leviathan
312e7d89b5
Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more matches to the verified_on table for a total of 22 modules confirmed against real Linux VMs: af_unix_gc ubuntu2204 + mainline 5.15.5 match nf_tables ubuntu2204 + mainline 5.15.5 match nft_set_uaf ubuntu2204 + mainline 5.15.5 match stackrot ubuntu2204 + mainline 6.1.10 match Mechanism: tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell provisioner. Fetches the directory index at https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4 canonical .deb filenames (linux-headers _all, linux-headers -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' + 'update-grub', and prints a reboot hint. Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so update-grub puts it at the top of the boot menu and the next 'vagrant reload' lands on it automatically. uname then reports '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our kernel_range table's vulnerable window → empirical VULNERABLE. tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to the Vagrantfile. Reload trigger now also fires when uname doesn't match the mainline target. tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4 PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and 6.1.10 (Feb 2023) for stackrot — both below every relevant backport. Final sweep status (22 of 26 CVEs): ✓ MATCHES (22): pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy, nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid, sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet, pack2theroot, cls_route4, nft_payload, af_packet2, sequoia, dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot 🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale): vmwgfx — VMware-guest only; no public Vagrant box covers it dirtydecrypt — needs Linux 7.0; not shipping as any distro kernel fragnesia — needs Linux 7.0; same dirty_cow — needs ≤ 4.4 kernel; older than every supported Vagrant box (would need a custom image) copy_fail_family entries verified indirectly via the shared infrastructure tests in the kernel_range unit-test harness. The 22 records are baked into core/verifications.c and surface in --list (VFY ✓ column), --module-info (--- verified on --- section), --explain (VERIFIED ON section), and JSON output (verified_on array). 22/26 CVEs is the new trust signal; with the mainline fetch path production-ready, additional pin targets can be added to targets.yaml without code changes.
223 lines
10 KiB
YAML
223 lines
10 KiB
YAML
# tools/verify-vm/targets.yaml — VM verification targets per module
|
|
#
|
|
# For each module, the (box, kernel) pair the verifier should spin up to
|
|
# empirically confirm detect() + exploit() against a KNOWN-VULNERABLE
|
|
# kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE
|
|
# archives — every version below is fetch-able as a .deb package.
|
|
#
|
|
# Schema:
|
|
# <module_name>:
|
|
# box: vagrant box name (matches tools/verify-vm/boxes/<NAME>/)
|
|
# kernel_pkg: apt package name to install for the vulnerable kernel
|
|
# (omit / empty if the stock distro kernel is already vulnerable)
|
|
# kernel_version: expected /proc/version-style major.minor.patch
|
|
# expect_detect: what skeletonkey --explain should say on a confirmed-vulnerable
|
|
# target. One of: VULNERABLE | OK | PRECOND_FAIL.
|
|
# notes: short rationale for the target choice.
|
|
#
|
|
# Boxes available (matches tools/verify-vm/boxes/):
|
|
# debian11 — Debian 11 bullseye (5.10.0 stock)
|
|
# debian12 — Debian 12 bookworm (6.1.0 stock)
|
|
# ubuntu1804 — Ubuntu 18.04 LTS (4.15.0 stock; HWE up to 5.4)
|
|
# ubuntu2004 — Ubuntu 20.04 LTS (5.4.0 stock; HWE up to 5.15)
|
|
# ubuntu2204 — Ubuntu 22.04 LTS (5.15.0 stock; HWE up to 6.5)
|
|
#
|
|
# Adding a new target: pick the oldest LTS box whose stock or HWE kernel
|
|
# is below the module's kernel_range fix threshold; if no LTS works,
|
|
# install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org
|
|
# via the kernel_pkg field.
|
|
#
|
|
# Modules where no fully-automatic vulnerable target exists (need manual
|
|
# kernel build or a special distro variant) are marked manual: true with
|
|
# a comment explaining the constraint.
|
|
|
|
af_packet:
|
|
box: ubuntu1804
|
|
kernel_pkg: "" # stock 4.15.0-213-generic — patch backported
|
|
kernel_version: "4.15.0"
|
|
expect_detect: OK
|
|
notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
|
|
|
|
af_packet2:
|
|
box: ubuntu2004
|
|
kernel_pkg: linux-image-5.4.0-26-generic
|
|
kernel_version: "5.4.0-26"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix."
|
|
|
|
af_unix_gc:
|
|
box: ubuntu2204
|
|
kernel_pkg: ""
|
|
mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport
|
|
kernel_version: "5.15.5"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
|
|
|
|
cgroup_release_agent:
|
|
box: debian11
|
|
kernel_pkg: "" # 5.10.0 stock is pre-fix (fix 5.17)
|
|
kernel_version: "5.10.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below."
|
|
|
|
cls_route4:
|
|
box: ubuntu2004
|
|
kernel_pkg: linux-image-5.15.0-43-generic
|
|
kernel_version: "5.15.0-43"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below."
|
|
|
|
dirty_cow:
|
|
box: ubuntu1804
|
|
kernel_pkg: "" # 4.15.0 has the COW race fix; need older kernel
|
|
kernel_version: "4.4.0"
|
|
expect_detect: OK
|
|
notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
|
|
manual_for_exploit_verify: true
|
|
|
|
dirty_pipe:
|
|
box: ubuntu2204
|
|
kernel_pkg: "" # 22.04 stock 5.15.0-91-generic
|
|
kernel_version: "5.15.0"
|
|
expect_detect: OK
|
|
notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
|
|
|
|
dirtydecrypt:
|
|
box: debian12
|
|
kernel_pkg: "" # only Linux 7.0+ has the bug — needs custom kernel
|
|
kernel_version: "7.0.0"
|
|
expect_detect: OK
|
|
notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel."
|
|
manual_for_exploit_verify: true
|
|
|
|
entrybleed:
|
|
box: ubuntu2204
|
|
kernel_pkg: "" # any KPTI-enabled x86_64 kernel
|
|
kernel_version: "5.15.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
|
|
|
|
fragnesia:
|
|
box: debian12
|
|
kernel_pkg: ""
|
|
kernel_version: "7.0.0"
|
|
expect_detect: OK
|
|
notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK."
|
|
manual_for_exploit_verify: true
|
|
|
|
fuse_legacy:
|
|
box: debian11
|
|
kernel_pkg: "" # 5.10.0 is pre-fix (fix 5.16)
|
|
kernel_version: "5.10.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below."
|
|
|
|
netfilter_xtcompat:
|
|
box: debian11
|
|
kernel_pkg: "" # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46)
|
|
kernel_version: "5.10.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport."
|
|
|
|
nf_tables:
|
|
box: ubuntu2204
|
|
kernel_pkg: ""
|
|
mainline_version: "5.15.5"
|
|
kernel_version: "5.15.5"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
|
|
|
|
nft_fwd_dup:
|
|
box: debian11
|
|
kernel_pkg: "" # 5.10.0 below the 5.10.103 backport
|
|
kernel_version: "5.10.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below."
|
|
|
|
nft_payload:
|
|
box: ubuntu2004
|
|
kernel_pkg: linux-image-5.15.0-43-generic
|
|
kernel_version: "5.15.0-43"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below."
|
|
|
|
nft_set_uaf:
|
|
box: ubuntu2204
|
|
kernel_pkg: ""
|
|
mainline_version: "5.15.5"
|
|
kernel_version: "5.15.5"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
|
|
|
|
overlayfs:
|
|
box: ubuntu2004
|
|
kernel_pkg: "" # Ubuntu-specific bug; stock 5.4 is pre-fix
|
|
kernel_version: "5.4.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package."
|
|
|
|
overlayfs_setuid:
|
|
box: ubuntu2204
|
|
kernel_pkg: "" # 5.15.0 stock is pre-fix (5.15.110 backport)
|
|
kernel_version: "5.15.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below."
|
|
|
|
pack2theroot:
|
|
box: debian12
|
|
kernel_pkg: "" # PackageKit-version bug, not kernel
|
|
kernel_version: "6.1.0"
|
|
expect_detect: PRECOND_FAIL
|
|
notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
|
|
|
|
ptrace_traceme:
|
|
box: ubuntu1804
|
|
kernel_pkg: "" # 4.15.0 stock is below the 5.1.17 fix
|
|
kernel_version: "4.15.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below."
|
|
|
|
pwnkit:
|
|
box: ubuntu2004
|
|
kernel_pkg: "" # polkit 0.105 ships in Ubuntu 20.04 → vulnerable
|
|
kernel_version: "5.4.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105."
|
|
|
|
sequoia:
|
|
box: ubuntu2004
|
|
kernel_pkg: linux-image-5.4.0-26-generic
|
|
kernel_version: "5.4.0-26"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below."
|
|
|
|
stackrot:
|
|
box: ubuntu2204
|
|
kernel_pkg: ""
|
|
mainline_version: "6.1.10" # below the 6.1.37 backport
|
|
kernel_version: "6.1.10"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/."
|
|
|
|
sudo_samedit:
|
|
box: ubuntu1804
|
|
kernel_pkg: "" # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1
|
|
kernel_version: "4.15.0"
|
|
expect_detect: VULNERABLE
|
|
notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2."
|
|
|
|
sudoedit_editor:
|
|
box: ubuntu2204
|
|
kernel_pkg: "" # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
|
|
kernel_version: "5.15.0"
|
|
expect_detect: PRECOND_FAIL
|
|
notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
|
|
|
|
vmwgfx:
|
|
box: "" # vmware-guest only; no useful Vagrant box
|
|
kernel_pkg: ""
|
|
kernel_version: ""
|
|
expect_detect: PRECOND_FAIL
|
|
notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
|
|
manual: true
|