{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/chainguard/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko","go/chainguard.dev/apko"],"_cs_severities":["high"],"_cs_tags":["package-substitution","supply-chain","linux"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eApko, a tool for building container images, is susceptible to a critical package substitution vulnerability in versions prior to 1.2.7. The vulnerability stems from the tool\u0026rsquo;s failure to validate downloaded \u003ccode\u003e.apk\u003c/code\u003e packages against the checksums recorded in the signed \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e file. While Apko does verify the signature on the index and parses the checksums, it does not compare these checksums against the downloaded packages during the \u003ccode\u003egetPackageImpl()\u003c/code\u003e function. This oversight can allow an attacker with the ability to manipulate download responses, such as through compromised mirrors, HTTP repositories, or poisoned CDN caches, to inject malicious or unintended packages into the built container images. This issue was reported by Oleh Konko from 1seal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a mirror, HTTP repository, or poisons a CDN cache used by apko.\u003c/li\u003e\n\u003cli\u003eA user initiates an apko build process, specifying a package to be included in the image.\u003c/li\u003e\n\u003cli\u003eApko requests the specified package from the compromised source.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the legitimate package with a malicious or altered \u003ccode\u003e.apk\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eApko downloads the substituted package.\u003c/li\u003e\n\u003cli\u003eApko verifies the signature on \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e but fails to validate the downloaded \u003ccode\u003e.apk\u003c/code\u003e package against the checksum in the index.\u003c/li\u003e\n\u003cli\u003eApko installs the malicious or altered package into the container image.\u003c/li\u003e\n\u003cli\u003eThe resulting container image is built with the compromised package, potentially leading to arbitrary code execution or other malicious activity when the image is deployed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary packages into container images built with vulnerable versions of apko. This can lead to a variety of adverse outcomes, including arbitrary code execution within containers, data exfiltration, and denial-of-service attacks. The lack of package validation provides a significant opportunity for attackers to compromise the integrity of containerized applications and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to apko version 1.2.7 or later once a fix is available from the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected connections to untrusted or unusual package repositories using network connection logs and create rules to alert on such activity.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring on the build system to detect unauthorized modification of files, specifically focusing on downloaded packages. This can be achieved through file integrity monitoring tools that generate file_event logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process executions within containers shortly after the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-apko-package-substitution/","summary":"Apko versions prior to 1.2.7 are vulnerable to package substitution due to not verifying downloaded apk packages against the APKINDEX checksum, potentially allowing an attacker who can substitute download responses to install arbitrary packages into built images.","title":"Apko Package Substitution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-package-substitution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko (\u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","symlink","apko","vulnerability","CVE-2026-42574"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in apko\u0026rsquo;s \u003ccode\u003eDirFS\u003c/code\u003e component, specifically within the \u003ccode\u003esanitizePath\u003c/code\u003e helper function in versions prior to 1.2.5. The vulnerability allows a malicious \u003ccode\u003e.apk\u003c/code\u003e file to install a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry pointing outside the intended build root. Subsequent directory creation or file writing operations could then traverse this symbolic link, leading to unauthorized access and modification of files on the host system. This issue affects users of apko and downstream tools, such as melange, that embed vulnerable versions of the \u003ccode\u003epkg/apk/fs\u003c/code\u003e package. The vulnerability was addressed in apko version 1.2.5 with the introduction of \u003ccode\u003e*os.Root\u003c/code\u003e, which prevents path traversal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.apk\u003c/code\u003e file containing a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry.\u003c/li\u003e\n\u003cli\u003eThe symbolic link\u0026rsquo;s target is set to a path outside the intended build root, potentially targeting sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.apk\u003c/code\u003e is processed using a vulnerable version of apko (prior to 1.2.5) via commands like \u003ccode\u003eapko build-cpio\u003c/code\u003e or through disk-backed consumers such as \u003ccode\u003emelange\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring tar extraction, the vulnerable \u003ccode\u003esanitizePath\u003c/code\u003e function fails to properly resolve or refuse the malicious symlink.\u003c/li\u003e\n\u003cli\u003eA subsequent directory-creation or file-write operation is initiated within the same or a later archive entry.\u003c/li\u003e\n\u003cli\u003eThe file operation traverses the previously created symbolic link, gaining access to the file system location outside the intended build root.\u003c/li\u003e\n\u003cli\u003eThe attacker can then create directories or write files to the compromised location, potentially overwriting critical system files or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to privilege escalation and persistent compromise of the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the host system. This can lead to privilege escalation if the attacker can overwrite setuid binaries or modify system configuration files. It can also lead to persistent compromise of the system if the attacker injects malicious code into startup scripts or other system files. While the exact number of victims is unknown, any system running a vulnerable version of apko (prior to 1.2.5) or tools embedding vulnerable versions of \u003ccode\u003epkg/apk/fs\u003c/code\u003e, such as melange, is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade apko to version 1.2.5 or later. This version includes a fix that prevents path traversal vulnerabilities as described in the advisory and commit \u003ca href=\"https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442\"\u003ef5a96e1\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid consuming APKs from untrusted sources. However, note that this does not fully eliminate the risk.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories for unexpected activity, especially after processing \u003ccode\u003e.apk\u003c/code\u003e files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-apko-path-traversal/","summary":"A symlink-following path traversal vulnerability exists in apko versions prior to 1.2.5 allowing a malicious .apk file to create a symbolic link pointing outside the build root and subsequently modify files on the host system.","title":"Apko DirFS Symlink Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Chainguard","version":"https://jsonfeed.org/version/1.1"}