legitimate users or processes from accessing \u003ccode\u003ejq\u003c/code\u003e functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40164 can lead to denial-of-service conditions on systems utilizing the \u003ccode\u003ejq\u003c/code\u003e JSON processor. The vulnerability impacts environments where \u003ccode\u003ejq\u003c/code\u003e is used, including CI/CD pipelines, web services, and data processing scripts. If successfully exploited, critical processes relying on \u003ccode\u003ejq\u003c/code\u003e may become unavailable, leading to disruptions in automated workflows, web application outages, and data processing delays. The relatively small size of the malicious JSON payload (approximately 100KB) makes this vulnerability practical and easily exploitable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ejq\u003c/code\u003e version containing commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 or later to patch the vulnerability (reference: CVE-2026-40164).\u003c/li\u003e\n\u003cli\u003eMonitor CPU utilization on systems running \u003ccode\u003ejq\u003c/code\u003e for unusually high activity, especially when processing JSON data, to detect potential exploitation attempts (reference: Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eImplement resource limits and rate limiting on services that accept JSON input to mitigate the impact of denial-of-service attacks (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:16:07Z","date_published":"2026-04-14T00:16:07Z","id":"/briefs/2026-04-jq-hash-dos/","summary":"A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.","title":"jq JSON Processor Hash Table Collision Denial-of-Service Vulnerability (CVE-2026-40164)","url":"https://feed.craftedsignal.io/briefs/2026-04-jq-hash-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2024-27297"},{"cvss":9,"id":"CVE-2026-39860"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nix","privilege-escalation","linux","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in the Nix package manager for Linux systems, stemming from an incomplete fix for CVE-2024-27297. The flaw, identified as CVE-2026-39860, allows for arbitrary file overwrites due to improper handling of symlinks during the registration of fixed-output derivation outputs. This occurs when a derivation builder creates a symlink within the build chroot pointing to an arbitrary location in the filesystem. Subsequently, the Nix process, operating in the host mount namespace, follows this symlink and overwrites the destination with the derivation\u0026rsquo;s output. This issue primarily affects sandboxed Linux builds, while macOS builds remain unaffected. The vulnerability poses a significant risk in multi-user Nix installations where any user with build submission privileges (i.e., those allowed by \u0026lsquo;allowed-users\u0026rsquo;) can exploit this flaw to gain root privileges by modifying sensitive system files. The vulnerability has been patched in Nix versions 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious user, with privileges to submit builds to the Nix daemon, crafts a Nix derivation designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious derivation includes instructions to create a symlink within the build chroot. This symlink points to a sensitive system file outside of the chroot environment, such as \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Nix daemon initiates the build process within a sandboxed environment. The derivation builder creates the specified symlink during the build.\u003c/li\u003e\n\u003cli\u003eDuring the fixed-output derivation output registration phase, the Nix process attempts to copy the output from the temporary output location to the Nix store.\u003c/li\u003e\n\u003cli\u003eThe Nix process encounters the malicious symlink. Due to insufficient validation, it follows the symlink to the target file in the root filesystem.\u003c/li\u003e\n\u003cli\u003eThe Nix process overwrites the contents of the target file with the derivation\u0026rsquo;s output, effectively modifying the sensitive system file.\u003c/li\u003e\n\u003cli\u003eBy overwriting a file like \u003ccode\u003e/etc/shadow\u003c/code\u003e, the attacker can manipulate user account information, including password hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges by logging in as a modified or newly created user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability in multi-user Nix installations allows any user capable of submitting builds to the Nix daemon to achieve root privilege escalation. This could lead to complete system compromise, including data theft, modification, or destruction. The severity is critical because it bypasses standard security measures and directly impacts system integrity. The number of potentially affected systems is broad, encompassing any Linux system utilizing a vulnerable version of Nix in a multi-user configuration, which is a common setup.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Nix to version 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6 to patch CVE-2026-39860.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious activity related to \u003ccode\u003enix-daemon\u003c/code\u003e and file modifications in sensitive directories such as \u003ccode\u003e/etc/passwd\u003c/code\u003e and \u003ccode\u003e/etc/shadow\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on sensitive system files to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly audit and restrict the \u003ccode\u003eallowed-users\u003c/code\u003e configuration of the Nix daemon to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-nix-privesc/","summary":"A flaw in Nix package manager allows arbitrary file overwrites via symlink following during fixed-output derivation registration, potentially leading to root privilege escalation on multi-user Linux systems.","title":"Nix Package Manager Arbitrary File Overwrite Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nix-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40030"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eparseusbs before version 1.9 is susceptible to an OS command injection vulnerability, identified as CVE-2026-40030. This flaw arises from the application\u0026rsquo;s failure to sanitize the volume listing path argument (-v flag) before passing it to the \u003ccode\u003eos.popen()\u003c/code\u003e function in Python. This function executes shell commands, and in this case, uses \u003ccode\u003els\u003c/code\u003e to list volume contents. By crafting a malicious volume path containing shell metacharacters, an attacker can inject arbitrary commands that will be executed with the privileges of the parseusbs process. This vulnerability was reported by VulnCheck and patched in subsequent versions. Successful exploitation requires the attacker to control the \u003ccode\u003e-v\u003c/code\u003e flag\u0026rsquo;s value, typically through command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable parseusbs instance running a version prior to 1.9.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious volume path argument containing shell metacharacters (e.g., \u003ccode\u003e;/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes parseusbs with the \u003ccode\u003e-v\u003c/code\u003e flag, supplying the crafted volume path as the argument.  Example: \u003ccode\u003eparseusbs -v \u0026quot;; command\u0026quot;\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eparseusbs passes the unsanitized volume path argument to the \u003ccode\u003eos.popen()\u003c/code\u003e function along with the \u003ccode\u003els\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.popen()\u003c/code\u003e function executes the combined command within a shell, injecting the attacker\u0026rsquo;s commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with the privileges of the parseusbs process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary command execution, potentially leading to system compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, lateral movement, or data exfiltration depending on the injected commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40030 allows an attacker to execute arbitrary commands on the system where parseusbs is running. This can lead to a full system compromise, including data theft, modification, or destruction. Given a CVSS v3.1 score of 7.8, this vulnerability is considered high severity. While specific victim counts and sectors are unknown, any system running a vulnerable version of parseusbs is at risk, particularly if the application processes user-supplied volume paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade parseusbs to version 1.9 or later to remediate CVE-2026-40030 (Reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Parseusbs Command Line Arguments\u003c/code\u003e to identify potential exploitation attempts (Reference: Rules).\u003c/li\u003e\n\u003cli\u003eMonitor command-line arguments passed to parseusbs for shell metacharacters (e.g., \u003ccode\u003e;/|\u0026amp;\u003c/code\u003e) (Reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:23Z","date_published":"2026-04-08T22:16:23Z","id":"/briefs/2026-04-parseusbs-command-injection/","summary":"parseusbs before 1.9 is vulnerable to OS command injection (CVE-2026-40030) due to improper sanitization of the volume listing path argument, potentially allowing arbitrary command execution via crafted volume paths.","title":"parseusbs OS Command Injection Vulnerability (CVE-2026-40030)","url":"https://feed.craftedsignal.io/briefs/2026-04-parseusbs-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34045"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["podman-desktop","denial-of-service","information-disclosure","cve-2026-34045","linux","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePodman Desktop, a graphical tool for container and Kubernetes development, is vulnerable to an unauthenticated remote attack in versions prior to 1.26.2. The exposed HTTP server lacks proper connection limits and timeouts, enabling attackers to exhaust file descriptors and kernel memory. This resource exhaustion leads to denial-of-service conditions, potentially crashing the application or freezing the entire host system. Furthermore, verbose error responses from the server inadvertently disclose internal paths and system details, including usernames on Windows systems. This information leakage facilitates further exploitation attempts. The vulnerability, identified as CVE-2026-34045, requires no authentication or user interaction and is exploitable over a network, making it a significant threat to systems running vulnerable versions of Podman Desktop. Users should update to version 1.26.2 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Podman Desktop instance running a version prior to 1.26.2 exposed on the network.\u003c/li\u003e\n\u003cli\u003eAttacker connects to the unauthenticated HTTP server exposed by Podman Desktop.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a large number of HTTP requests without proper connection management.\u003c/li\u003e\n\u003cli\u003eThe server fails to enforce connection limits, leading to an exhaustion of available file descriptors on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker sends specially crafted requests designed to trigger resource-intensive operations, consuming excessive kernel memory.\u003c/li\u003e\n\u003cli\u003eAs file descriptors and kernel memory are depleted, the Podman Desktop application becomes unresponsive.\u003c/li\u003e\n\u003cli\u003eThe system experiences a denial-of-service condition, potentially leading to application crash or a full host freeze.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes verbose error responses to gain insights into internal paths and system details, potentially including usernames on Windows, to prepare for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34045 can lead to a complete denial-of-service of the Podman Desktop application, disrupting container and Kubernetes development workflows. In severe cases, the entire host system may freeze, requiring a reboot and causing data loss or corruption. The information disclosure aspect of the vulnerability, leaking internal paths and usernames, can aid attackers in crafting more targeted and sophisticated attacks against the compromised system. The lack of authentication makes all installations of vulnerable Podman Desktop versions potential targets, impacting developers and organizations relying on this tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Podman Desktop to version 1.26.2 or later to patch CVE-2026-34045.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict access to the Podman Desktop HTTP server only to trusted networks, mitigating external exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Excessive HTTP Requests to Podman Desktop\u0026rdquo; to identify potential denial-of-service attempts against vulnerable Podman Desktop instances.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual HTTP requests and error responses from Podman Desktop, correlating them with potential exploitation attempts. Enable webserver logging to activate the rule above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T21:17:17Z","date_published":"2026-04-07T21:17:17Z","id":"/briefs/2026-04-podman-desktop-dos/","summary":"Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.","title":"Unauthenticated Denial-of-Service and Information Disclosure in Podman Desktop","url":"https://feed.craftedsignal.io/briefs/2026-04-podman-desktop-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openssh","gssapi","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the GSSAPI implementation of OpenSSH, potentially affecting Ubuntu Linux systems. According to the BSI advisory published on April 7, 2026, an anonymous remote attacker can exploit this vulnerability. The specifics of the vulnerability are not detailed in the advisory, but successful exploitation could lead to undefined behavior or a denial-of-service condition on the targeted system. This is a significant concern for organizations relying on OpenSSH for secure remote access, as it could disrupt services and impact availability. Further investigation is warranted to understand the root cause and potential mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenSSH server running on an Ubuntu Linux system with GSSAPI enabled.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an SSH connection to the target server.\u003c/li\u003e\n\u003cli\u003eDuring the GSSAPI authentication exchange, the attacker sends a specially crafted request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenSSH GSSAPI implementation fails to properly handle the malicious request.\u003c/li\u003e\n\u003cli\u003eThe server enters an unstable state due to the unhandled exception or memory corruption.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH process crashes, leading to a denial-of-service.\u003c/li\u003e\n\u003cli\u003eRepeated exploitation can keep the SSH service unavailable, preventing legitimate users from accessing the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in a denial-of-service condition, rendering the affected OpenSSH server unavailable. This can disrupt critical services relying on SSH for remote access and management. The number of potential victims is widespread, affecting any Ubuntu Linux system running a vulnerable version of OpenSSH with GSSAPI enabled. The impact ranges from temporary service outages to prolonged inaccessibility of affected systems, potentially leading to significant operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for unusual SSH traffic patterns, particularly those involving GSSAPI authentication (see the \u0026ldquo;Detect Suspicious SSH GSSAPI Authentication\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eReview OpenSSH server logs for error messages or crashes occurring during GSSAPI authentication attempts (see the \u0026ldquo;Detect OpenSSH GSSAPI Authentication Failures\u0026rdquo; rule and enable detailed logging).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of OpenSSH processes crashing or becoming unresponsive, especially after receiving inbound network connections.\u003c/li\u003e\n\u003cli\u003eStay informed about future security updates from OpenSSH and Ubuntu Linux that address this vulnerability, and apply them promptly upon release.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:16:06Z","date_published":"2026-04-07T10:16:06Z","id":"/briefs/2026-04-openssh-gssapi-dos/","summary":"A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.","title":"OpenSSH GSSAPI Vulnerability Leads to Potential Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-04-openssh-gssapi-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-22661"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-write","code-execution","cve-2026-22661","prompts.chat","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eprompts.chat, a software application, is vulnerable to a path traversal attack (CVE-2026-22661) in versions prior to commit 0f8d4c3. This vulnerability stems from insufficient server-side validation of filenames within skill file archives. A remote attacker can exploit this by crafting malicious ZIP archives that contain filenames with path traversal sequences (e.g., ../). When a vulnerable prompts.chat instance extracts these archives, the lack of proper sanitization allows the attacker to write files to arbitrary locations on the file system, potentially overwriting critical system files and achieving arbitrary code execution. This poses a significant risk to system integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a specially crafted skill file.\u003c/li\u003e\n\u003cli\u003eThe filenames within the ZIP archive include path traversal sequences such as \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive to the prompts.chat application.\u003c/li\u003e\n\u003cli\u003eprompts.chat processes the uploaded ZIP archive without properly sanitizing the filenames.\u003c/li\u003e\n\u003cli\u003eThe application extracts the contents of the ZIP archive, writing files to locations specified in the malicious filenames.\u003c/li\u003e\n\u003cli\u003ePath traversal sequences in the filenames allow the attacker to write files outside the intended extraction directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites shell initialization files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e) or other executable files.\u003c/li\u003e\n\u003cli\u003eWhen a user logs in or a new shell is spawned, the overwritten initialization file executes malicious code, granting the attacker arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22661 allows an attacker to write arbitrary files to the client system, leading to potential overwrite of sensitive system files and arbitrary code execution. The vulnerability affects systems running vulnerable versions of prompts.chat. The impact includes complete compromise of the system, data theft, and further propagation of malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch by upgrading to commit 0f8d4c3 or later to remediate CVE-2026-22661.\u003c/li\u003e\n\u003cli\u003eImplement server-side filename validation and sanitization to prevent path traversal attacks when handling ZIP archives within prompts.chat.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences in filenames as identified by the provided rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-prompts-chat-traversal/","summary":"A path traversal vulnerability exists in prompts.chat prior to commit 0f8d4c3, allowing attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames.","title":"prompts.chat Path Traversal Vulnerability (CVE-2026-22661)","url":"https://feed.craftedsignal.io/briefs/2026-04-prompts-chat-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-5485"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5485","command injection","athena","odbc","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5485 is an OS command injection vulnerability affecting the Amazon Athena ODBC driver before version 2.0.5.1 on Linux systems. The vulnerability resides in the browser-based authentication component of the driver. A local attacker can exploit this flaw by crafting malicious connection parameters that are then processed by the driver during a locally initiated connection attempt. Successful exploitation allows the attacker to execute arbitrary commands on the underlying system with the privileges of the user running the ODBC driver. This poses a significant risk to systems using vulnerable versions of the driver. The vulnerability was published on April 3, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a Linux system with the vulnerable Amazon Athena ODBC driver installed (version before 2.0.5.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts specially crafted connection parameters designed to inject OS commands. This could involve manipulating fields expected by the driver to trigger command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a connection to Amazon Athena using the vulnerable ODBC driver and the crafted connection parameters.\u003c/li\u003e\n\u003cli\u003eThe ODBC driver attempts to authenticate using the browser-based authentication component, loading the malicious connection parameters.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the crafted parameters are not properly sanitized, leading to OS command injection.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed on the system with the privileges of the user running the ODBC driver.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the command execution to install malware, create new user accounts, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5485 allows an attacker to execute arbitrary commands on a vulnerable Linux system. The impact includes potential data theft, system compromise, and lateral movement within the network. Given the nature of command injection, the attacker has significant control over the compromised system, allowing for a wide range of malicious activities. Organizations using the affected Amazon Athena ODBC driver on Linux should prioritize patching to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Amazon Athena ODBC driver to version 2.0.5.1 or later on all Linux systems to remediate CVE-2026-5485.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Linux systems for unusual processes spawned by the ODBC driver using the Sigma rules provided below.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on Linux systems to limit the ability of attackers to leverage local access to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable logging for ODBC driver activity and review logs for suspicious connection attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts by monitoring for command line arguments indicative of command injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-athena-odbc-cmd-injection/","summary":"A critical OS command injection vulnerability (CVE-2026-5485) in the Amazon Athena ODBC driver before 2.0.5.1 for Linux allows local attackers to execute arbitrary code via specially crafted connection parameters.","title":"Amazon Athena ODBC Driver OS Command Injection Vulnerability (CVE-2026-5485)","url":"https://feed.craftedsignal.io/briefs/2026-04-athena-odbc-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["kubectl","kubernetes","command_and_control","network_configuration","linux","macos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies potential malicious activity involving the \u003ccode\u003ekubectl\u003c/code\u003e command-line tool, specifically focusing on modifications to network configurations within Kubernetes environments. The rule monitors for \u003ccode\u003ekubectl\u003c/code\u003e commands executed with arguments like \u0026ldquo;port-forward\u0026rdquo;, \u0026ldquo;proxy\u0026rdquo;, or \u0026ldquo;expose,\u0026rdquo; which can be used to manipulate network settings. The activity is considered suspicious when initiated from atypical parent processes or directories, such as temporary folders or user home directories. This behavior might indicate an adversary attempting to establish unauthorized access channels or exfiltrate sensitive data. The rule is designed to work with endpoint detection and response (EDR) solutions like Elastic Defend, Crowdstrike, SentinelOne, and cloud workload protection platforms. The rule was last updated on March 30, 2026, and is intended for use in production environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with \u003ccode\u003ekubectl\u003c/code\u003e installed and configured to interact with a Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003ekubectl\u003c/code\u003e command with arguments like \u003ccode\u003eport-forward\u003c/code\u003e to create a local port that forwards traffic to a service or pod within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl proxy\u003c/code\u003e to create a proxy server that allows them to access the Kubernetes API server from their local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker employs \u003ccode\u003ekubectl expose\u003c/code\u003e to create a new service that exposes a deployment, replication controller, or pod as a new Kubernetes service, potentially opening up unintended access points.\u003c/li\u003e\n\u003cli\u003eThe attacker may execute these commands from a shell like \u003ccode\u003ebash\u003c/code\u003e, or from a script located in a temporary directory like \u003ccode\u003e/tmp/\u003c/code\u003e or \u003ccode\u003e/var/tmp/\u003c/code\u003e, to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified network configurations to establish unauthorized access to sensitive services or data within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the proxied or forwarded connections to exfiltrate data from the cluster to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via \u003ccode\u003ekubectl\u003c/code\u003e network configuration modification can lead to unauthorized access to sensitive data and services within a Kubernetes cluster. This can result in data breaches, service disruptions, and lateral movement within the cluster. The low severity score suggests that while the risk exists, the impact might be limited if proper Kubernetes security best practices are followed. The rule aims to detect these actions early, preventing potential damage to the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend integration or equivalent EDR solutions to monitor process execution and network connections (\u003ccode\u003eData Source: Elastic Defend\u003c/code\u003e, \u003ccode\u003eData Source: Crowdstrike\u003c/code\u003e, \u003ccode\u003eData Source: SentinelOne\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious \u003ccode\u003ekubectl\u003c/code\u003e commands with network-related arguments (\u003ccode\u003erules\u003c/code\u003e section). Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the command-line arguments of the \u003ccode\u003ekubectl\u003c/code\u003e command (\u003ccode\u003erules\u003c/code\u003e section, \u003ccode\u003eResources: Investigation Guide\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for \u003ccode\u003ekubectl\u003c/code\u003e activities and network configuration changes within the Kubernetes cluster to proactively detect and respond to similar threats in the future (\u003ccode\u003eResources: Investigation Guide\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:16:09Z","date_published":"2026-04-01T14:16:09Z","id":"/briefs/2026-05-kubectl-network-modification/","summary":"This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.","title":"Kubectl Network Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-kubectl-network-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["bpfdoor","linux","backdoor","ebpf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBPFDoor is an evasive Linux backdoor that utilizes extended Berkeley Packet Filter (eBPF) technology to establish stealthy communication channels and maintain persistence on compromised systems. This backdoor has been observed targeting telecom networks, acting as a sleeper cell within the infrastructure. The threat leverages eBPF for its ability to operate at a low level, making detection challenging. This threat brief focuses on detecting BPFDoor through its interaction with common PID and lock files in the \u003ccode\u003e/var/run\u003c/code\u003e directory, where it attempts to masquerade as legitimate processes or services. The access of these files by unauthorized or unexpected processes can be a strong indicator of BPFDoor activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, possibly through exploitation of a vulnerability or stolen credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the BPFDoor backdoor onto the compromised system.\u003c/li\u003e\n\u003cli\u003eBPFDoor establishes persistence by injecting itself into the kernel using eBPF.\u003c/li\u003e\n\u003cli\u003eBPFDoor attempts to blend in with legitimate system activity by accessing or manipulating process ID (.pid) and lock (.lock) files in the \u003ccode\u003e/var/run\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eSpecifically, BPFDoor may access files like \u003ccode\u003e/var/run/aepmonend.pid\u003c/code\u003e, \u003ccode\u003e/var/run/auditd.lock\u003c/code\u003e, \u003ccode\u003e/var/run/cma.lock\u003c/code\u003e, \u003ccode\u003e/var/run/console-kit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/consolekit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/daemon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-addon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-smartd.pid\u003c/code\u003e, \u003ccode\u003e/var/run/haldrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hp-health.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlit.lock\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlited.pid\u003c/code\u003e, \u003ccode\u003e/var/run/kdevrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/lldpad.lock\u003c/code\u003e, \u003ccode\u003e/var/run/mcelog.pid\u003c/code\u003e, \u003ccode\u003e/var/run/system.pid\u003c/code\u003e, \u003ccode\u003e/var/run/uvp-srv.pid\u003c/code\u003e, \u003ccode\u003e/var/run/vmtoolagt.pid\u003c/code\u003e, and \u003ccode\u003e/var/run/xinetd.lock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis access may involve reading, writing, or modifying these files to conceal its presence.\u003c/li\u003e\n\u003cli\u003eBPFDoor uses the eBPF-based communication channel to receive commands from a remote attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the compromised system, potentially leading to data theft, system disruption, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BPFDoor infection can lead to a persistent and stealthy backdoor on a Linux system. Given the nature of eBPF, detection is difficult, potentially allowing attackers long-term access to the system and sensitive data. Telecom networks are specifically mentioned, indicating potential disruption of critical communications infrastructure. The number of victims and specific damage caused varies per deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBPFDoor Abnormal Process ID or Lock File Accessed\u003c/code\u003e to your SIEM to detect suspicious access to lock and PID files in \u003ccode\u003e/var/run\u003c/code\u003e based on auditd logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on identifying the process accessing the lock or PID file and whether it is legitimate.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to identify unusual eBPF activity.\u003c/li\u003e\n\u003cli\u003eRegularly review and update intrusion detection systems (IDS) signatures to include known BPFDoor indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:18:05Z","date_published":"2026-04-01T11:18:05Z","id":"/briefs/2024-10-bpfdoor-lockfile-access/","summary":"BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.","title":"BPFDoor Lock File Access","url":"https://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["libxslt","rhel","vulnerability","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in the libxslt library within Red Hat Enterprise Linux (RHEL) that could allow a local attacker to perform a denial-of-service (DoS) attack or execute arbitrary code. While specific versions and CVEs are not mentioned in the advisory, the potential impact is significant. This vulnerability could be exploited if a user processes a malicious XSLT stylesheet, leading to memory corruption or other exploitable conditions. This poses a serious risk to systems where libxslt is used to process untrusted or user-supplied XSLT files, potentially allowing for complete system compromise. Defenders should prioritize identifying vulnerable systems and applying patches as soon as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains access to the target RHEL system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XSLT stylesheet designed to exploit the libxslt vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a local program that uses libxslt to parse the crafted stylesheet. This could be a custom application or a common utility that relies on libxslt for XSLT processing.\u003c/li\u003e\n\u003cli\u003eWhen the vulnerable libxslt library parses the malicious stylesheet, it triggers a buffer overflow or other memory corruption vulnerability.\u003c/li\u003e\n\u003cli\u003eThe memory corruption allows the attacker to overwrite critical system memory or inject malicious code.\u003c/li\u003e\n\u003cli\u003eIf a DoS condition is triggered, the affected service or application crashes, leading to a disruption of service.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully injects and executes arbitrary code, they gain control of the affected process with the privileges of the user running the application.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage their gained access to escalate privileges and perform further malicious activities on the system, such as installing backdoors or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, causing the affected application or service to crash and become unavailable. More critically, it can allow a local attacker to execute arbitrary code with the privileges of the user running the vulnerable application. This could lead to full system compromise if the affected application runs with elevated privileges. The impact is amplified in environments where libxslt is used to process untrusted or user-supplied XSLT files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all systems running Red Hat Enterprise Linux that utilize the libxslt library.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for suspicious child processes spawned by applications utilizing libxslt with the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eWhen available, apply the appropriate patches or updates for libxslt provided by Red Hat to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for XSLT stylesheets processed by applications to mitigate the risk of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:20:35Z","date_published":"2026-04-01T09:20:35Z","id":"/briefs/2024-05-rhel-libxslt-vuln/","summary":"A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.","title":"Red Hat Enterprise Linux libxslt Vulnerability Allows DoS and Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-05-rhel-libxslt-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in suspicious script executions on Linux-based GitHub Actions runners, which led to the discovery of a supply chain compromise affecting the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action. This action is a popular open-source vulnerability scanner frequently used in CI/CD pipelines. The attacker retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. These commits replaced the legitimate entry point with a multi-stage credential stealer. The injected code executes before the original scanner, allowing workflows to complete seemingly normally while secretly exfiltrating sensitive information. Aqua Security has confirmed and removed the malicious artifacts. This incident highlights the risks associated with mutable tags in Git-based workflows and the importance of verifying action integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script to include malicious code for credential theft. Specifically, the attacker prepends approximately 105 lines of malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to retroactively poison existing release tags (e.g., \u003ccode\u003e@0.24.0\u003c/code\u003e) to point to the malicious commit.\u003c/li\u003e\n\u003cli\u003eDevelopers\u0026rsquo; CI/CD pipelines reference the compromised \u003ccode\u003etrivy-action\u003c/code\u003e using a poisoned tag (e.g., \u003ccode\u003eaquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a workflow runs, the GitHub Actions runner downloads and executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, granting it access to the runner\u0026rsquo;s environment, secrets, and network.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential targets for credential theft.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates credentials and secrets.\u003c/li\u003e\n\u003cli\u003eThe original \u003ccode\u003etrivy\u003c/code\u003e scanner is executed, masking the malicious activity and allowing the workflow to complete normally.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etrivy-action\u003c/code\u003e GitHub Action allowed attackers to steal credentials and secrets from CI/CD pipelines that used the compromised action. Because the malicious code ran with the full privileges of the runner, it had access to sensitive information such as API keys, deployment tokens, and cloud credentials. The number of affected organizations is unknown, but given the widespread adoption of \u003ccode\u003etrivy-action\u003c/code\u003e, the potential impact is significant. Successful exploitation can lead to unauthorized access to cloud resources, code repositories, and other sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipeline configurations for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and audit the integrity of the referenced tags against the known good commits, if available from Aqua Security\u0026rsquo;s advisories.\u003c/li\u003e\n\u003cli\u003eImplement tooling and processes to verify the integrity of third-party GitHub Actions used in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious activity, such as enumeration of processes or unexpected network connections (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs on CI/CD runner environments to identify anomalous script execution (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T06:07:07Z","date_published":"2026-03-31T06:07:07Z","id":"/briefs/2026-04-trivy-action-compromise/","summary":"The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-compromise/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["act","cache-poisoning","rce","github-actions","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eact\u003c/code\u003e project, designed for local execution of GitHub Actions workflows, contains a critical vulnerability affecting versions prior to 0.2.86. The built-in actions/cache server, intended for local caching, inadvertently listens for connections on all network interfaces. This exposure allows any attacker capable of reaching the server, including those on the internet, to create caches with arbitrary keys and retrieve existing cache data. By predicting the cache keys used by local actions, an attacker can inject malicious content into the cache, paving the way for arbitrary remote code execution within the Docker container used by \u003ccode\u003eact\u003c/code\u003e. This vulnerability was addressed in version 0.2.86 of \u003ccode\u003eact\u003c/code\u003e. The CVSS v3.1 base score is 8.2, indicating a high severity threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable \u003ccode\u003eact\u003c/code\u003e instance running a version prior to 0.2.86 with its cache server exposed on all interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed \u003ccode\u003eact\u003c/code\u003e cache server to determine accessible endpoints and version information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes common GitHub Actions workflows and identifies predictable cache keys.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious cache archive containing payloads designed for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious cache archive to the vulnerable \u003ccode\u003eact\u003c/code\u003e instance using the predicted cache key.\u003c/li\u003e\n\u003cli\u003eA legitimate user triggers a local GitHub Actions workflow using \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eact\u003c/code\u003e instance retrieves the attacker\u0026rsquo;s malicious cache archive instead of the expected legitimate cache.\u003c/li\u003e\n\u003cli\u003eThe malicious payload within the cache is executed within the Docker container, leading to remote code execution on the host system running \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary remote code execution on the host system running the vulnerable version of \u003ccode\u003eact\u003c/code\u003e. This can lead to complete system compromise, data theft, and further lateral movement within the network. The vulnerability affects any user running a version of \u003ccode\u003eact\u003c/code\u003e prior to 0.2.86 with the cache server exposed. While the number of directly affected users is unknown, the potential impact on development environments and CI/CD pipelines is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 0.2.86 or later of the \u003ccode\u003eact\u003c/code\u003e project to remediate the vulnerability (CVE-2026-34042).\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the \u003ccode\u003eact\u003c/code\u003e cache server to only trusted networks and hosts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the \u003ccode\u003eact\u003c/code\u003e cache server for unexpected or unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running \u003ccode\u003eact\u003c/code\u003e to detect potentially malicious processes spawned from Docker containers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T03:15:58Z","date_published":"2026-03-31T03:15:58Z","id":"/briefs/2024-02-29-act-cache-rce/","summary":"A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.","title":"act Project Cache Poisoning Vulnerability Leads to Potential RCE","url":"https://feed.craftedsignal.io/briefs/2024-02-29-act-cache-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nginx","vulnerability","denial-of-service","code-execution","webserver","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in NGINX and NGINX Plus, potentially allowing attackers to perform a range of malicious activities. These include launching denial-of-service (DoS) attacks to disrupt service availability, manipulating sensitive data, bypassing existing security measures, and, in the worst-case scenario, achieving arbitrary code execution on the affected system. Defenders should be aware that although no specific CVEs or attack campaigns are mentioned, the broad range of potential impacts makes patching and detection critical. The scope of these vulnerabilities extends to any organization utilizing NGINX or NGINX Plus as part of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the specific vulnerabilities are not detailed, the following attack chain represents a generalized exploitation scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e The attacker identifies a vulnerable version of NGINX or NGINX Plus through reconnaissance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Development/Acquisition:\u003c/strong\u003e The attacker develops a custom exploit or obtains one from public or private sources targeting the identified vulnerability (e.g., buffer overflow, integer overflow, or configuration flaw).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Selection:\u003c/strong\u003e The attacker identifies a vulnerable NGINX instance exposed to the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Exploitation:\u003c/strong\u003e The attacker sends a specially crafted request to the targeted NGINX server, triggering the vulnerability. This might involve manipulating HTTP headers, crafting specific URL parameters, or exploiting flaws in request handling.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e Depending on the vulnerability, the attacker may need to escalate privileges to gain full control of the system. This could involve exploiting additional vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation/Security Bypass/DoS:\u003c/strong\u003e The attacker leverages the exploited vulnerability to manipulate data served by NGINX, bypass authentication or authorization mechanisms, or initiate a denial-of-service attack by consuming excessive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution (Potential):\u003c/strong\u003e If the vulnerability allows, the attacker executes arbitrary code on the NGINX server, potentially installing malware, establishing persistence, or using the compromised server as a pivot point for further attacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Exfiltration (Potential):\u003c/strong\u003e After gaining a foothold, the attacker may attempt to move laterally within the network, compromising other systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant damage. A denial-of-service attack can disrupt critical services, causing financial losses and reputational damage. Data manipulation can compromise the integrity of information served by NGINX, leading to incorrect decisions or further attacks. Bypassing security measures can grant unauthorized access to sensitive resources. Arbitrary code execution allows the attacker to take complete control of the server, potentially leading to data theft, system compromise, and further attacks on internal infrastructure. The exact number of potential victims is unknown, but it could be extensive given the widespread use of NGINX and NGINX Plus.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NGINX and NGINX Plus to the latest patched versions to remediate known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Suspicious Nginx Configuration Changes\u0026rdquo; Sigma rule to detect unauthorized modifications to the Nginx configuration.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Nginx DoS Attempts\u0026rdquo; Sigma rule to monitor for suspicious traffic patterns indicative of a denial-of-service attack against Nginx.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit exposure of NGINX servers to untrusted networks.\u003c/li\u003e\n\u003cli\u003eRegularly review NGINX configuration files for misconfigurations and security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:14:08Z","date_published":"2026-03-30T10:14:08Z","id":"/briefs/2026-03-nginx-vulns/","summary":"Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.","title":"Multiple Vulnerabilities in NGINX and NGINX Plus","url":"https://feed.craftedsignal.io/briefs/2026-03-nginx-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["incus","template-injection","privilege-escalation","CVE-2026-33897","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIncus, a system container and virtual machine manager, is vulnerable to arbitrary read and write access as root due to a flaw in its instance template handling. Prior to version 6.23.0, the application lacks proper chroot isolation when processing pongo2 templates. These templates, intended for file templating within instances during their lifecycle, bypass the expected chroot, granting access to the entire host filesystem with root privileges. This vulnerability, identified as CVE-2026-33897…\u003c/p\u003e\n","date_modified":"2026-03-26T23:16:20Z","date_published":"2026-03-26T23:16:20Z","id":"/briefs/2024-01-incus-template-vuln/","summary":"A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.","title":"Incus Instance Template Vulnerability CVE-2026-33897","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-template-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rhel","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Red Hat Enterprise Linux, specifically within the 389-ds-base component. This flaw allows a remote, authenticated attacker to execute arbitrary code on the affected system. While the specific nature of the vulnerability isn\u0026rsquo;t detailed, the authentication requirement suggests it likely involves a flaw in how the 389 Directory Server handles authenticated requests. Successful exploitation could lead to complete system compromise, allowing the attacker to install malware, steal sensitive data, or disrupt services. Additionally, the vulnerability has the potential to be leveraged for a denial-of-service (DoS) attack, rendering the system unavailable. Defenders should prioritize patching and monitoring for suspicious activity related to the 389-ds-base service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid credentials for the 389 Directory Server, possibly through credential stuffing, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an authenticated connection to the 389 Directory Server (likely over LDAP or LDAPS).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request that exploits the vulnerability within 389-ds-base. This request could involve a specially formatted LDAP query or modification operation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within 389-ds-base processes the malicious request, leading to arbitrary code execution in the context of the 389 Directory Server process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to escalate privileges to root or another privileged account. This could involve exploiting other vulnerabilities or misconfigurations on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware, backdoors, or other malicious tools on the compromised system.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker triggers a denial-of-service condition, causing the 389 Directory Server to crash or become unresponsive.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, targeting other critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow attackers to gain complete control of Red Hat Enterprise Linux systems running the 389 Directory Server. This could lead to data breaches, system outages, and further compromise of the network. The potential for denial-of-service attacks could disrupt critical services and impact business operations. The number of affected systems depends on the prevalence of 389-ds-base deployments within an organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches provided by Red Hat for the 389-ds-base package to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting 389-ds-base.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for the 389 Directory Server for suspicious login attempts or unusual activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential breach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T09:51:23Z","date_published":"2026-03-25T09:51:23Z","id":"/briefs/2026-03-rhel-code-execution/","summary":"A remote, authenticated attacker can exploit a vulnerability in Red Hat Enterprise Linux (specifically 389-ds-base) to achieve arbitrary code execution and potentially cause a denial of service.","title":"Red Hat Enterprise Linux Vulnerability Leads to Code Execution and Potential DoS","url":"https://feed.craftedsignal.io/briefs/2026-03-rhel-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["linux","kernel","vulnerability","workqueue"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026lsquo;Out-of-Cancel\u0026rsquo; vulnerability class, discovered and detailed in March 2026, highlights a category of security flaws residing within the workqueue cancellation APIs in the Linux kernel. This vulnerability arises when work items are improperly handled during cancellation, potentially leading to use-after-free conditions, race conditions, and other memory corruption issues. The initial report and analysis were published on March 23, 2026. While specific exploits are not detailed in the source material, the nature of kernel vulnerabilities makes them critical for defenders to address. The impact can range from denial of service to privilege escalation and potentially arbitrary code execution within the kernel context. This vulnerability class affects a broad range of Linux systems, making it a widespread concern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user-space program triggers a specific kernel function that queues a work item to a workqueue.\u003c/li\u003e\n\u003cli\u003eThe work item is scheduled for execution, but before it begins, the user-space program requests cancellation of the work item via a workqueue cancellation API.\u003c/li\u003e\n\u003cli\u003eDue to a race condition or improper synchronization, the work item is canceled but not fully removed from the workqueue\u0026rsquo;s internal data structures.\u003c/li\u003e\n\u003cli\u003eThe kernel attempts to access the work item after it has been freed, resulting in a use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eAn attacker manipulates memory layout to place controlled data at the memory location of the freed work item.\u003c/li\u003e\n\u003cli\u003eThe kernel code now operates on the attacker-controlled data, leading to memory corruption or information leakage.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical kernel data structures, such as function pointers or security credentials.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to privilege escalation, allowing the attacker to execute arbitrary code with kernel-level privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u0026lsquo;Out-of-Cancel\u0026rsquo; vulnerability class can lead to severe consequences, including kernel crashes (denial of service), privilege escalation, and potentially arbitrary code execution within the kernel. A successful exploit could allow an attacker to gain complete control over the affected system. Due to the ubiquitous nature of the Linux kernel, a wide range of systems are potentially vulnerable, impacting servers, desktops, embedded systems, and mobile devices. While the exact number of vulnerable systems is unknown, the widespread use of affected kernel versions implies a significant potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor kernel logs for errors related to workqueue cancellations to detect potential exploitation attempts. Enable auditd to log kernel function calls related to workqueue management (audit.rules).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Potential Use-After-Free in Workqueue Cancellation\u003c/code\u003e to identify suspicious kernel events related to workqueue operations.\u003c/li\u003e\n\u003cli\u003eInvestigate any reported kernel panics or crashes, focusing on stack traces that involve workqueue-related functions.\u003c/li\u003e\n\u003cli\u003eStay informed about kernel patches and security advisories related to workqueue vulnerabilities and apply them promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T07:30:12Z","date_published":"2026-03-25T07:30:12Z","id":"/briefs/2026-03-out-of-cancel/","summary":"The 'Out-of-Cancel' vulnerability class stems from flaws in Linux workqueue cancellation APIs, potentially leading to exploitable conditions within the kernel.","title":"Out-of-Cancel Vulnerability Class in Linux Workqueue Cancellation APIs","url":"https://feed.craftedsignal.io/briefs/2026-03-out-of-cancel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["glibc","code-execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in the GNU C Library (glibc) that allows a local attacker to execute arbitrary code. The GNU C Library is a fundamental component of the Linux operating system, providing standard functions for programs. This vulnerability, reported on 2026-03-24, could potentially allow an attacker with local access to gain elevated privileges or compromise the system\u0026rsquo;s integrity by injecting and executing malicious code within the context of vulnerable applications utilizing the affected glibc version. Exploitation requires local access to the system, making it crucial to limit unauthorized access and monitor for suspicious activity. Successful exploitation grants the attacker the same privileges as the compromised application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial local access to a Linux system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable application linked against the affected GNU libc library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input specifically designed to exploit the vulnerability within the glibc library. This could involve manipulating function calls, memory allocation, or other glibc functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the vulnerable application with the crafted malicious input.\u003c/li\u003e\n\u003cli\u003eThe malicious input triggers the vulnerability within glibc, allowing the attacker to inject arbitrary code into the application\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected code executes within the context of the vulnerable application, potentially gaining elevated privileges or access to sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised application to further escalate privileges or move laterally within the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code, potentially leading to complete system compromise. The attacker gains the privileges of the user running the vulnerable application. The widespread use of glibc across Linux systems makes this vulnerability a significant threat. While the number of victims is unknown, the potential impact is high across various sectors using Linux-based infrastructure. A successful attack can result in data breaches, system instability, and unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unusual activity indicative of code injection, focusing on processes utilizing glibc functions (Enable process_creation logging).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect glibc Exploitation via Malicious Input\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any abnormal behavior or crashes in applications that rely on glibc.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit unauthorized local access to systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:40:49Z","date_published":"2026-03-24T12:40:49Z","id":"/briefs/2026-03-gnu-libc-code-execution/","summary":"A local attacker can exploit a vulnerability in GNU libc to execute arbitrary program code on Linux systems.","title":"GNU libc Vulnerability Allows Local Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-03-gnu-libc-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","cli","privilege_escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3587 describes a critical vulnerability affecting devices with a command-line interface (CLI). An unauthenticated remote attacker can exploit a hidden function within the CLI prompt to bypass intended restrictions and gain unauthorized access. This vulnerability allows the attacker to escape the restricted CLI environment and obtain root privileges on the underlying Linux-based operating system, leading to a complete system compromise. The vulnerability was reported by CERT VDE. A…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-cli-escape/","summary":"An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface of a device, leading to full compromise and root access on the underlying Linux-based OS, as described in CVE-2026-3587.","title":"Unauthenticated CLI Escape Vulnerability (CVE-2026-3587)","url":"https://feed.craftedsignal.io/briefs/2026-03-cli-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libxslt","rhel","code-execution","file-manipulation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the libxslt library in Red Hat Enterprise Linux (RHEL) that could be exploited by a local attacker. While specific details regarding the vulnerability (CVE number, affected versions) are not provided in this advisory, the potential impact includes arbitrary code execution or manipulation of files on the affected system. Due to the lack of specific details, the scope of targeting remains unknown, but any RHEL system utilizing libxslt is potentially vulnerable. It is imperative that detection engineers address this threat by implementing proactive measures to identify and mitigate potential exploitation attempts, particularly focusing on detecting unexpected behavior associated with libxslt processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a Red Hat Enterprise Linux system. This could be achieved through various means, such as compromising a user account or exploiting a separate vulnerability to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XSLT stylesheet specifically designed to exploit the libxslt vulnerability. This stylesheet could contain code intended for execution or file manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a program or script that leverages libxslt to process the crafted malicious stylesheet. This could involve using command-line tools or applications that rely on libxslt for XML transformations.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the malicious stylesheet, the libxslt vulnerability is triggered, leading to the execution of arbitrary code within the context of the application using libxslt.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges on the system, potentially gaining root access.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses the vulnerability to manipulate files on the system, modifying configurations, injecting malicious code into existing files, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised system, ensuring continued access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could be data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow a local attacker to gain complete control over the affected Red Hat Enterprise Linux system. This may lead to data breaches, system outages, or the installation of backdoors for persistent access. Given the widespread use of RHEL in enterprise environments, a successful attack could have significant consequences across various sectors. The potential for arbitrary code execution and file manipulation makes this a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected or unusual activity involving libxslt binaries using the provided Sigma rule \u003ccode\u003eDetect Suspicious Libxslt Process Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical system files using the Sigma rule \u003ccode\u003eDetect Malicious File Modification via Libxslt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly audit user privileges and access controls to minimize the potential impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified instances of potentially malicious XSLT stylesheets being processed on RHEL systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:16:03Z","date_published":"2026-03-24T10:16:03Z","id":"/briefs/2026-03-rhel-libxslt-vuln/","summary":"A local attacker can exploit a vulnerability in libxslt in Red Hat Enterprise Linux to execute arbitrary program code or manipulate files.","title":"Red Hat Enterprise Linux libxslt Vulnerability Allows Code Execution or File Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-03-rhel-libxslt-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xen","xenstore","denial-of-service","CVE-2026-23555","hypervisor","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-23555 details a vulnerability within the Xenstore component of the Xen hypervisor. A malicious or compromised guest virtual machine (VM) can trigger this vulnerability by issuing a Xenstore command that attempts to access a specific, illegal node path: \u003ccode\u003e/local/domain/\u003c/code\u003e. This improper node path verification leads to a clobbered error indicator within the xenstored process, ultimately causing it to crash due to a failing assert() statement.\u003c/p\u003e\n","date_modified":"2026-03-23T07:16:07Z","date_published":"2026-03-23T07:16:07Z","id":"/briefs/2026-03-xenstore-crash/","summary":"A guest VM issuing a Xenstore command with the node path '/local/domain/' can crash xenstored (CVE-2026-23555), or, if NDEBUG is defined, cause denial of service by consuming all CPU resources.","title":"Xenstore Crash Vulnerability via Malicious Node Path Access (CVE-2026-23555)","url":"https://feed.craftedsignal.io/briefs/2026-03-xenstore-crash/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ebpf","security-agent","autonomous-response","privilege-escalation","c2-blocking","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eInner Warden is an open-source security agent designed to enhance server protection by utilizing eBPF for kernel-level monitoring. The project aims to provide autonomous response capabilities, initially developed to protect an AI agent (OpenClaw). Inner Warden uses eBPF tracepoints (execve, connect, openat), kprobes on commit_creds for detecting privilege escalation, LSM hooks to block execution from /tmp and /dev/shm, and XDP for high-speed IP blocking. It incorporates a detection layer for brute force attacks, port scans, privilege escalations, container escapes, and C2 callbacks. The response layer includes blocking IPs, killing processes, restricting sudo access, and deploying simple honeypots. A distributed mesh architecture allows nodes to share signals about suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through an unspecified vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious binary from \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInner Warden\u0026rsquo;s LSM hook blocks the execution of the binary, preventing the initial execution attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by exploiting a vulnerability, triggering the \u003ccode\u003ecommit_creds\u003c/code\u003e kprobe.\u003c/li\u003e\n\u003cli\u003eInner Warden detects the privilege escalation attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish a command-and-control (C2) connection.\u003c/li\u003e\n\u003cli\u003eInner Warden detects the C2 callback and blocks the attacker\u0026rsquo;s IP address using XDP, preventing further communication.\u003c/li\u003e\n\u003cli\u003eInner Warden nodes share signals of the suspicious activity, prompting other nodes within the mesh to adjust their behavior, increasing security across the distributed environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deployment of Inner Warden could prevent privilege escalation attacks, block execution of malicious code from temporary directories, disrupt command-and-control communication, and mitigate brute force and port scanning attempts. A compromised node could potentially send false positives, but Inner Warden\u0026rsquo;s trust scoring is designed to avoid large-scale disruption. The primary impact is improved host security posture and potentially reduced incident response workload through automated threat mitigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule below to detect executions blocked by Inner Warden\u0026rsquo;s LSM hook from \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the network connection rule to identify C2 callbacks blocked by Inner Warden\u0026rsquo;s XDP-based IP blocking.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the privilege escalation detection rule, indicating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for alerts generated by Inner Warden regarding potential poisoning or false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T12:00:00Z","date_published":"2026-03-22T12:00:00Z","id":"/briefs/2026-03-inner-warden/","summary":"The open-source Inner Warden project is a security agent leveraging eBPF for kernel-level monitoring and autonomous response actions like IP blocking and process termination, aiming to create a distributed security mesh.","title":"Inner Warden Security Agent Capabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-inner-warden/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","cve-2026-3888"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3888 is a local privilege escalation vulnerability affecting Ubuntu systems using snap-confine. The vulnerability exists because systemd-tmpfiles may delete the /tmp/.snap directory, which is normally created by root. An unprivileged user can then recreate this directory and populate it with attacker-controlled files. The snap-confine utility, during subsequent snap sandbox initialization, may then bind-mount or trust these attacker-controlled paths. This can lead to the manipulation…\u003c/p\u003e\n","date_modified":"2026-03-20T08:34:17Z","date_published":"2026-03-20T08:34:17Z","id":"/briefs/2026-03-snap-confine-lpe/","summary":"An unprivileged user may exploit CVE-2026-3888 to escalate privileges to root by creating malicious files in the /tmp/.snap directory.","title":"Potential snap-confine Privilege Escalation via CVE-2026-3888","url":"https://feed.craftedsignal.io/briefs/2026-03-snap-confine-lpe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["persistence","linux","dfir"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePersistnux is a bash-based tool designed to aid security analysts and incident responders in identifying Linux persistence mechanisms employed by attackers. Developed by 0xblake, this tool streamlines the process of detecting various persistence techniques on compromised Linux systems. Persistnux performs comprehensive checks across the system, generating detailed reports in both CSV and JSONL formats for further analysis. Its key feature is its dependency-free operation, relying solely on built-in Linux tools, making it easily deployable on live systems. The tool focuses on detecting known methods used to maintain access, offering a valuable resource for defenders. It uses indicators and confidence scoring to highlight suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a Linux system through methods such as exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Once inside, the attacker attempts to escalate privileges to gain root access using exploits or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment:\u003c/strong\u003e The attacker employs various Linux persistence mechanisms to ensure continued access to the compromised system. These techniques include manipulating init scripts, cron jobs, and systemd services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInit Script Modification:\u003c/strong\u003e The attacker modifies init scripts located in \u003ccode\u003e/etc/init.d/\u003c/code\u003e or \u003ccode\u003e/etc/rc.d/\u003c/code\u003e to execute malicious code during system startup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCron Job Manipulation:\u003c/strong\u003e The attacker schedules malicious tasks using cron jobs by adding entries to \u003ccode\u003e/etc/crontab\u003c/code\u003e or user-specific crontab files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystemd Service Modification:\u003c/strong\u003e The attacker creates or modifies systemd service files in \u003ccode\u003e/etc/systemd/system/\u003c/code\u003e to execute malicious code as a service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReverse Shell Installation:\u003c/strong\u003e The attacker installs a reverse shell to maintain persistent access by connecting back to an attacker-controlled server. This may involve techniques like download-execute or obfuscation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious Activity:\u003c/strong\u003e With persistent access established, the attacker proceeds to exfiltrate sensitive data, deploy ransomware, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and persistence within a Linux environment can allow attackers to maintain long-term access, leading to data theft, system disruption, or the deployment of ransomware. The impact can range from data breaches and financial losses to reputational damage and operational downtime. The scope of impact depends on the level of access gained and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting init script modifications to identify potential persistence attempts (reference: Sigma rule for init script modification).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting cron job modifications to identify potential persistence attempts (reference: Sigma rule for cron job modification).\u003c/li\u003e\n\u003cli\u003eRegularly audit systemd service configurations for unauthorized modifications using the Sigma rule (reference: Sigma rule for systemd service modification).\u003c/li\u003e\n\u003cli\u003eUse Persistnux or similar tools to regularly scan systems for known persistence mechanisms and review the generated reports (reference: Persistnux tool).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T12:00:00Z","date_published":"2026-03-17T12:00:00Z","id":"/briefs/2026-03-persistnux-tool/","summary":"Persistnux is a bash-based tool designed to identify known Linux persistence mechanisms used by attackers to maintain access to compromised systems, generating detailed reports for DFIR analysis.","title":"Persistnux - Linux Persistence Detection Tool","url":"https://feed.craftedsignal.io/briefs/2026-03-persistnux-tool/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apparmor","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIn March 2026, Qualys disclosed a set of critical vulnerabilities collectively named \u0026ldquo;CrackArmor\u0026rdquo; affecting AppArmor, a Linux kernel security module. These flaws allow a local attacker to escalate privileges to root. While specific CVEs were not detailed in the initial Reddit post, the Qualys blog (linked in the source) will likely contain them. The vulnerabilities stem from weaknesses in AppArmor\u0026rsquo;s parsing and enforcement mechanisms, allowing for crafted AppArmor profiles or interactions with existing profiles to bypass security restrictions. This poses a significant risk to any Linux system using AppArmor for security, potentially leading to complete system compromise. Defenders need to investigate patching and workarounds immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to a vulnerable Linux system.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious AppArmor profile or modifies an existing one to exploit parsing vulnerabilities. This could involve exploiting weaknesses in how AppArmor handles specific characters, escape sequences, or profile directives.\u003c/li\u003e\n\u003cli\u003eThe attacker loads the crafted profile using \u003ccode\u003eapparmor_parser\u003c/code\u003e or a similar tool.\u003c/li\u003e\n\u003cli\u003eThe vulnerable AppArmor implementation fails to correctly parse the profile, leading to a bypass of security restrictions.\u003c/li\u003e\n\u003cli\u003eAttacker executes a program or script that would normally be blocked by AppArmor under a correctly enforced profile.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed restrictions, the attacker gains access to resources or capabilities normally restricted to the root user.\u003c/li\u003e\n\u003cli\u003eAttacker leverages these elevated privileges to execute arbitrary commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise, including data exfiltration, installation of malware, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows a local, unprivileged attacker to gain complete control over a vulnerable Linux system. This can lead to data breaches, system downtime, and the installation of persistent backdoors. The scope of impact depends on the prevalence of vulnerable AppArmor versions in different Linux distributions. Systems relying on AppArmor for security isolation are particularly at risk, potentially undermining container security or application sandboxing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConsult the Qualys blog post (linked in references) for specific CVE identifiers and patch information as soon as it is released.\u003c/li\u003e\n\u003cli\u003eApply patches for AppArmor as soon as they become available from your Linux distribution vendor.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for suspicious use of \u003ccode\u003eapparmor_parser\u003c/code\u003e and other AppArmor utilities.\u003c/li\u003e\n\u003cli\u003eAudit existing AppArmor profiles for potential vulnerabilities and misconfigurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T12:00:00Z","date_published":"2026-03-17T12:00:00Z","id":"/briefs/2026-03-crackarmor-lpe/","summary":"Qualys discovered critical vulnerabilities in AppArmor, enabling local privilege escalation to root on vulnerable Linux systems.","title":"CrackArmor: AppArmor Flaws Enable Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-03-crackarmor-lpe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026rsquo;env\u0026rsquo; command in Linux is typically used to run a program in a modified environment without altering the existing environment variables. However, attackers can abuse this command to invoke a shell directly, potentially bypassing restricted environments. This is often a technique used for privilege escalation or executing arbitrary commands in situations where direct shell access is limited. This activity matters for defenders because it can indicate an attacker attempting to gain…\u003c/p\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-env-shell-invocation/","summary":"The 'env' command is used to invoke a shell on Linux systems, potentially bypassing restricted environments or escalating privileges to execute arbitrary commands.","title":"Linux Shell Invocation via Env Command","url":"https://feed.craftedsignal.io/briefs/2024-10-env-shell-invocation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","container","auditd","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e being executed from within containers managed by \u003ccode\u003erunc\u003c/code\u003e on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title \u003ccode\u003erunc init\u003c/code\u003e that then execute \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of \u003ccode\u003erunc init\u003c/code\u003e suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. The rule specifically leverages Auditd Manager for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a containerized application running on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded tools to further compromise the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the data exfiltration process using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to send the staged data to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Curl or Wget Execution from Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditd Manager with syscall coverage including \u003ccode\u003eexecve\u003c/code\u003e to capture process execution and arguments within containers, as mentioned in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.\u003c/li\u003e\n\u003cli\u003eBaseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule\u0026rsquo;s false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-curl-wget-container-execution/","summary":"This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.","title":"Curl or Wget Execution from Container Context","url":"https://feed.craftedsignal.io/briefs/2024-01-curl-wget-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s specific network configuration and legitimate traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","log-clearing","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers often remove or modify system logs to hide their actions and hinder forensic investigations. This activity involves the use of common Linux utilities to delete or overwrite log files, making it difficult to trace the attacker\u0026rsquo;s entry point, lateral movement, and actions performed on the system. Log clearing is a common post-exploitation technique used by a wide range of threat actors across various campaigns. This brief focuses on detecting the usage of common utilities like \u003ccode\u003erm\u003c/code\u003e…\u003c/p\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-linux-log-clearing/","summary":"Adversaries attempt to clear Linux system logs using utilities like rm, rmdir, shred, and unlink to conceal malicious activity and evade detection.","title":"Linux Log Clearing Attempts via Common Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-09-linux-log-clearing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["container","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies a potential privilege escalation vulnerability within container environments utilizing \u003ccode\u003erunc\u003c/code\u003e, the low-level container runtime used by Docker and containerd. The rule focuses on audit events triggered by \u003ccode\u003erunc init\u003c/code\u003e child processes. Specifically, it flags instances where the effective user ID is root (0), while the login user ID is not root. This discrepancy can indicate malicious activity, such as exploiting credential separation or namespace transitions to gain unauthorized root privileges within the container or escape to the host. This is relevant for defenders because a compromised container can lead to host compromise, data exfiltration, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a container with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container to execute code as the \u003ccode\u003erunc init\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunc init\u003c/code\u003e process spawns a child process while retaining a non-root user ID in audit telemetry.\u003c/li\u003e\n\u003cli\u003eThe child process is assigned an effective user ID of 0 (root), bypassing normal permission controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to modify sensitive files or execute commands as root within the container\u0026rsquo;s namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escape the container by exploiting kernel vulnerabilities or misconfigurations to gain access to the host system.\u003c/li\u003e\n\u003cli\u003eUpon gaining access to the host system, the attacker can install malware, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack within a container environment can lead to complete compromise of the container and potentially the host system. This can result in data breaches, service disruptions, and unauthorized access to sensitive resources. The impact is significant because a single compromised container can become a launchpad for attacks against other containers or the underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Privilege Escalation via Runc Init\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003erunc init\u003c/code\u003e process executions.\u003c/li\u003e\n\u003cli\u003eEnable Linux audit logging via the Auditd Manager integration, ensuring that \u003ccode\u003eexecve\u003c/code\u003e and identity-related fields are captured.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the full audit event details, including process ancestry, user IDs, and container metadata.\u003c/li\u003e\n\u003cli\u003eReview container configurations and security profiles to identify potential misconfigurations that could facilitate privilege escalation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a compromised container.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T14:22:00Z","date_published":"2024-01-05T14:22:00Z","id":"/briefs/2024-01-runc-privilege-escalation/","summary":"Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.","title":"Potential Privilege Escalation in Container via Runc Init","url":"https://feed.craftedsignal.io/briefs/2024-01-runc-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","machine-learning","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from a machine learning job designed to detect anomalous command-line activity on Linux systems. Specifically, it focuses on identifying instances where privileged commands are executed with unusually high entropy. High entropy in command lines often signifies obfuscation, which threat actors use to mask their activities and evade detection. This rule leverages the Privileged Access Detection (PAD) integration from Elastic to identify these anomalies. The PAD integration requires Linux logs collected by Elastic Defend or Sysmon Linux. The detection logic analyzes command lines associated with privileged commands, flagging those with a high degree of randomness or complexity. This can indicate unauthorized use of valid accounts (T1078) or attempts at privilege escalation, especially if combined with defense evasion techniques (T1027) such as obfuscating commands. The rule and associated ML job have been in production since Feb 2025 and require Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through a compromised account or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged commands they need to execute to achieve their objectives, such as gaining root access or modifying sensitive files.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the attacker obfuscates their commands using techniques like encoding, compression, or complex string manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the obfuscated privileged commands via the command line.\u003c/li\u003e\n\u003cli\u003eElastic Defend or Sysmon Linux captures the command-line activity and logs it to Elasticsearch.\u003c/li\u003e\n\u003cli\u003eThe Privileged Access Detection ML job analyzes the command lines and calculates their entropy.\u003c/li\u003e\n\u003cli\u003eIf the entropy exceeds a predefined threshold, the ML job flags the activity as anomalous and generates an alert.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert to determine the nature of the suspicious activity and take appropriate action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation can grant an attacker complete control over a Linux system, allowing them to steal sensitive data, install malware, or disrupt critical services. While this rule itself triggers on unusual command line activity, the underlying behavior could lead to a full system compromise. The number of potential victims is directly related to the scope of the Linux environment being monitored. Sectors commonly targeted by privilege escalation attacks include technology, finance, and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Privileged Access Detection integration and ensure that Linux logs from Elastic Defend or Sysmon Linux are being ingested (Setup section).\u003c/li\u003e\n\u003cli\u003eReview and tune the machine learning job \u003ccode\u003epad_linux_high_median_process_command_line_entropy_by_user_ea\u003c/code\u003e to minimize false positives based on your environment (False positive analysis section in rule).\u003c/li\u003e\n\u003cli\u003eCreate a case management workflow triggered by the \u0026ldquo;High Command Line Entropy Detected for Privileged Commands\u0026rdquo; rule to ensure alerts are promptly investigated.\u003c/li\u003e\n\u003cli\u003eImplement the remediation steps outlined in the investigation guide to contain and eradicate any confirmed malicious activity (Response and remediation section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-high-command-line-entropy/","summary":"A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting possible privileged access activity through command lines, indicating potential obfuscation or unauthorized use of privileged access.","title":"High Command Line Entropy Detected for Privileged Commands on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-high-command-line-entropy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["file-integrity","privilege-escalation","persistence","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers often target sensitive and critical files on Linux systems to maintain persistence, escalate privileges, or disrupt system operations. These files include system configuration files, authentication files, and critical application files. Monitoring changes to these files is crucial for detecting malicious activity. This brief focuses on identifying suspicious process executions that could indicate unauthorized modification of sensitive files. The detection strategy covers processes…\u003c/p\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-sensitive-file-modification/","summary":"This threat brief covers the detection of suspicious processes modifying sensitive files on Linux systems, potentially indicating malicious attempts to persist, escalate privileges, or disrupt system operations.","title":"Suspicious Modification of Sensitive Linux Files","url":"https://feed.craftedsignal.io/briefs/2024-01-sensitive-file-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","container"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies instances where the \u003ccode\u003ensenter\u003c/code\u003e command is used to enter a process namespace, specifically targeting a PID. This technique is often employed to attach to the host\u0026rsquo;s init namespace from a container or session, effectively allowing the attacker to execute commands within the host\u0026rsquo;s context. This behavior is concerning because it can be used to escalate privileges and gain unauthorized access to the underlying system. This is especially relevant in containerized environments where attackers may attempt to escape the container and access the host system. The rule leverages Auditd logs to identify these \u003ccode\u003ensenter\u003c/code\u003e executions, focusing on those that include the \u003ccode\u003e--target\u003c/code\u003e or \u003ccode\u003e-t\u003c/code\u003e flags, which specify the target PID for namespace entry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container or a restricted session on a Linux host.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target PID, often the init process (PID 1), to enter its namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003ensenter\u003c/code\u003e command with the \u003ccode\u003e--target\u003c/code\u003e or \u003ccode\u003e-t\u003c/code\u003e flag, specifying the target PID. Additional namespace flags like \u003ccode\u003e--mount\u003c/code\u003e, \u003ccode\u003e--uts\u003c/code\u003e, \u003ccode\u003e--ipc\u003c/code\u003e, \u003ccode\u003e--net\u003c/code\u003e, and \u003ccode\u003e--user\u003c/code\u003e may also be used.\u003c/li\u003e\n\u003cli\u003eAuditd logs the \u003ccode\u003ensenter\u003c/code\u003e execution, capturing the process name, arguments, and other relevant metadata.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the \u003ccode\u003ensenter\u003c/code\u003e execution based on the command name and the presence of the \u003ccode\u003e--target\u003c/code\u003e or \u003ccode\u003e-t\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe attacker, now within the target PID\u0026rsquo;s namespace, executes commands with the privileges of that process. This may include reading sensitive files, modifying system configurations, or executing malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the escalated privileges to further compromise the host system, potentially gaining root access or deploying malware.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence mechanisms to maintain access to the compromised host, such as creating new systemd units or modifying existing ones.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of the host system. Attackers can gain root privileges, access sensitive data, and deploy malware. In containerized environments, this can allow attackers to escape the container and access the underlying host, potentially affecting other containers running on the same host. The impact is especially significant in production environments where compromised hosts can disrupt critical services and expose sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Auditd Manager integration on Linux hosts to collect process execution telemetry, as specified in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Nsenter to PID Namespace via Auditd\u0026rdquo; to detect suspicious \u003ccode\u003ensenter\u003c/code\u003e executions.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule by excluding known false positives, such as legitimate \u003ccode\u003ensenter\u003c/code\u003e executions by platform engineers or CNI/snap workflows, as mentioned in the \u003ca href=\"#false-positive-analysis\"\u003efalse positives section\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003ensenter\u003c/code\u003e executions by reviewing process arguments, parent processes, user identities, and host information, as outlined in the \u003ca href=\"#triage-and-analysis\"\u003etriage and analysis section\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIsolate any compromised hosts, revoke credentials, inspect for persistence, and re-image if integrity cannot be proven, as recommended in the \u003ca href=\"#response-and-remediation\"\u003eresponse and remediation section\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-nsenter-pid-namespace/","summary":"This rule detects nsenter executions that target a PID with a namespace target flag, a common pattern used to attach to the host init namespace from a container or session and run with host context, potentially escalating privileges.","title":"Nsenter to PID Namespace via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-03-nsenter-pid-namespace/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers can leverage cron jobs to schedule malicious tasks for persistence, privilege escalation, and execution of arbitrary code on compromised Linux systems. This involves creating or modifying cron files in specific directories such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e, \u003ccode\u003e/etc/cron.daily/\u003c/code\u003e, \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e, and others. The creation of unexpected cron files by non-administrative users or during suspicious timeframes warrants investigation. While not all cron file creations are malicious, the potential for abuse necessitates monitoring for anomalous activity. Detecting the creation of new cron files can help identify potential persistence mechanisms being deployed by malicious actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies cron job directories, such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e or \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new cron file within one of these directories.\u003c/li\u003e\n\u003cli\u003eThe cron file contains malicious commands or scripts designed to execute at a specific time or interval. This could include commands to download and execute malware or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe cron daemon automatically executes the commands specified in the newly created cron file according to the defined schedule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, allowing them to maintain control even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by scheduling commands that run with elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the persistent access to perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can grant attackers persistent access to compromised Linux systems, potentially leading to privilege escalation and unauthorized execution of arbitrary code. This can lead to data breaches, system compromise, and disruption of services. The impact is magnified if the compromised system has access to sensitive information or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect New Cron File Creation\u0026rdquo; to your SIEM to detect the creation of cron files in cron directories and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in cron directories such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e, \u003ccode\u003e/etc/cron.daily/\u003c/code\u003e, \u003ccode\u003e/etc/cron.hourly/\u003c/code\u003e, \u003ccode\u003e/etc/cron.monthly/\u003c/code\u003e, \u003ccode\u003e/etc/cron.weekly/\u003c/code\u003e, \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e, and \u003ccode\u003e/var/spool/cron/root\u003c/code\u003e using file_event logs.\u003c/li\u003e\n\u003cli\u003eBaseline normal cron file creation activity and apply additional filters to reduce false positives based on the specific environment, as mentioned in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-linux-cron-persistence/","summary":"An attacker may create new cron files in cron directories to establish persistence on a Linux system, potentially leading to privilege escalation and arbitrary code execution.","title":"Linux Cron File Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-03-linux-cron-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubelet","Elastic Defend","auditd_manager"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","lateral-movement","kubelet","linux","container"],"_cs_type":"advisory","_cs_vendors":["Elastic","Kubernetes"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious network connections to the Kubernetes Kubelet API, specifically targeting ports 10250 and 10255, from Linux hosts within internal network ranges. Attackers frequently exploit weak authentication or network controls to access the Kubelet API, potentially enabling them to enumerate pods, retrieve logs, and execute commands on nodes. This activity often originates from common scripting utilities like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or interpreters like \u003ccode\u003epython\u003c/code\u003e and \u003ccode\u003enode\u003c/code\u003e, particularly when executed from world-writable directories such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e. This technique is often a component of container and cluster lateral movement, where the attacker seeks to expand their access within the Kubernetes environment. The rule is designed to detect these unauthorized attempts and alert security teams to investigate potential breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised container or host within the Kubernetes cluster, potentially through exploiting a vulnerability in a running application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command, such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, from within the compromised container, targeting the Kubelet API on port 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e command is executed from a temporary directory like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate running pods and services by querying the \u003ccode\u003e/pods\u003c/code\u003e or \u003ccode\u003e/runningpods\u003c/code\u003e endpoints of the Kubelet API.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker identifies a target pod within the cluster based on the enumerated information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Kubelet API to execute commands within the target pod, potentially escalating privileges or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other nodes or containers within the Kubernetes cluster, repeating the reconnaissance and exploitation steps.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to gain control over the entire Kubernetes cluster, enabling data exfiltration, resource hijacking, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Kubelet API can lead to a complete compromise of the Kubernetes cluster. Attackers can gain unauthorized access to sensitive data, escalate privileges, and disrupt critical services. While the number of victims may vary depending on the organization\u0026rsquo;s security posture, a successful attack could impact all applications and data managed by the cluster. Organizations in any sector utilizing Kubernetes are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable syscall auditing and ensure that \u003ccode\u003eevent.category:network\u003c/code\u003e events are generated for network connections, as outlined in the rule\u0026rsquo;s setup guide.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eRestrict pod-to-node access to port 10250 using network policies or security groups to limit the attack surface, as noted in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement Kubernetes API audit logging to detect unauthorized access attempts and credential access, correlating with process argument telemetry as mentioned in the triage steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-kubelet-api-connection/","summary":"The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.","title":"Kubelet API Connection Attempt to Internal IP","url":"https://feed.craftedsignal.io/briefs/2024-01-kubelet-api-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager","Docker","containerd","kubelet"],"_cs_severities":["medium"],"_cs_tags":["container","privilege-escalation","lateral-movement","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Docker","Kubernetes"],"content_html":"\u003cp\u003eThis threat involves unauthorized processes connecting directly to container runtime sockets (Docker or Containerd) on Linux systems. This bypasses Kubernetes API server restrictions, potentially allowing attackers to create, execute, or manipulate containers without proper authorization or logging. The risk lies in attackers circumventing RBAC, admission webhooks, and pod security standards. The attack can start when a compromised process attempts to connect to the Docker or Containerd socket, potentially leading to privilege escalation and lateral movement within the containerized environment. This attack is significant because it undermines core security controls within container orchestration platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised process gains initial access to the host system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to connect to the container runtime socket (e.g., \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e or \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe process bypasses the Kubernetes API server and associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the direct socket connection to create a new container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data or resources within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised container to move laterally to other containers or hosts within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Kubernetes security measures, create unauthorized containers, and potentially gain control over the entire cluster. The observed impact includes privilege escalation, lateral movement, and data exfiltration. The severity of this attack depends on the level of access granted to the compromised container and the sensitivity of the data and resources within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to capture network and socket events, specifically monitoring for \u003ccode\u003econnect\u003c/code\u003e calls to Unix sockets as described in the \u003ca href=\"https://docs.elastic.co/integrations/auditd_manager\"\u003eAuditd Manager documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Connecting to Docker or Containerd Socket\u0026rdquo; to detect suspicious processes connecting to container runtime sockets, tuning \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e for known legitimate processes.\u003c/li\u003e\n\u003cli\u003eMonitor file permissions on the socket paths (\u003ccode\u003e/var/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/var/run/containerd/containerd.sock\u003c/code\u003e, \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e) and restrict access to trusted groups only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-container-socket-connection/","summary":"An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.","title":"Unusual Process Connecting to Docker or Containerd Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-container-socket-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","suid","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies suspicious executions of common privilege elevation tools on Linux systems. It focuses on instances where binaries like \u003ccode\u003esu\u003c/code\u003e, \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003epkexec\u003c/code\u003e, \u003ccode\u003epasswd\u003c/code\u003e, \u003ccode\u003echsh\u003c/code\u003e, and \u003ccode\u003enewgrp\u003c/code\u003e are executed with root privileges but are initiated by a non-root user. The rule further refines its focus by analyzing the parent process context, specifically looking for interpreters (Python, Perl, Ruby, etc.), commands executed from user-writable directories (/tmp, /var/tmp, /dev/shm, /home, /run/user), or short shell command invocations. The detection is designed to uncover potential privilege escalation attempts that may be indicative of malicious activity. This is important because attackers frequently use SUID binaries to elevate privileges, and detecting unusual usage patterns can help identify compromised systems or insider threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-privileged user gains initial access to the system, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a user-writable directory such as \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/home/\u0026lt;user\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious script or uses a one-liner command to invoke a SUID binary.\u003c/li\u003e\n\u003cli\u003eThe SUID binary (e.g., \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003epkexec\u003c/code\u003e, \u003ccode\u003esu\u003c/code\u003e) is executed with minimal arguments.\u003c/li\u003e\n\u003cli\u003eThe system executes the command with root privileges due to the SUID bit being set on the binary.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to modify system files, install malicious software, or create new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID binaries can lead to full system compromise. An attacker can gain complete control over the affected Linux system, potentially leading to data breaches, service disruptions, and the installation of persistent malware. This can affect critical infrastructure and sensitive data, causing significant financial and reputational damage. The severity is amplified when multiple systems are compromised, allowing for lateral movement and further exploitation within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and ensure that \u003ccode\u003eprocess.user.id\u003c/code\u003e, \u003ccode\u003eprocess.real_user.id\u003c/code\u003e, and \u003ccode\u003eprocess.parent.user.id\u003c/code\u003e are being captured to activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious SUID Binary Execution\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview authentication and sudoers policies to identify and remediate any misconfigurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the SUID binary execution and the parent process context.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive system binaries and directories, particularly those related to privilege escalation, to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRestrict the use of SUID binaries where possible and enforce strict permissions on those that are necessary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-suid-execution/","summary":"This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.","title":"Suspicious SUID Binary Execution on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Agent Auditd Manager","EKS","Azure","gcloud","Docker"],"_cs_severities":["high"],"_cs_tags":["credential-access","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Amazon","Microsoft","Google","Docker"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to sensitive identity files on Linux systems. It leverages Auditd to monitor file access events and flags processes that are commonly used for copying, scripting, or staging files from temporary directories. The targeted files include Kubernetes service account tokens, kubelet configurations, cloud CLI configurations for AWS, Azure, and Google Cloud, root SSH keys, and Docker configurations. These files are critical for authentication and authorization within the system, and unauthorized access could lead to credential theft, privilege escalation, or lateral movement. This is especially important in cloud environments and containerized deployments where these files are commonly used for managing access to resources. The rule is designed to exclude user home paths to avoid false positives and focus on system-level access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through various means, such as exploiting a vulnerability or compromising credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ecat\u003c/code\u003e, or \u003ccode\u003ecurl\u003c/code\u003e to access sensitive files such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e or \u003ccode\u003e/root/.ssh/id_rsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAuditd logs the file access event, capturing details about the process, user, and file path.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the suspicious process based on its name, executable path (e.g., \u003ccode\u003e/tmp/*\u003c/code\u003e), or command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe rule checks if the accessed file is in the list of sensitive identity files.\u003c/li\u003e\n\u003cli\u003eIf both conditions are met, the rule triggers an alert, indicating potential unauthorized access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access cloud resources or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and financial losses. The targeted files contain credentials for Kubernetes clusters, cloud environments (AWS, Azure, Google Cloud), and SSH keys, potentially impacting a wide range of resources. The impact is particularly severe in environments where these credentials are used for managing critical infrastructure or accessing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Auditd Manager integration with the specified audit rules in the provided setup steps to monitor access to sensitive identity files on Linux systems. Ensure auditd is properly configured and running (\u003ccode\u003eauditctl -l\u003c/code\u003e) to generate the necessary logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect suspicious processes accessing sensitive identity files and tune them for your environment by excluding legitimate processes or users as needed.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the process name, executable, parent command line, and the accessed file path to determine the legitimacy of the access.\u003c/li\u003e\n\u003cli\u003eReview and harden file permissions on shared credential stores to prevent unauthorized access. Rotate exposed keys and tokens and invalidate cloud sessions if a compromise is suspected, as suggested in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sensitive-identity-file-access/","summary":"This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.","title":"Suspicious Process Accessing Sensitive Identity Files via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-sensitive-identity-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pyp2spec (\u003c 0.14.1)"],"_cs_severities":["high"],"_cs_tags":["code-injection","supply-chain","rpm","linux"],"_cs_type":"advisory","_cs_vendors":["pip","Fedora"],"content_html":"\u003cp\u003epyp2spec, a tool for generating RPM spec files from PyPI packages, contains a code injection vulnerability affecting versions prior to 0.14.1. The vulnerability stems from the tool\u0026rsquo;s failure to properly escape RPM macro directives when writing PyPI package metadata (such as the summary field) into the generated spec file. This allows a malicious PyPI package to inject arbitrary commands into the spec file, which are then executed when an RPM tool processes the file. This poses a significant risk to package maintainers and build systems, particularly within the Fedora ecosystem where compromised credentials can lead to widespread supply chain attacks. The realistic attack vector involves typosquatting or targeting packages known to be under review.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PyPI package containing specially formatted metadata, including an RPM macro directive (e.g., within the package summary).\u003c/li\u003e\n\u003cli\u003eA Fedora packager, intending to package a legitimate Python package, uses \u003ccode\u003epyp2spec\u003c/code\u003e to generate an RPM spec file from the malicious PyPI package.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epyp2spec\u003c/code\u003e writes the attacker-controlled metadata, including the unescaped RPM macro directive, into the generated spec file.\u003c/li\u003e\n\u003cli\u003eThe packager, or an automated system, uses an RPM tool like \u003ccode\u003erpmbuild -bs\u003c/code\u003e, \u003ccode\u003erpmbuild --nobuild\u003c/code\u003e, or \u003ccode\u003erpm -q --specfile\u003c/code\u003e to inspect or build the package from the spec file.\u003c/li\u003e\n\u003cli\u003eThe RPM tool parses the spec file and, upon encountering the RPM macro directive, executes the embedded command.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s command executes on the build machine, potentially granting the attacker access to the packager\u0026rsquo;s credentials (dist-git SSH keys, Koji build credentials, Bodhi update credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to commit malicious source code to the distribution\u0026rsquo;s Git repository (dist-git).\u003c/li\u003e\n\u003cli\u003eThe malicious code is built and distributed to end users through the normal package update pipeline, resulting in a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the build machine. This can lead to the compromise of sensitive credentials, such as SSH keys and build system credentials. In the Fedora ecosystem, this could enable an attacker to inject malicious code into packages that are distributed to end users, potentially affecting millions of systems. The vulnerability poses a high risk to package maintainers and build systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003epyp2spec\u003c/code\u003e version 0.14.1 or later to remediate the code injection vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-r35x-v8p8-xvhw)\"\u003ehttps://github.com/advisories/GHSA-r35x-v8p8-xvhw)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on RPM spec files, alerting on unexpected modifications, to detect potentially malicious injected code. Use file_event logs with a rule like the one below.\u003c/li\u003e\n\u003cli\u003eMonitor process executions originating from RPM tools (\u003ccode\u003erpmbuild\u003c/code\u003e, \u003ccode\u003erpm\u003c/code\u003e), focusing on unusual or unexpected commands that could indicate exploitation, using process_creation logs and the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pyp2spec-code-injection/","summary":"pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.","title":"pyp2spec Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-pyp2spec-code-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["execution","defense-evasion","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers are increasingly leveraging Python one-liners with base64 encoding on Linux systems to deliver and execute malicious payloads. This technique allows for effective obfuscation, making it harder for conventional security solutions to detect the true nature of the executed commands. The use of \u003ccode\u003ebase64\u003c/code\u003e within Python scripts executed directly from the command line is a red flag, as it is rarely observed in standard administrative tasks but is frequently used to hide malicious intent. Defenders must prioritize detecting this behavior to uncover potentially compromised systems and prevent further escalation. This activity has been observed in conjunction with fake AI websites used to deliver malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through an undisclosed method (e.g., exploiting a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a script containing a base64-encoded payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python one-liner, invoking the \u003ccode\u003epython\u003c/code\u003e interpreter.\u003c/li\u003e\n\u003cli\u003eThe Python script imports the \u003ccode\u003ebase64\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe script decodes the base64-encoded payload using functions like \u003ccode\u003eb64decode\u003c/code\u003e, \u003ccode\u003eb32decode\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe decoded payload is executed using \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eexec()\u003c/code\u003e within the same Python one-liner.\u003c/li\u003e\n\u003cli\u003eThe executed payload establishes persistence, downloads further malware, or performs lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full system compromise, data exfiltration, or the deployment of persistent backdoors. The obfuscation techniques make detection difficult, potentially allowing attackers to operate undetected for extended periods. While the specific number of victims and targeted sectors remain unknown, the technique\u0026rsquo;s effectiveness in evading security measures makes it a high-priority threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Python Base64 One-Liners - Linux\u0026rdquo; to your SIEM to detect the execution of Python one-liners utilizing base64 decoding (logsource: process_creation/linux).\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events matching the Sigma rule, focusing on the parent processes and executed commands to identify the source of the malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation logs on Linux systems to ensure visibility of command-line execution, which is essential for detecting this type of attack (logsource: process_creation/linux).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts, mitigating the risk of malicious payload execution after decoding.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-python-base64-linux/","summary":"This brief focuses on detecting the execution of Python one-liners utilizing base64 decoding functions on Linux systems, a technique employed by malicious actors to obfuscate and execute payloads, thereby evading traditional security measures.","title":"Detection of Python Base64 Encoded Execution on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-python-base64-linux/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","privilege-escalation","persistence","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers may leverage the \u003ccode\u003echmod\u003c/code\u003e command on Linux systems to modify file permissions in sensitive directories. This can be used to establish persistence by altering permissions of startup scripts or cron jobs, escalate privileges by modifying permissions of sensitive binaries or configuration files, or disrupt system operations by restricting access to critical system resources. The referenced SysJoker malware has been observed using similar techniques. Detecting anomalous \u003ccode\u003echmod\u003c/code\u003e activity…\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-chmod-sensitive-directories/","summary":"Attackers may use chmod to modify file permissions within sensitive Linux directories such as /tmp/, /etc/, and /opt/ to maintain persistence, escalate privileges, or disrupt system operations.","title":"Chmod Activity Targeting Sensitive Linux Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chmod-sensitive-directories/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko","go/chainguard.dev/apko"],"_cs_severities":["high"],"_cs_tags":["package-substitution","supply-chain","linux"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eApko, a tool for building container images, is susceptible to a critical package substitution vulnerability in versions prior to 1.2.7. The vulnerability stems from the tool\u0026rsquo;s failure to validate downloaded \u003ccode\u003e.apk\u003c/code\u003e packages against the checksums recorded in the signed \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e file. While Apko does verify the signature on the index and parses the checksums, it does not compare these checksums against the downloaded packages during the \u003ccode\u003egetPackageImpl()\u003c/code\u003e function. This oversight can allow an attacker with the ability to manipulate download responses, such as through compromised mirrors, HTTP repositories, or poisoned CDN caches, to inject malicious or unintended packages into the built container images. This issue was reported by Oleh Konko from 1seal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a mirror, HTTP repository, or poisons a CDN cache used by apko.\u003c/li\u003e\n\u003cli\u003eA user initiates an apko build process, specifying a package to be included in the image.\u003c/li\u003e\n\u003cli\u003eApko requests the specified package from the compromised source.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the legitimate package with a malicious or altered \u003ccode\u003e.apk\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eApko downloads the substituted package.\u003c/li\u003e\n\u003cli\u003eApko verifies the signature on \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e but fails to validate the downloaded \u003ccode\u003e.apk\u003c/code\u003e package against the checksum in the index.\u003c/li\u003e\n\u003cli\u003eApko installs the malicious or altered package into the container image.\u003c/li\u003e\n\u003cli\u003eThe resulting container image is built with the compromised package, potentially leading to arbitrary code execution or other malicious activity when the image is deployed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary packages into container images built with vulnerable versions of apko. This can lead to a variety of adverse outcomes, including arbitrary code execution within containers, data exfiltration, and denial-of-service attacks. The lack of package validation provides a significant opportunity for attackers to compromise the integrity of containerized applications and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to apko version 1.2.7 or later once a fix is available from the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected connections to untrusted or unusual package repositories using network connection logs and create rules to alert on such activity.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring on the build system to detect unauthorized modification of files, specifically focusing on downloaded packages. This can be achieved through file integrity monitoring tools that generate file_event logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process executions within containers shortly after the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-apko-package-substitution/","summary":"Apko versions prior to 1.2.7 are vulnerable to package substitution due to not verifying downloaded apk packages against the APKINDEX checksum, potentially allowing an attacker who can substitute download responses to install arbitrary packages into built images.","title":"Apko Package Substitution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-package-substitution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Auditbeat","Elastic Endgame","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","container-escape","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003eunshare\u003c/code\u003e command in Linux is a utility used to create new namespaces, providing isolation for processes. While crucial for containerization and security, attackers can misuse \u003ccode\u003eunshare\u003c/code\u003e to escape container boundaries or escalate privileges by manipulating system namespaces. This occurs by creating namespaces that bypass established security controls. This activity is often observed when threat actors attempt to gain unauthorized access to host resources or elevate their privileges within a compromised system. The focus of this detection is on identifying unusual \u003ccode\u003eunshare\u003c/code\u003e executions that deviate from legitimate system management activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through exploiting a vulnerability in a containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eunshare\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunshare\u003c/code\u003e creates new namespaces, isolating the attacker\u0026rsquo;s process from the rest of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to mount sensitive directories from the host system into the new namespace.\u003c/li\u003e\n\u003cli\u003eUsing the newly gained access, the attacker attempts to modify system files, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e or \u003ccode\u003e/etc/shadow\u003c/code\u003e, to create new privileged accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to install persistent backdoors or malware on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via \u003ccode\u003eunshare\u003c/code\u003e can lead to privilege escalation, container escape, and unauthorized access to sensitive resources on the host system. The impact includes potential data breaches, system compromise, and lateral movement within the network. While the number of victims is unknown, the widespread use of containerization technologies makes this a significant threat, particularly for organizations relying on Linux-based container environments and cloud infrastructures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNamespace Manipulation Using Unshare\u003c/code\u003e to your SIEM to detect suspicious \u003ccode\u003eunshare\u003c/code\u003e command executions and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditbeat or Elastic Defend to collect the necessary process execution data to trigger the provided Sigma rule, as outlined in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule\u0026rsquo;s exclusion list based on your environment\u0026rsquo;s legitimate use cases for \u003ccode\u003eunshare\u003c/code\u003e, as described in the \u0026ldquo;False positive analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for unusual \u003ccode\u003eunshare\u003c/code\u003e usage patterns to enhance detection capabilities and prevent future occurrences as recommended in the \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-unshare-namespace-manipulation/","summary":"The `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.","title":"Suspicious Unshare Usage for Namespace Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-unshare-namespace-manipulation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend for Containers"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","container-escape","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe \u003ccode\u003eunshare\u003c/code\u003e command in Linux is used to create new namespaces, isolating processes from the rest of the system. This isolation is crucial for containerization and security. However, attackers can exploit \u003ccode\u003eunshare\u003c/code\u003e to break out of containers or elevate privileges by creating namespaces that bypass security controls. This activity has been observed in containerized environments where threat actors attempt to gain unauthorized access to the host system or escalate their privileges within the container. The detection rule identifies suspicious \u003ccode\u003eunshare\u003c/code\u003e executions by monitoring process starts, filtering out benign parent processes, and focusing on unusual usage patterns, thus highlighting potential misuse. The rule covers activity starting from Elastic Defend for Containers version 9.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA containerized process is compromised, potentially through an initial exploit or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eunshare\u003c/code\u003e command within the container.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunshare\u003c/code\u003e is used to create new namespaces, isolating the attacker\u0026rsquo;s process from the container\u0026rsquo;s limitations.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates these namespaces to gain access to resources outside the container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escape the container by leveraging the newly created namespaces.\u003c/li\u003e\n\u003cli\u003eUpon successful escape, the attacker gains access to the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on the host, potentially exploiting vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the host system, allowing for data exfiltration, system compromise, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to container escape, allowing attackers to gain unauthorized access to the host system. This can result in privilege escalation, data exfiltration, and complete system compromise. The rule aims to detect and prevent such attacks by identifying suspicious usage of the \u003ccode\u003eunshare\u003c/code\u003e command, helping to maintain the integrity and security of containerized environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eunshare\u003c/code\u003e executions within containers and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of \u003ccode\u003eunshare\u003c/code\u003e by system management tools like \u003ccode\u003eudevadm\u003c/code\u003e and \u003ccode\u003esystemd-udevd\u003c/code\u003e to reduce false positives, as mentioned in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for unusual \u003ccode\u003eunshare\u003c/code\u003e usage patterns to enhance detection capabilities and prevent future occurrences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-unshare-container-escape/","summary":"The rule identifies suspicious usage of unshare to manipulate system namespaces, which can be utilized to escalate privileges or escape container security boundaries.","title":"Suspicious Unshare Usage for Container Escape and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unshare-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","kubeletctl","container","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe kubeletctl tool simplifies access to Kubelet endpoints, potentially allowing attackers to perform discovery and lateral movement within Kubernetes environments. The tool can be used to enumerate pods and nodes, and attempt actions such as exec/attach/portForward. Attackers may run \u003ccode\u003ekubeletctl scan\u003c/code\u003e to find reachable Kubelet endpoints, then use \u003ccode\u003epods\u003c/code\u003e or \u003ccode\u003eexec/attach\u003c/code\u003e for follow-on access. This activity is typically observed on Linux hosts within containerized environments. Defenders should monitor for the execution of kubeletctl with suspicious arguments or connections to Kubelet ports (commonly 10250/10255).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a compromised host within the Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eAttacker downloads or transfers the \u003ccode\u003ekubeletctl\u003c/code\u003e binary to the compromised host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003ekubeletctl scan\u003c/code\u003e to identify accessible Kubelet API endpoints by scanning for open ports 10250 and 10255.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003ekubeletctl pods\u003c/code\u003e to enumerate running pods on a targeted node based on the scan results.\u003c/li\u003e\n\u003cli\u003eAttacker leverages \u003ccode\u003ekubeletctl exec\u003c/code\u003e or \u003ccode\u003ekubeletctl attach\u003c/code\u003e to gain shell access to a pod.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised pod to move laterally within the Kubernetes cluster, potentially accessing sensitive data or resources.\u003c/li\u003e\n\u003cli\u003eAttacker may attempt to access Kubernetes credentials, such as service account tokens or kubeconfigs, for further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to enumerate pods and nodes, execute commands within containers, and potentially move laterally within the Kubernetes cluster. This could lead to unauthorized access to sensitive data, resource hijacking, or complete compromise of the Kubernetes environment. The CyberArk research cited in the references describes how kubeletctl can be leveraged to attack Kubernetes clusters.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Kubeletctl Execution\u003c/code\u003e to detect suspicious execution of the \u003ccode\u003ekubeletctl\u003c/code\u003e binary on Linux hosts, focusing on command-line arguments such as \u003ccode\u003escan\u003c/code\u003e, \u003ccode\u003epods\u003c/code\u003e, \u003ccode\u003eexec\u003c/code\u003e, and \u003ccode\u003eattach\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor host and container telemetry for connections to Kubelet ports (10250/10255) using a network connection rule and look for scanning patterns across multiple nodes.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization based on the recommendations in the provided references.\u003c/li\u003e\n\u003cli\u003eRotate/revoke any exposed Kubernetes credentials (service account tokens, kubeconfigs, client certs) and investigate for follow-on discovery or execution attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubeletctl-execution/","summary":"This rule detects the execution of kubeletctl, a command-line tool used to interact with the Kubelet API, on Linux hosts, potentially leading to discovery and lateral movement within Kubernetes environments.","title":"Potential Kubeletctl Execution on Linux Hosts","url":"https://feed.craftedsignal.io/briefs/2024-01-kubeletctl-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["container","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ensenter\u003c/code\u003e within a Linux container, specifically when the \u003ccode\u003e-t\u003c/code\u003e or \u003ccode\u003e--target\u003c/code\u003e flag is used. This flag indicates an attempt to enter another process or namespace context. Attackers can exploit this capability, especially when combined with privileged mounts, exposed PIDs, or shared namespaces, to escape the container and pivot to the host system. This activity can lead to privilege escalation and further compromise of the underlying infrastructure. The detection is relevant for environments using Elastic Defend for Containers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through exploiting a vulnerability in a containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a container with weak configurations, such as exposed PIDs, shared namespaces, or privileged mounts.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ensenter\u003c/code\u003e with the \u003ccode\u003e-t\u003c/code\u003e or \u003ccode\u003e--target\u003c/code\u003e flag, specifying a target PID or namespace.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ensenter\u003c/code\u003e command joins the target namespace (mount, network, PID, user, or IPC) based on specified flags (\u003ccode\u003e-m\u003c/code\u003e, \u003ccode\u003e-n\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e-U\u003c/code\u003e, or \u003ccode\u003e-i\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the host system\u0026rsquo;s resources or processes due to the namespace sharing or privileged access.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on the host system, potentially gaining root access.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other containers or the host infrastructure, expanding their control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, system disruption, or deploying malware on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can allow an attacker to compromise the underlying host system. This can lead to the compromise of other containers running on the same host, as well as sensitive data stored on the host system. The impact can range from data breaches to complete infrastructure takeover. If the host is a node in a Kubernetes cluster, the attacker might be able to compromise the entire cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Nsenter Container Escape\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious \u003ccode\u003ensenter\u003c/code\u003e executions within containers.\u003c/li\u003e\n\u003cli\u003eReview container configurations and enforce least privilege to prevent unauthorized namespace sharing and privileged mounts.\u003c/li\u003e\n\u003cli\u003eMonitor container logs for \u003ccode\u003ensenter\u003c/code\u003e executions with target flags, as indicated by the log source \u003ccode\u003elogs-cloud_defend.process*\u003c/code\u003e and the query in this brief.\u003c/li\u003e\n\u003cli\u003eRestrict the use of hostPath volumes and other sensitive mounts within container deployments.\u003c/li\u003e\n\u003cli\u003eReduce recurrence by avoiding host namespace sharing, restricting hostPath and sensitive mounts, and blocking unnecessary capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-nsenter-container-escape/","summary":"The rule detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or --target), which can be abused to escape container isolation.","title":"Nsenter Execution with Target Flag Inside Container","url":"https://feed.craftedsignal.io/briefs/2024-01-nsenter-container-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Linux","version":"https://jsonfeed.org/version/1.1"}