Impact
What kind of vulnerability is it? Who is impacted?
A TOCTOU issue has been identified in Falco that could lead to rule bypass.
When handling events related to the system calls connect, open, openat and creat, Falco retrieves some of the arguments by reading userspace buffers upon syscall exit. An attacker running a malicious program on a Falco monitored system could use a variety of techniques to deterministically increase the duration of the syscall execution and modify the arguments in its own address space after the syscall has been invoked and before its execution is complete. Falco will then assume that the modified data is the input argument of the syscall which may lead to rule bypass.
For instance, two concrete cases have been identified and demonstrated:
- A malicious C&C server could be designed to perform a slow TCP handshake upon client connection. A piece of malware running on a Falco monitored host or container could then initiate a connection to the C&C by issuing a
connect() syscall and then spawn a separate thread that modifies the buffers containing the remote address with a non suspicious address. Falco will then read the non suspicious address and would not fire any rule that would catch this event.
- A system that uses FUSE file systems can be subject to this attack if the file system access incurs additional IO delay such as network delay. One example is when accessing an SSH server accessed through SSHFS. A piece of malware, if it has enough permission to mount and/or access that remote file server, could connect to it, perform the attack and hide the accessed file name(s) in the same way as described above.
Users using Falco versions up to 0.31.1 with the kernel module, eBPF probe or userspace instrumentation support (such as the one employed in the https://github.com/falcosecurity/pdig example) are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
This problem has been addressed by
Users should upgrade to version 0.31.1 or later. The fix applies to all system call instrumentation mechanisms available including the kernel module, eBPF probe and userspace istrumentation where used.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
A version upgrade to 0.31.1 is needed.
References
Are there any links users can visit to find out more?
This vulnerability was initially reported by Xiaofei (Rex) Guo and Junyuan Zeng.
For more information
If you have any questions or comments about this advisory:
rexguowork Analyst
LucaGuerra Analyst
loresuso Analyst
jzeng4 Analyst
Impact
What kind of vulnerability is it? Who is impacted?
A TOCTOU issue has been identified in Falco that could lead to rule bypass.
When handling events related to the system calls
connect,open,openatandcreat, Falco retrieves some of the arguments by reading userspace buffers upon syscall exit. An attacker running a malicious program on a Falco monitored system could use a variety of techniques to deterministically increase the duration of the syscall execution and modify the arguments in its own address space after the syscall has been invoked and before its execution is complete. Falco will then assume that the modified data is the input argument of the syscall which may lead to rule bypass.For instance, two concrete cases have been identified and demonstrated:
connect()syscall and then spawn a separate thread that modifies the buffers containing the remote address with a non suspicious address. Falco will then read the non suspicious address and would not fire any rule that would catch this event.Users using Falco versions up to 0.31.1 with the kernel module, eBPF probe or userspace instrumentation support (such as the one employed in the https://github.com/falcosecurity/pdig example) are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
This problem has been addressed by
Users should upgrade to version 0.31.1 or later. The fix applies to all system call instrumentation mechanisms available including the kernel module, eBPF probe and userspace istrumentation where used.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
A version upgrade to 0.31.1 is needed.
References
Are there any links users can visit to find out more?
This vulnerability was initially reported by Xiaofei (Rex) Guo and Junyuan Zeng.
For more information
If you have any questions or comments about this advisory: