25-05-2023 Cloud Native Computing Meetup Switzerland
$ trivy image ubuntu:latest
2023-03-22T10:41:57.265Z INFO Vulnerability scanning is enabled
2023-03-22T10:41:57.266Z INFO Secret scanning is enabled
2023-03-22T10:41:57.266Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:41:57.266Z INFO Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:41:58.233Z INFO Detected OS: ubuntu
2023-03-22T10:41:58.233Z INFO Detecting Ubuntu vulnerabilities...
2023-03-22T10:41:58.236Z INFO Number of language-specific files: 0
ubuntu:latest (ubuntu 22.04)
Total: 12 (UNKNOWN: 0, LOW: 12, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌──────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash │ CVE-2022-3715 │ LOW │ 5.1-6ubuntu1 │ │ bash: a heap-buffer-overflow in valid_parameter_transform │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3715 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ │ 8.32-4.1ubuntu1 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv │ CVE-2022-3219 │ │ 2.2.27-3ubuntu2.1 │ │ gnupg: denial of service issue (resource consumption) using │
│ │ │ │ │ │ compressed packets │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3219 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2016-20013 │ │ 2.35-0ubuntu3.1 │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├──────────────┤ │ │ ├───────────────┤ │
│ libc6 │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libncurses6 │ CVE-2022-29458 │ │ 6.3-2 │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┤ │ │ ├───────────────┤ │
│ libncursesw6 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3 │ CVE-2017-11164 │ │ 2:8.39-13ubuntu0.22.04.1 │ │ pcre: OP_KETRMAX feature in the match function in │
│ │ │ │ │ │ pcre_exec.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-11164 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2022-3996 │ │ 3.0.2-0ubuntu1.8 │ │ openssl: double locking leads to denial of service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3996 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libtinfo6 │ CVE-2022-29458 │ │ 6.3-2 │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┤ │ │ ├───────────────┤ │
│ ncurses-base │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┤ │ │ ├───────────────┤ │
│ ncurses-bin │ │ │ │ │ │
│ │ │ │ │ │ │
└──────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
$ trivy image xxradar/ubuntu_infected:101
2023-03-22T10:35:38.998Z INFO Need to update DB
2023-03-22T10:35:38.999Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-22T10:35:38.999Z INFO Downloading DB...
36.14 MiB / 36.14 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3.91 MiB p/s 9.5s
2023-03-22T10:35:51.163Z INFO Vulnerability scanning is enabled
2023-03-22T10:35:51.170Z INFO Secret scanning is enabled
2023-03-22T10:35:51.171Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:35:51.173Z INFO Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:35:52.602Z INFO Detected OS: ubuntu
2023-03-22T10:35:52.603Z INFO Detecting Ubuntu vulnerabilities...
2023-03-22T10:35:52.618Z INFO Number of language-specific files: 0
xxradar/ubuntu_infected:101 (ubuntu 22.04)
Total: 12 (UNKNOWN: 0, LOW: 12, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌──────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash │ CVE-2022-3715 │ LOW │ 5.1-6ubuntu1 │ │ bash: a heap-buffer-overflow in valid_parameter_transform │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3715 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ │ 8.32-4.1ubuntu1 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv │ CVE-2022-3219 │ │ 2.2.27-3ubuntu2.1 │ │ gnupg: denial of service issue (resource consumption) using │
│ │ │ │ │ │ compressed packets │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3219 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2016-20013 │ │ 2.35-0ubuntu3.1 │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├──────────────┤ │ │ ├───────────────┤ │
│ libc6 │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libncurses6 │ CVE-2022-29458 │ │ 6.3-2 │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┤ │ │ ├───────────────┤ │
│ libncursesw6 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3 │ CVE-2017-11164 │ │ 2:8.39-13ubuntu0.22.04.1 │ │ pcre: OP_KETRMAX feature in the match function in │
│ │ │ │ │ │ pcre_exec.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-11164 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2022-3996 │ │ 3.0.2-0ubuntu1.8 │ │ openssl: double locking leads to denial of service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3996 │
├──────────────┼────────────────┤ ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libtinfo6 │ CVE-2022-29458 │ │ 6.3-2 │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┤ │ │ ├───────────────┤ │
│ ncurses-base │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┤ │ │ ├───────────────┤ │
│ ncurses-bin │ │ │ │ │ │
│ │ │ │ │ │ │
└──────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
$ trivy image node:latest | grep -i TOTAL
2023-03-22T10:39:20.994Z INFO Vulnerability scanning is enabled
2023-03-22T10:39:20.994Z INFO Secret scanning is enabled
2023-03-22T10:39:20.995Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:39:20.995Z INFO Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:39:21.970Z INFO Detected OS: debian
2023-03-22T10:39:21.970Z INFO Detecting Debian vulnerabilities...
2023-03-22T10:39:22.175Z INFO Number of language-specific files: 1
2023-03-22T10:39:22.175Z INFO Detecting node-pkg vulnerabilities...
Total: 1019 (UNKNOWN: 1, LOW: 606, MEDIUM: 199, HIGH: 199, CRITICAL: 14)
$ docker run -it --rm --name=deepfence-yarahunter \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp:/home/deepfence/output \
deepfenceio/yara-hunter:latest \
--image-name xxradar/ubuntu_infected:101 \
--json-filename=xmrig-scan.json
copied size 384
copied size 1032336
server inside23 port {0xc000451a28 0xc00040d3c0 0xc0004518c8 0xc00040d3d0 0xc00040d3e0 0xc00040d3f0 0xc00040d400 0xc00040d410 0xc00040d420 0xc00040d430 0xc0004518d8 0xc00040d440 0xc00040d450 0xc00040d460 0xc00040d470 0xc00040d480 0xc00040d3b0 0xc0004518b8}
INFO[2023-03-25 09:42:54] trying to connect to endpoint 'unix:///var/run/docker.sock' with timeout '10s'
INFO[2023-03-25 09:42:54] connected successfully using endpoint: unix:///var/run/docker.sock
INFO[2023-03-25 09:42:54] trying to connect to endpoint 'unix:///run/containerd/containerd.sock' with timeout '10s'
WARN[2023-03-25 09:43:04] could not connect to endpoint 'unix:///run/containerd/containerd.sock': context deadline exceeded
INFO[2023-03-25 09:43:04] trying to connect to endpoint 'unix:///run/k3s/containerd/containerd.sock' with timeout '10s'
WARN[2023-03-25 09:43:14] could not connect to endpoint 'unix:///run/k3s/containerd/containerd.sock': context deadline exceeded
INFO[2023-03-25 09:43:14] container runtime detected: docker
{
"Timestamp": "2023-03-25 09:43:21.724037583 +00:00",
"Image Name": "xxradar/ubuntu_infected:101",
"Image ID": "0f68bbdbb726cf17f17220e61a09ccf88ff0edfafbc97043378b6a2739352b56",
"Malware match detected are": [
{
"Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
"Matched Rule Name": "spyeye_plugins",
"Strings to match are": [
"config.dat"
],
"Category": ["banker"],
"File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/etc/debconf.conf",
"author":"Jean-Philippe Teissier / @Jipe_ ",
"description":"SpyEye X.Y Plugins memory ",
"date":"2012-05-23 ",
"version":"1.0 ",
"filetype":"memory ",
"Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/etc/debconf.conf has a banker match.The matched rule file's author is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that SpyEye X.Y Plugins memory .The matched rule file's date is 2012-05-23 .The matched rule file's version is 1.0 .The matched rule file's filetype is memory ."
}
,
{
"Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
"Matched Rule Name": "spyeye_plugins",
"Strings to match are": [
"config.dat"
],
"Category": ["banker"],
"File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/usr/share/debconf/debconf.conf",
"author":"Jean-Philippe Teissier / @Jipe_ ",
"description":"SpyEye X.Y Plugins memory ",
"date":"2012-05-23 ",
"version":"1.0 ",
"filetype":"memory ",
"Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/usr/share/debconf/debconf.conf has a banker match.The matched rule file's author is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that SpyEye X.Y Plugins memory .The matched rule file's date is 2012-05-23 .The matched rule file's version is 1.0 .The matched rule file's filetype is memory ."
}
,
{
"Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
"Matched Rule Name": "spyeye",
"Strings to match are": [
"data_end"
],
"Category": ["banker"],
"File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/var/lib/dpkg/info/libc6:amd64.symbols",
"author":"Jean-Philippe Teissier / @Jipe_ ",
"description":"SpyEye X.Y memory ",
"date":"2012-05-23 ",
"version":"1.0 ",
"filetype":"memory ",
"Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/var/lib/dpkg/info/libc6:amd64.symbols has a banker match.The matched rule file's author is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that SpyEye X.Y memory .The matched rule file's date is 2012-05-23 .The matched rule file's version is 1.0 .The matched rule file's filetype is memory ."
}
]
}