Merge pull request #564 from kubescape/fix/c-0079

Fixing C-0079 to properly detect CVE-2022-0185 on azure
kubescape · Jan 23, 2024 · f6012e9 · f6012e9
2 parents 1a68f73 + bf27b26
commit f6012e9
Show file tree

Hide file tree

Showing 13 changed files with 2,988 additions and 7 deletions.
diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego
@@ -3,14 +3,11 @@ package armo_builtins
 deny[msga] {
 	node := input[_]
     node.kind == "Node"
-    kernel_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, node.status.nodeInfo.kernelVersion, -1)
-    kernelVersion := kernel_version_match[0][0]
 
-    kernel_version_arr := split(kernelVersion, ".")
-    to_number(kernel_version_arr[0]) == 5
-    to_number(kernel_version_arr[1]) >= 1
-    to_number(kernel_version_arr[1]) <= 16
-    to_number(kernel_version_arr[2]) < 2
+    parsed_kernel_version_arr := parse_kernel_version_to_array(node.status.nodeInfo.kernelVersion)
+    is_azure := parsed_kernel_version_arr[4] == "azure"
+
+    is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure)
 
     node.status.nodeInfo.operatingSystem == "linux"
     path := "status.nodeInfo.kernelVersion"
@@ -40,7 +37,36 @@ deny[msga] {
 	}
 }
 
+# General Kernel versions are between 5.1.1 and 5.16.2
+is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure) {
+    is_azure == false
+    parsed_kernel_version_arr[0] == 5
+    parsed_kernel_version_arr[1] >= 1
+    parsed_kernel_version_arr[1] <= 16
+    parsed_kernel_version_arr[2] < 2
+}
+
+# Azure kernel version with is 5.4.0-1067-azure
+is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure) {
+    is_azure == true
+    parsed_kernel_version_arr[0] == 5
+    parsed_kernel_version_arr[1] >= 1
+    parsed_kernel_version_arr[1] <= 4
+    parsed_kernel_version_arr[2] == 0
+    parsed_kernel_version_arr[3] < 1067
+}
+
 is_unprivileged_userns_clone_enabled(linux_kernel_var) {
 	linux_kernel_var.key == "unprivileged_userns_clone"
     linux_kernel_var.value == "1\n"
+}
+
+parse_kernel_version_to_array(kernel_version_str) = output {
+	version_triplet := regex.find_n(`(\d+\.\d+\.\d+)`, kernel_version_str,-1)
+    version_triplet_array := split(version_triplet[0],".")
+
+    build_vendor := regex.find_n(`-(\d+)-(\w+)`, kernel_version_str,-1)
+    build_vendor_array := split(build_vendor[0],"-")
+
+    output := [to_number(version_triplet_array[0]),to_number(version_triplet_array[1]),to_number(version_triplet_array[2]),to_number(build_vendor_array[1]),build_vendor_array[2]]
 }