Detected by https://github.com/samokat-oss/pisc

[kapistka]

We need to come up with bypass =)

[r0binak]

@kapistka It's not really a big problem. If the attacker has the ability to prepare his own image, he can easily bypass these checks. I've done some simple tests and I'm ready to give a couple of examples:

• Bypass malicious compliance checks. All values are hardcoded. There are many ways how you can obfuscate a bash script/path. The simplest of them is using "?", "*" symbols. So you can use rm -rf /v*r/l*b/a*t/lists/* instead rm -rf /var/lib/apt/lists/* construction.

• What about malicious files detected by VirusTotal? All files that VirusTotal recognised as malicious are open source tools. In order for an executable file not to be detected by VT, it is enough to change only a byte. This in turn changes the hash and the malware is not recognised. An attacker can use a custom build of these tools.

• You can change creation date via manifest.json

[kapistka]

@r0binak Thanks for the reply)

1. Path obfuscation is a good point, but malicious compliance is not interesting for the attacker, because it bypasses only the vulnerability scanner. It is more interesting to bypass CVE-2024-21626.
2. To bypass virustotal, I would suggest using encryption, like here.
3. The creation date is not interesting for the attacker. This is used against the laziness of developers to download a more recent image.