
kots/1.112.0 package update #24061

Merged (1 commit), Jul 16, 2024

Conversation

octo-sts[bot] (Contributor) commented Jul 16, 2024

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr P1 This issue is very important and will be addressed within the team planning window. labels Jul 16, 2024
Package kots:
Modified: /usr/bin/kots
Modified: /usr/bin/kotsadm

Package kots-symlink-compat:
Unchanged

bincapz found differences:

Moved: kots/var/lib/db/sbom/kots-1.111.0-r1.spdx.json -> /tmp/wolfictl-apk-3771103074/kots/var/lib/db/sbom/kots-1.112.0-r0.spdx.json (similarity: 0.97)

Changed: /tmp/wolfictl-apk-3771103074/kots/usr/bin/kots [🔥 HIGH → 🚨 CRITICAL]

12 new behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +CRITICAL | evasion/base64/php_functions | References multiple PHP functions in base64 form | `<?php::$php`, `BcnJhe::$f_Array`, `FycmF5::$f_Array`, `NvdW50::$f_count`, `QXJyYX::$f_Array`, `Y291bn::$f_count`, `ZXhlY::$f_exec`, `base64_decode`, `c3lzdGVt::$f_system`, `leGVj::$f_exec`, `zeXN0ZW::$f_system` |
| +HIGH | combo/stealer/creds | suspected data stealer | Atomic, Bitcoin, Bookmarks, Chrome, Chromium, Firefox, History, Snowflake |
| +MEDIUM | 3P/threat_hunting/checkplease | references 'CheckPlease' tool, by mthcht | `check_allstorage: %s: ifMetagenerationNotMatch not supported%s Error while retrieving OAuth token: Code Expiredelasticfilesystem-fips.ap-northeast-1.amazonaws.comelasticfilesystem-fips.ap-northeast-2.amazonaws.comelasticfilesystem-fips.ap-northeast-3.amazonaws.comelasticfilesystem-fips.ap-southeast-1.amazonaws.comelasticfilesystem-fips.ap-southeast-2.amazonaws.comelasticfilesystem-fips.ap-southeast-3.amazonaws.comelasticfilesystem-fips.ap-southeast-4.amazonaws.comredshift-serverless-fips.ca-central-1.amazon` |
| +MEDIUM | 3P/threat_hunting/ldeep | references 'ldeep' tool, by mthcht | `lDeep` |
| +MEDIUM | ref/words/collection | Uses terms that reference data collection | `CollectData` |
| +MEDIUM | ref/words/leetspeak | References 1337 terminology | `1337` |
| +MEDIUM | secrets/aws | access AWS configuration files and/or keys | `.aws` |
| +LOW | env/get | Retrieve environment variable values | `env.API`, `env.BUILD`, `env.KOTSADM`, `env.NODE`, `env.REACT`, `env.SNAP`, `env.VSCODE` |
| +LOW | fd/read | reads from a file handle | `Ie(t.read()`, `We(t.read()`, `__await(reader.read()`, `_readableState.read()`, `_source.read()`, `engine.read()`, `i(t.read()`, `n.read()`, `o(e.read()`, `ondata(stream.read()`, `snapshot.read()`, `tokenizer.read()` |
| +LOW | fd/write | writes to a file handle | `decoder.write(chunk)`, `decoder.write(i)`, `decoder.write(t)`, `dest.write(chunk)`, `e.write(t)`, `pipeTo.write(data)`, `pipeTo.write(t)`, `sink.write(buffer)`, `this.write(buf)`, `this.write(e)` |
| +LOW | service/start | service start | `service at start` |
| +LOW | techniques/brute_force | May use bruteforce to function | `brute force` |

2 removed behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | shell/exec | executes shell | `/bin/bash`, `/bin/sh -ce "minio -C` |
| -LOW | process/chdir | changes working directory | `cd` |

Changed: /tmp/wolfictl-apk-3771103074/kots/usr/bin/kotsadm

2 new behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | net/bpf | BPF (Berkeley Packet Filter) | `bpf` |
| +LOW | ref/site/url/unusual | Contains HTTP hostname with a long node name | `https://trailerspageSizesequencefilenamedisabledoverlaysrenderednodeNameListApps/` |

Changed: /tmp/wolfictl-apk-3771103074/kots-symlink-compat/var/lib/db/sbom/kots-symlink-compat-1.112.0-r0.spdx.json

octo-sts[bot] (Contributor, Author) commented Jul 16, 2024

bincapz detected files with a risk score equal or higher than 'CRITICAL':

/tmp/bincapz19081780/packages/x86_64/kots-1.112.0-r0.apk/usr/bin/kots [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| HIGH | combo/dropper/shell | fetches content and pipes it to a shell | `[curl https://kots.io/install` |
| HIGH | combo/stealer/creds | suspected data stealer | Atomic, Bitcoin, Bookmarks, Chrome, Chromium, Firefox, History, Snowflake |
| CRITICAL | evasion/base64/php_functions | References multiple PHP functions in base64 form | `<?php::$php`, `BcnJhe::$f_Array`, `FycmF5::$f_Array`, `NvdW50::$f_count`, `QXJyYX::$f_Array`, `Y291bn::$f_count`, `ZXhlY::$f_exec`, `base64_decode`, `c3lzdGVt::$f_system`, `leGVj::$f_exec`, `zeXN0ZW::$f_system` |
| HIGH | evasion/rename_system_binary | Renames system binary | `cp /usr/bin/mc` |
| HIGH | ref/path/dev/shm | reference file within /dev/shm (world writeable) | `/dev/shm/aufs.xinovfs` |

/tmp/bincapz19081780/packages/x86_64/kots-1.112.0-r0.apk/usr/bin/kotsadm [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| HIGH | combo/dropper/shell | fetches content and pipes it to a shell | `[curl https://krew.sh/preflight` |
| HIGH | combo/recon/upload_netinfo | Has a user agent and collects network info | `/proc/net/route`, `User-Agent` |
| HIGH | combo/stealer/creds | suspected data stealer | Atomic, Bitcoin, Bookmarks, Chrome, Chromium, Firefox, History, Snowflake |
| CRITICAL | evasion/base64/php_functions | References multiple PHP functions in base64 form | `<?php::$php`, `BcnJhe::$f_Array`, `FycmF5::$f_Array`, `NvdW50::$f_count`, `QXJyYX::$f_Array`, `Y291bn::$f_count`, `ZXhlY::$f_exec`, `base64_decode`, `c3lzdGVt::$f_system`, `leGVj::$f_exec`, `zeXN0ZW::$f_system` |
| HIGH | evasion/rename_system_binary | Renames system binary | `cp /usr/bin/mc` |
| HIGH | ref/path/dev/shm | reference file within /dev/shm (world writeable) | `/dev/shm/aufs.xinovfs` |

@rawlingsj (Member) commented:

bincapz critical is a FP as kots does not use PHP

@rawlingsj rawlingsj merged commit af8bbf0 into main Jul 16, 2024
8 checks passed
@rawlingsj rawlingsj deleted the wolfictl-d77461e3-8cca-4013-bbb3-0ce869498f4b branch July 16, 2024 18:22
Labels: automated pr, bincapz/blocking, P1 (This issue is very important and will be addressed within the team planning window), request-version-update (request for a newer version of a package)