Commit aa518af

committed

Add ingress nightmare exploit detection signature

There is a new signature capable of detecting attempts to exploit the ingress nightmare vulnerability (CVE-2025-1974). It works by hooking the `security_inode_follow_link` hook and validates is a `nginx` process is trying to resolve any `FD`s in `/proc/<pid>/fd/`. The signature is far from perfect, as it is pretty specific to the ingress nightmare case, but it works reliable, as the ingress process should not resolve `FD` symlinks.

1 parent 07c144f commit aa518afCopy full SHA for aa518af

19 files changed

+1016

-1205

lines changed

api/v1
- kube
  - kube_api.pb.go
- runtime
cmd/agent/daemon
- daemon.go
pkg/ebpftracer
- c
  - headers
    - types.h
  - tracee.bpf.c
- decoder
  - args_decoder.go
- events
  - events.go
- events.go
- probes.go
- signature
  - ingress_nightmare_detected.go
  - signature_rules.go
- tracer_arm64_bpfel.go
- tracer_arm64_bpfel.o
- tracer_playground_test.go
- tracer_x86_bpfel.go
- tracer_x86_bpfel.o
- types
  - args.go

19 files changed

+1016

-1205

lines changed

`‎api/v1/kube/kube_api.pb.go`

Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Comments

(0)