leviathan fa0228df9b
release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix
CVE metadata refresh:
- Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module
  CVEs. Two are CISA-KEV-listed:
  - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190)
  - CVE-2025-32463 sudo_chwoot       (2025-09-29, CWE-829)
- Populated via direct curl when refresh-cve-metadata.py's Python urlopen
  hung on CISA's HTTP/2 endpoint for ~55 min — same data, different
  transport.

dirtydecrypt module bug fix:
- dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0
- Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable
  through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0
- Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23}
- Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline
  6.19.7 instead of OK. Previously a false negative on real vulnerable
  kernels.

Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count
stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match
(was OK match).
2026-05-24 01:17:58 -04:00
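Added example, not leviathan's own code: the gating logic the commit message describes for dirtydecrypt (a "predates the bug" threshold plus a stable-branch backport table), with the pre-fix gate kept beside it to show the 6.19.7 false negative. The kver/dd_gate names, the verdict enum and the uname -r parsing are assumptions; the version numbers are the ones the commit quotes from NVD.

```c
/* Added example, not leviathan's own code: a kernel-version gate shaped like
 * the dirtydecrypt fix in the commit message (predates gate + per-branch
 * backport table). All names below are assumptions. */
#include <stdio.h>

struct kver { int major, minor, patch; };
enum verdict { VERDICT_OK, VERDICT_VULNERABLE, VERDICT_PRECOND_FAIL };

/* Parse the leading "a.b.c" of a uname -r string. A distro suffix such as
 * "-91-generic" is ignored, which is why a version-only verdict can be a false
 * positive when the distro backported the fix (cf. the dirty_pipe target). */
static int kver_parse(const char *s, struct kver *out) {
    out->major = out->minor = out->patch = 0;
    return sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch) == 3;
}

static int kver_cmp(struct kver a, struct kver b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* OK below `introduced` and at or above `mainline_fix`. In between, a stable
 * branch (same major.minor) is OK once its patch level reaches the listed
 * backport; a branch with no listed backport is reported VULNERABLE. */
static enum verdict dd_gate(struct kver k, struct kver introduced,
                            struct kver mainline_fix,
                            const struct kver *branches, size_t n) {
    if (kver_cmp(k, introduced) < 0) return VERDICT_OK;
    if (kver_cmp(k, mainline_fix) >= 0) return VERDICT_OK;
    for (size_t i = 0; i < n; i++)
        if (k.major == branches[i].major && k.minor == branches[i].minor)
            return k.patch >= branches[i].patch ? VERDICT_OK : VERDICT_VULNERABLE;
    return VERDICT_VULNERABLE;
}

/* CVE-2026-31635 as the commit quotes NVD: entered 6.16.1; fixed 6.18.23,
 * 6.19.13 and 7.0. Unparsable input is PRECOND_FAIL rather than a guess. */
static enum verdict dd_detect(const char *uname_r) {
    static const struct kver fixed[] = { {6, 18, 23}, {6, 19, 13} };
    struct kver k;
    if (!kver_parse(uname_r, &k)) return VERDICT_PRECOND_FAIL;
    return dd_gate(k, (struct kver){6, 16, 1}, (struct kver){7, 0, 0}, fixed, 2);
}

/* The pre-fix gate: predates on < 7.0 and no 6.18.23 entry, so every 6.x
 * kernel, 6.19.7 included, comes back OK: the false negative the commit fixes. */
static enum verdict dd_detect_before_fix(const char *uname_r) {
    static const struct kver old[] = { {6, 19, 13} };
    struct kver k;
    if (!kver_parse(uname_r, &k)) return VERDICT_PRECOND_FAIL;
    return dd_gate(k, (struct kver){7, 0, 0}, (struct kver){7, 0, 0}, old, 1);
}
```

Release-candidate tags are not modeled: a "7.0.0-rc7" uname parses as 7.0.0 and is reported OK, although the commit lists 7.0-rc7 as still vulnerable.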

287 lines
16 KiB
YAML

# tools/verify-vm/targets.yaml — VM verification targets per module
#
# For each module, the (box, kernel) pair the verifier should spin up to
# empirically confirm detect() + exploit() against a KNOWN-VULNERABLE
# kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE
# archives — every version below is fetch-able as a .deb package.
#
# Schema:
#   <module_name>:
#     box: vagrant box name (matches tools/verify-vm/boxes/<NAME>/)
#     kernel_pkg: apt package name to install for the vulnerable kernel
#                 (omit / empty if the stock distro kernel is already vulnerable)
#     mainline_version: optional; kernel.ubuntu.com/mainline/v<VERSION>/ build to
#                       install when no apt package is pinned via kernel_pkg
#     kernel_version: expected /proc/version-style major.minor.patch
#     expect_detect: what skeletonkey --explain should say on a confirmed-vulnerable
#                    target. One of: VULNERABLE | OK | PRECOND_FAIL.
#     notes: short rationale for the target choice.
#
# Boxes available (matches tools/verify-vm/boxes/):
#   debian11   — Debian 11 bullseye (5.10.0 stock)
#   debian12   — Debian 12 bookworm (6.1.0 stock)
#   ubuntu1804 — Ubuntu 18.04 LTS (4.15.0 stock; HWE up to 5.4)
#   ubuntu2004 — Ubuntu 20.04 LTS (5.4.0 stock; HWE up to 5.15)
#   ubuntu2204 — Ubuntu 22.04 LTS (5.15.0 stock; HWE up to 6.5)
#
# Adding a new target: pick the oldest LTS box whose stock or HWE kernel
# is below the module's kernel_range fix threshold; if no LTS works,
# install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org
# via the kernel_pkg field.
#
# Modules where no fully-automatic vulnerable target exists (need manual
# kernel build or a special distro variant) are marked manual: true with
# a comment explaining the constraint.
af_packet:
  box: ubuntu1804
  kernel_pkg: ""            # stock 4.15.0-213-generic — patch backported
  kernel_version: "4.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
af_packet2:
  box: ubuntu2004
  kernel_pkg: linux-image-5.4.0-26-generic
  kernel_version: "5.4.0-26"
  expect_detect: VULNERABLE
  notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix."
af_unix_gc:
  box: ubuntu2204
  kernel_pkg: ""
  mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport
  kernel_version: "5.15.5"
  expect_detect: VULNERABLE
  notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
cgroup_release_agent:
  box: debian11
  kernel_pkg: ""            # 5.10.0 stock is pre-fix (fix 5.17)
  kernel_version: "5.10.0"
  expect_detect: VULNERABLE
  notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below."
cls_route4:
  box: ubuntu2004
  kernel_pkg: linux-image-5.15.0-43-generic
  kernel_version: "5.15.0-43"
  expect_detect: VULNERABLE
  notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below."
dirty_cow:
  box: ubuntu1804
  kernel_pkg: ""            # 4.15.0 has the COW race fix; need older kernel
  kernel_version: "4.4.0"
  expect_detect: VULNERABLE
  notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
  manual_for_exploit_verify: true
dirty_pipe:
  box: ubuntu2204
  kernel_pkg: ""            # 22.04 stock 5.15.0-91-generic
  kernel_version: "5.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
dirtydecrypt:
  box: ubuntu2204
  kernel_pkg: ""
  mainline_version: "6.19.7" # below the 6.19.13 backport → genuinely vulnerable
  kernel_version: "6.19.7"
  expect_detect: VULNERABLE
  notes: "CVE-2026-31635; rxgk RESPONSE oversized auth_len. Per NVD: bug entered at 6.16.1, vulnerable through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 stable. Mainline 6.19.7 is below the .13 backport → genuinely VULNERABLE. (Earlier module code wrongly gated 'predates' on 7.0; fixed in this commit by gating on 6.16.1 + adding 6.18.23 to the backport table.)"
entrybleed:
  box: ubuntu2204
  kernel_pkg: ""            # any KPTI-enabled x86_64 kernel
  kernel_version: "5.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
fragnesia:
  box: ""
  kernel_pkg: ""
  kernel_version: ""
  expect_detect: ""
  manual: true
  notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Fix lands at 7.0.9. Verifying VULNERABLE needs a pre-fix 7.0.x kernel. Mainline 7.0.5 was tried via Ubuntu 22.04 + kernel.ubuntu.com — fails because the 7.0.5 kernel .debs depend on the t64-transition libs (libssl3t64, libelf1t64) which only exist on Ubuntu 24.04+ / Debian 13+. No Vagrant box with Parallels provider has those libs yet. dpkg --force-depends leaves the kernel image in iHR (broken) state with no /boot/vmlinuz deposited. Resolution: wait for a Parallels-supported ubuntu2404 / debian13 box, or build one locally."
fuse_legacy:
  box: debian11
  kernel_pkg: ""            # 5.10.0 is pre-fix (fix 5.16)
  kernel_version: "5.10.0"
  expect_detect: VULNERABLE
  notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below."
netfilter_xtcompat:
  box: debian11
  kernel_pkg: ""            # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46)
  kernel_version: "5.10.0"
  expect_detect: VULNERABLE
  notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport."
nf_tables:
  box: ubuntu2204
  kernel_pkg: ""
  mainline_version: "5.15.5"
  kernel_version: "5.15.5"
  expect_detect: VULNERABLE
  notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
nft_fwd_dup:
  box: debian11
  kernel_pkg: ""            # 5.10.0 below the 5.10.103 backport
  kernel_version: "5.10.0"
  expect_detect: VULNERABLE
  notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below."
nft_payload:
  box: ubuntu2004
  kernel_pkg: linux-image-5.15.0-43-generic
  kernel_version: "5.15.0-43"
  expect_detect: VULNERABLE
  notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below."
nft_set_uaf:
  box: ubuntu2204
  kernel_pkg: ""
  mainline_version: "5.15.5"
  kernel_version: "5.15.5"
  expect_detect: VULNERABLE
  notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
overlayfs:
  box: ubuntu2004
  kernel_pkg: ""            # Ubuntu-specific bug; stock 5.4 is pre-fix
  kernel_version: "5.4.0"
  expect_detect: VULNERABLE
  notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package."
overlayfs_setuid:
  box: ubuntu2204
  kernel_pkg: ""            # 5.15.0 stock is pre-fix (5.15.110 backport)
  kernel_version: "5.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below."
pack2theroot:
  box: debian12
  kernel_pkg: ""            # PackageKit-version bug, not kernel
  kernel_version: "6.1.0"
  expect_detect: PRECOND_FAIL
  notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
ptrace_traceme:
  box: ubuntu1804
  kernel_pkg: ""            # 4.15.0 stock is below the 5.1.17 fix
  kernel_version: "4.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below."
pwnkit:
  box: ubuntu2004
  kernel_pkg: ""            # polkit 0.105 ships in Ubuntu 20.04 → vulnerable
  kernel_version: "5.4.0"
  expect_detect: VULNERABLE
  notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105."
sequoia:
  box: ubuntu2004
  kernel_pkg: linux-image-5.4.0-26-generic
  kernel_version: "5.4.0-26"
  expect_detect: VULNERABLE
  notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below."
stackrot:
  box: ubuntu2204
  kernel_pkg: ""
  mainline_version: "6.1.10" # below the 6.1.37 backport
  kernel_version: "6.1.10"
  expect_detect: VULNERABLE
  notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/."
sudo_samedit:
  box: ubuntu1804
  kernel_pkg: ""            # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1
  kernel_version: "4.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2."
sudoedit_editor:
  box: ubuntu2204
  kernel_pkg: ""            # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
  kernel_version: "5.15.0"
  expect_detect: PRECOND_FAIL
  notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
vmwgfx:
  box: ""                   # vmware-guest only; no useful Vagrant box
  kernel_pkg: ""
  kernel_version: ""
  expect_detect: PRECOND_FAIL
  notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
  manual: true
# ── v0.8.0 additions ──────────────────────────────────────────────
sudo_chwoot:
  box: ubuntu2204           # 22.04 ships sudo 1.9.9 — provisioner builds 1.9.16p1 over it
  kernel_pkg: ""            # this bug is sudo-version-gated, not kernel
  kernel_version: "5.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. provisioners/sudo_chwoot.sh builds sudo 1.9.16p1 from upstream sources into /usr/local/bin (which precedes /usr/bin in PATH so plain `sudo` resolves to the vulnerable binary)."
udisks_libblockdev:
  box: debian12             # 12 ships udisks2 2.10.x + libblockdev 3.0.x — vulnerable
  kernel_pkg: ""
  kernel_version: "6.1.0"
  expect_detect: VULNERABLE
  notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. provisioners/udisks_libblockdev.sh installs udisks2 + libblockdev-utils3 and drops a polkit rule allowing the vagrant user to invoke loop-setup/filesystem-mount — simulating the trust polkit would give a logged-in workstation user (the real-world bug-path). Without that rule, the SSH session is not 'active' per polkit and the D-Bus call short-circuits."
pintheft:
  box: ""                   # RDS is blacklisted on every common Vagrant box's stock kernel
  kernel_pkg: ""
  kernel_version: ""
  expect_detect: VULNERABLE
  notes: "CVE-2026-43494; PinTheft. Among Vagrant-supported distros, NONE autoload the rds kernel module (Arch Linux is the only common distro that does, and there's no maintained generic/arch-linux Vagrant box). On Debian/Ubuntu/Fedora boxes the AF_RDS socket() call fails with EAFNOSUPPORT → detect correctly returns OK ('bug exists in kernel but unreachable from userland here'). Verifying the VULNERABLE path needs either an Arch box, or a custom box with the rds module pre-loaded ('modprobe rds && modprobe rds_tcp'). Deferred."
  manual: true
# ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ──────
mutagen_astronomy:
  box: ""
  kernel_pkg: ""
  kernel_version: ""
  expect_detect: ""
  manual: true
  notes: "CVE-2018-14634; Qualys Mutagen Astronomy. No good Vagrant verification environment: stock Ubuntu 18.04 (4.15.0-213) returns detect()=VULNERABLE because the module's kernel_range table has no entry for the 4.15.x series (Ubuntu's HWE backports are not modeled), but the kernel IS actually patched — false-positive of the conservative module logic. Mainline 4.14.70 (target VULNERABLE kernel) panics on Ubuntu 18.04's rootfs with 'Failed to execute /init (error -8)' — kernel config mismatch (binfmt_elf as module rather than baked-in). Genuinely vulnerable verification needs a contemporary CentOS 6 / Debian 7 image with original-vintage kernel; deferred to custom-box workflow."
sudo_runas_neg1:
  box: ubuntu1804           # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix)
  kernel_pkg: ""
  kernel_version: "4.15.0"
  expect_detect: VULNERABLE
  notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 (vulnerable). provisioners/sudo_runas_neg1.sh adds 'vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi' to /etc/sudoers.d/ so find_runas_blacklist_grant() has a grant to abuse."
tioscpgrp:
  box: ubuntu2004           # 5.4 stock kernels (5.4.0-26) are below the 5.4.85 backport
  kernel_pkg: linux-image-5.4.0-26-generic
  kernel_version: "5.4.0-26"
  expect_detect: VULNERABLE
  notes: "CVE-2020-29661; TTY TIOCSPGRP UAF race. Stock Ubuntu 20.04 5.4.0-26 is below the 5.4.85 LTS backport. /dev/ptmx is universally writable in CI containers. Should validate VULNERABLE."
vsock_uaf:
  box: ""                   # vsock module typically not loaded on CI containers (no virtualization)
  kernel_pkg: ""
  kernel_version: ""
  expect_detect: VULNERABLE
  notes: "CVE-2024-50264; Pwn2Own 2024 vsock UAF. AF_VSOCK requires the vsock kernel module, which autoloads only on KVM/QEMU GUESTS. Vagrant VMs running under Parallels are themselves guests, but their guest kernel may or may not have vsock loaded depending on the Parallels host. detect correctly returns OK when AF_VSOCK is unavailable. To validate VULNERABLE, ensure the VM kernel has CONFIG_VSOCKETS + virtio-vsock loaded ('modprobe vsock_loopback' may suffice on newer kernels)."
  manual: true
nft_pipapo:
  box: ubuntu2204           # 5.15 stock + HWE — same pipapo set substrate as nf_tables
  kernel_pkg: ""
  mainline_version: "5.15.5"
  kernel_version: "5.15.5"
  expect_detect: VULNERABLE
  notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same mainline 5.15.5 target as nf_tables works here — 5.15.5 is below the 5.15.149 backport. (Switched from apt-pinned 5.15.0-43 after that package was removed from Ubuntu repos.) Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."