insomnisec/Detections-CVE-2026-31431

GitHub: insomnisec/Detections-CVE-2026-31431

Detection rules and incident-response pack for CVE-2026-31431, a Linux kernel local privilege escalation: YARA, auditd and Wazuh rules plus an emergency mitigation.

Stars: 1 | Forks: 0

# CVE-2026-31431 "Copy Fail" — Detection & Response Pack

- **Published:** 2026-04-30
- **CVSSv3:** 7.8 (High)
- **Type:** Local Privilege Escalation (LPE)
- **Subsystem:** Linux kernel `algif_aead` / `authencesn` crypto template
- **Affected versions:** Linux kernel 4.14 – 6.18.21 (practically every distribution shipped since 2017)
- **References:**
  - [Xint/Theori analysis](https://xint.io/blog/copy-fail-linux-distributions)
  - [Official PoC](https://github.com/theori-io/copy-fail-CVE-2026-31431)
  - [oss-security disclosure](https://seclists.org/oss-sec/2026/q2/281)
  - [copy.fail](https://copy.fail)

## Table of Contents

1. [Vulnerability Summary](#vulnerability-summary)
2. [How the Exploit Works](#how-the-exploit-works)
3. [Detection Limitations](#detection-limitations)
4. [Immediate Mitigation](#immediate-mitigation)
5. [YARA Rule](#yara-rule)
6. [Auditd Rules](#auditd-rules)
7. [Wazuh Rules](#wazuh-rules)
8. [MISP Event Template](#misp-event-template)
9. [Patching & Remediation](#patching--remediation)
10. [Key IoCs Reference](#key-iocs-reference)

## Vulnerability Summary

CVE-2026-31431 is a logic flaw introduced in kernel 4.14 (2017) where three independent changes meet:

1. The `authencesn` template (added in 2011 for IPsec ESN support) writes 4 bytes of scratch data past the end of its output buffer.
2. `AF_ALG` gained AEAD support in 2015, letting user space submit data with `splice()` straight from page-cache-backed files.
3. In 2017 `algif_aead.c` was optimized to operate in place (`req->src == req->dst`), which puts live page-cache pages into a writable scatterlist.

The result: an unprivileged user can write exactly 4 bytes of their choosing into the page-cache copy of any readable file, setuid binaries and `/etc/passwd` included, without ever touching the file on disk. The public PoC is a 732-byte Python script. There is no race condition and no distribution-specific offset; it works reliably on Ubuntu, RHEL, Amazon Linux and SUSE.

## How the Exploit Works

```
Attacker opens AF_ALG socket (family 38, type 5)
  └─ Binds to "authencesn(hmac(sha256),cbc(aes))"
  └─ Sets SOL_ALG (279) options including key and authsize
  └─ Accepts a connection socket

Attacker opens target file (e.g., /etc/passwd) read-only
  └─ Uses splice() to feed page-cache pages into the AEAD socket's RX buffer
  └─ Sends crafted AAD via sendmsg() — bytes 4–7 of AAD = attacker-controlled write value

authencesn performs in-place decryption:
  └─ scatterwalk_map_and_copy writes seqno_lo into the chained page-cache page
  └─ recvmsg() returns an error (HMAC fails — expected), but the write already happened

Page-cache now contains attacker-modified copy of the file
  └─ Kernel executes from page-cache, not disk
  └─ On-disk file is UNCHANGED — file integrity tools see nothing
```

The PoC targets `/etc/passwd`: it locates the UID field of the current user, overwrites it with `0000`, and then calls `su` to obtain a root shell.

## Detection Limitations

Two properties of this exploit sharply limit what detection can cover:

**1. The write goes to the page cache, not the filesystem.** Any tool that watches filesystem events (`inotify`, `fanotify`, AIDE, Tripwire, auditd path watches) will **not** see the modification; the on-disk file is never written. In particular, the `-p w` (write) flag on an auditd watch for `/usr/bin/su` or `/etc/passwd` will not fire on the exploit's write.

**2. The mechanism uses legitimate kernel interfaces.** `AF_ALG` sockets, `splice()` and `authencesn` all have legitimate uses (IPsec, kernel self-tests, sendfile-style I/O). Detection has to key on the *combination* of these primitives rather than any one of them in isolation, and false positives should be expected on hosts that run IPsec or exercise the kernel crypto API.

**What detection CAN catch:**

- The `socket(AF_ALG, SOCK_SEQPACKET, 0)` system call
- `splice()` calls associated with the above, especially close to accesses of setuid binaries
- The PoC script itself (via YARA)
- The specific algorithm string `authencesn(hmac(sha256),cbc(aes))` in process memory or script files

**What detection CANNOT catch:**

- The page-cache write itself (an in-memory operation with no filesystem event)
- Post-exploitation use of the modified page-cache entry (it looks like an ordinary `su` or `passwd` invocation)
- Exploit variants that avoid Python or the specific algorithm string

## Immediate Mitigation

Apply this on every unpatched host before rolling out the detection rules:

```
# Disable the algif_aead kernel module: removes the exploit primitive entirely
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null || true
```

Two caveats. The `install` line only stops the module from being loaded: if `algif_aead` is compiled into the kernel (`grep algif_aead /lib/modules/$(uname -r)/modules.builtin` prints a match) it has no effect and only a kernel update closes the hole. And `rmmod` is silenced above, so if the module is in use it stays loaded until the last AF_ALG AEAD socket is closed. Either way, verify with the official test tool rather than trusting the commands:

```
# Exit 0 = not affected / mitigated
# Exit 2 = vulnerable
python3 test_cve_2026_31431.py
```

## YARA Rule

Save as `cve_2026_31431.yar`:

```
rule CVE_2026_31431_CopyFail_PoC_HighConfidence
{
    meta:
        description = "High-confidence match: CVE-2026-31431 Copy Fail PoC or close variant"
        author      = "Detection Engineering"
        reference   = "https://xint.io/blog/copy-fail-linux-distributions"
        cve         = "CVE-2026-31431"
        date        = "2026-04-30"
        severity    = "High"
        cvss        = "7.8"

    strings:
        // Algorithm string unique to this exploit path — very high fidelity
        $alg_full = "authencesn(hmac(sha256),cbc(aes))" ascii

        // Specific socket call signature from PoC: AF_ALG=38, SOCK_SEQPACKET=5
        $socket_call = "socket(38,5,0)" ascii

        // SOL_ALG socket option (decimal 279)
        $solalg = "setsockopt(279" ascii

        // Hex key/iv payload written via setsockopt in PoC
        $key_payload = "0800010000000010" ascii

        // splice() usage in context of AEAD operations
        $splice = "splice(" ascii

        // Target indicators from PoC (page-cache corruption targets)
        $target_passwd = "/etc/passwd" ascii
        $target_su     = "/usr/bin/su" ascii

        // AF_ALG aead bind strings
        $aead_bind = "\"aead\"" ascii

    condition:
        // High-confidence: unique algorithm string alone is sufficient
        $alg_full or
        // Medium-confidence: socket primitive + option number
        ($socket_call and $solalg) or
        // Medium-confidence: splice into AEAD socket targeting a setuid path
        ($aead_bind and $splice and ($target_passwd or $target_su)) or
        // PoC hex payload present alongside splice
        ($key_payload and $splice)
}

rule CVE_2026_31431_CopyFail_Mechanism
{
    meta:
        description = "Behavioral: AF_ALG AEAD + splice combination suggestive of CVE-2026-31431 technique"
        author      = "Detection Engineering"
        reference   = "https://xint.io/blog/copy-fail-linux-distributions"
        cve         = "CVE-2026-31431"
        date        = "2026-04-30"
        severity    = "Medium"
        note        = "Higher false positive rate than HighConfidence rule — review matches in context"

    strings:
        $authencesn  = "authencesn" ascii nocase
        $af_alg_num  = "socket(38" ascii
        $sol_alg_num = "279" ascii
        $splice      = "splice(" ascii

    condition:
        ($authencesn and $splice) or
        ($af_alg_num and $sol_alg_num and $splice)
}
```

## Auditd Rules

Save as `/etc/audit/rules.d/cve-2026-31431.rules` and reload:

```
sudo augenrules --load
# or, on older systems:
sudo auditctl -R /etc/audit/rules.d/cve-2026-31431.rules
```

```
## ============================================================
## CVE-2026-31431 "Copy Fail" — auditd detection rules
## ============================================================
## These rules capture the exploit's mechanism (socket + splice
## syscalls) and the /etc/passwd access pattern that goes with it.
##
## IMPORTANT: they do NOT detect the page-cache write itself,
## which is an in-memory operation with no filesystem event.
## A path watch (-w) on a setuid binary or /etc/passwd will not
## fire when the exploit writes.
##
## Correlate hits across the audit keys to build a signal: an
## afalg_socket hit followed closely by a splice hit from the
## same process is a strong indicator.
## ============================================================

## --- Core exploit primitive: AF_ALG socket creation ---
## Watch socket(2) with a0 = 0x26 (38 decimal = AF_ALG).
## This is the first step of the exploit chain.
## Note: on i386, socket() may be multiplexed through socketcall(2)
## (kernels before 4.3 and older libcs); the b32 rule does not see
## those. Add -S socketcall there if that matters to you.
-a always,exit -F arch=b64 -S socket -F a0=0x26 -k cve_2026_31431_afalg_socket
-a always,exit -F arch=b32 -S socket -F a0=0x26 -k cve_2026_31431_afalg_socket

## --- splice() syscall monitoring ---
## splice() feeds page-cache pages into the AEAD socket.
## Note: splice() is common in sendfile-style I/O. Correlate it
## with a cve_2026_31431_afalg_socket hit from the same PID.
-a always,exit -F arch=b64 -S splice -k cve_2026_31431_splice
-a always,exit -F arch=b32 -S splice -k cve_2026_31431_splice

## --- /etc/passwd access monitoring ---
## The PoC reads /etc/passwd to locate the UID field offset.
## Read access (-p r) is kept because the point is to correlate
## this read with the AF_ALG socket key above, not to use the
## watch as a standalone alert.
-w /etc/passwd -p rwa -k cve_2026_31431_passwd_access

## --- setuid binary execution monitoring ---
## Detects su being executed after the page cache was modified.
## The page-cache write is what lets su run as root; this catches
## the consequence of the exploit, not the write itself.
-w /usr/bin/su -p xa -k cve_2026_31431_su_exec
-w /usr/bin/sudo -p xa -k cve_2026_31431_sudo_exec

## --- algif_aead module state monitoring ---
## The exploit needs algif_aead loaded. Watching modprobe helps
## spot attempts to load the module on hosts where it was
## disabled as a mitigation, and confirms whether the mitigation
## is being bypassed.
-a always,exit -F arch=b64 -S finit_module -S init_module -k cve_2026_31431_module_load
-w /etc/modprobe.d -p wa -k cve_2026_31431_modprobe_conf
```

### Querying correlated events

Once the rules are loaded, use `ausearch` to correlate hits on the different keys within a time window:

```
# All CVE-2026-31431 events from the last 10 minutes (--start recent)
sudo ausearch -k cve_2026_31431_afalg_socket -k cve_2026_31431_splice \
  --start recent --raw | aureport --interpret

# Does any PID have both an AF_ALG socket hit and a splice hit today?
# (match " pid=" with a leading space so that "ppid=" is not picked up)
sudo ausearch -k cve_2026_31431_afalg_socket --start today --raw \
  | grep -oE '(^| )pid=[0-9]+' | sed 's/.*pid=//' | sort -u \
  | while read -r pid; do
      sudo ausearch -k cve_2026_31431_splice -p "$pid" --start today -i >/dev/null 2>&1 \
        && echo "[!] PID $pid hit both AF_ALG and splice - investigate"
    done
```

## Wazuh Rules

Save to your local rules file (usually `/var/ossec/etc/rules/local_rules.xml`). Every rule decodes as `auditd` and matches on the `audit.key` field; the AF_ALG socket rule is id 112001 and the correlation rules chain on it:

| Match | Chains on | Description | Groups |
|---|---|---|---|
| `audit.key` = `cve_2026_31431_afalg_socket` (rule 112001) | | CVE-2026-31431 Copy Fail: AF_ALG socket (family 38) created by unprivileged process | cve, privilege_escalation, linux, kernel, crypto |
| `audit.key` = `cve_2026_31431_splice` | | CVE-2026-31431 Copy Fail: splice() syscall detected — monitor for correlation with AF_ALG socket rule | cve, privilege_escalation, linux, kernel |
| `audit.key` = `cve_2026_31431_splice`, same `audit.pid` as the parent hit | 112001 | CVE-2026-31431 Copy Fail CRITICAL: AF_ALG socket creation followed by splice() from same process — active exploitation likely | cve, privilege_escalation, linux, kernel, crypto, high_confidence |
| `audit.key` = `cve_2026_31431_passwd_access` | 112001 | CVE-2026-31431 Copy Fail: /etc/passwd access following AF_ALG socket creation — consistent with PoC target selection | cve, privilege_escalation, linux, kernel |
| `audit.key` = `cve_2026_31431_su_exec\|cve_2026_31431_sudo_exec` | 112001 | CVE-2026-31431 Copy Fail: su/sudo execution following AF_ALG socket creation — possible post-exploitation | cve, privilege_escalation, linux, kernel |
| `audit.key` = `cve_2026_31431_module_load`, plus a field matching `^.*(python\|python3\|insmod\|modprobe).*$` | | CVE-2026-31431 Copy Fail: Kernel module load attempt — verify algif_aead mitigation has not been bypassed | cve, privilege_escalation, linux, kernel |
| `audit.key` = `cve_2026_31431_modprobe_conf` | | CVE-2026-31431 Copy Fail: /etc/modprobe.d modified — verify algif_aead disable config has not been removed | cve, privilege_escalation, linux, kernel |

## MISP Event Template

Save as `misp_cve_2026_31431.json` and import via MISP → Events → Import.

```
{
  "Event": {
    "uuid": "7f3a2d1e-8b4c-4f9a-a3e2-6d5c1b8e9f0a",
    "info": "CVE-2026-31431 Copy Fail — Linux LPE via authencesn page-cache write",
    "threat_level_id": "2",
    "analysis": "2",
    "date": "2026-04-30",
    "Attribute": [
      {
        "type": "vulnerability",
        "category": "External analysis",
        "to_ids": false,
        "uuid": "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
        "comment": "CVE identifier",
        "value": "CVE-2026-31431"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e",
        "comment": "Vulnerability description",
        "value": "Logic flaw in Linux kernel authencesn cryptographic template. An unprivileged local user can write 4 attacker-controlled bytes into the page cache of any readable file via AF_ALG + splice(), enabling local privilege escalation. No race condition required. Affects kernels 4.14 through 6.18.21."
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f",
        "comment": "Attack vector summary",
        "value": "socket(38, 5, 0) [AF_ALG/SOCK_SEQPACKET] → bind authencesn(hmac(sha256),cbc(aes)) → setsockopt(SOL_ALG/279) → splice() page-cache pages into AEAD socket → 4-byte controlled write into page cache of target file"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a",
        "comment": "Affected kernel range",
        "value": "Linux kernel 4.14 (commit 72548b093ee3) through 6.18.21"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b",
        "comment": "Introducing commit (root cause)",
        "value": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7 — algif_aead in-place AEAD optimization (2017)"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "6f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c",
        "comment": "Fix commit — kernel 6.18.22 stable",
        "value": "fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d",
        "comment": "Fix commit — kernel 6.19.12 stable",
        "value": "ce42ee423e58dffa5ec03524054c9d8bfd4f6237"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e",
        "comment": "Fix commit — kernel 7.0 mainline",
        "value": "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f",
        "comment": "IoC: Socket family (AF_ALG)",
        "value": "socket family 38 (AF_ALG)"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a",
        "comment": "IoC: Socket type (SOCK_SEQPACKET)",
        "value": "socket type 5 (SOCK_SEQPACKET)"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "1e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b",
        "comment": "IoC: Socket option (SOL_ALG = 279)",
        "value": "setsockopt level 279 (SOL_ALG)"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c",
        "comment": "IoC: Algorithm string (highest fidelity)",
        "value": "authencesn(hmac(sha256),cbc(aes))"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d",
        "comment": "IoC: Primary PoC target file",
        "value": "/etc/passwd (UID field offset targeted by PoC)"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": true,
        "uuid": "4b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9e",
        "comment": "IoC: Secondary targets (setuid binaries)",
        "value": "/usr/bin/su, /usr/bin/sudo"
      },
      {
        "type": "text",
        "category": "Other",
        "to_ids": false,
        "uuid": "5c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0f",
        "comment": "Immediate mitigation",
        "value": "echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif-aead.conf && rmmod algif_aead"
      },
      {
        "type": "url",
        "category": "External analysis",
        "to_ids": false,
        "uuid": "6d7e8f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1a",
        "comment": "Official write-up",
        "value": "https://xint.io/blog/copy-fail-linux-distributions"
      },
      {
        "type": "url",
        "category": "External analysis",
        "to_ids": false,
        "uuid": "7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b",
        "comment": "Official PoC repository",
        "value": "https://github.com/theori-io/copy-fail-CVE-2026-31431"
      }
    ],
    "Object": [
      {
        "name": "vulnerability",
        "meta-category": "vulnerability",
        "Attribute": [
          {
            "type": "vulnerability",
            "object_relation": "id",
            "value": "CVE-2026-31431"
          },
          {
            "type": "cvss-score",
            "object_relation": "cvss-score",
            "value": "7.8"
          },
          {
            "type": "text",
            "object_relation": "summary",
            "value": "Linux kernel authencesn LPE via AF_ALG + splice() page-cache write"
          }
        ]
      }
    ]
  }
}
```

## Patching & Remediation

### Kernel patches

| Branch | Fixed version | Fix commit |
|---|---|---|
| Stable 6.18.x | 6.18.22 | `fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8` |
| Stable 6.19.x | 6.19.12 | `ce42ee423e58dffa5ec03524054c9d8bfd4f6237` |
| Mainline | 7.0 | `a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5` |

The fix reverts the in-place AEAD optimization introduced in `algif_aead.c` in 2017 to out-of-place operation, so page-cache pages are never placed in a writable scatterlist.

### Distribution-specific guidance

| Distribution | Action |
|---|---|
| Ubuntu | `apt-get update && apt-get upgrade linux-image-generic`; check the USN advisory |
| RHEL / Rocky / Alma | `dnf update kernel`; check the RHSB advisory |
| Amazon Linux 2023 | `dnf update kernel`; check the ALAS advisory |
| SUSE / openSUSE | `zypper update kernel-default`; check the SUSE SA advisory |
| Debian | Check the security tracker; a backported patch may ship before the kernel update |
| Arch | `pacman -Syu` (rolling; picks up the upstream fix as soon as it is released) |

### Post-exposure integrity verification

If you suspect a host was exploited before it was patched, collect evidence before you drop the page cache. Every check below reads the file through the page cache, so it can see the poisoned copy; once `drop_caches` has run, the kernel re-reads the untouched on-disk copy and that evidence is gone.

```
# 1. Check /etc/passwd for a tampered UID field
#    (compare against a known-good backup or a sibling host)
awk -F: '$3 ~ /^0+$/ && $1 != "root" {print "SUSPICIOUS UID 0 ENTRY:", $0}' /etc/passwd

# 2. Verify setuid binaries against the package manager
rpm -Va --nomtime 2>/dev/null | grep -E '^.{0,8}5.*/(su|sudo)$'    # RHEL/rpm
debsums -s 2>/dev/null | grep -E '/(su|sudo)( |$)'                   # Debian/Ubuntu

# 3. Drop the page cache to evict any in-memory modification
#    WARNING: temporary performance impact
sync && echo 3 | sudo tee /proc/sys/vm/drop_caches

# 4. Re-check recent su/sudo invocations for unexpected UID transitions
#    (su and sudo log via syslog identifiers, not as systemd units)
journalctl -t su -t sudo --since "48 hours ago" | grep "session opened for user root"
```

## Key IoCs Reference

| Indicator | Value | Confidence |
|---|---|---|
| AF_ALG socket family | `38` (first argument to `socket()`) | Medium: legitimate uses exist |
| Socket type | `5` (SOCK_SEQPACKET) | Medium |
| SOL_ALG option level | `279` (`level` argument to `setsockopt()`) | Medium |
| Algorithm string | `authencesn(hmac(sha256),cbc(aes))` | **High**: very rare outside IPsec ESN |
| Syscall chain | `socket(38)` → `setsockopt(279)` → `splice()` | **High** |
| PoC key payload | `0800010000000010` (hex, in setsockopt) | **High** (for the known PoC) |
| Primary PoC target | `/etc/passwd` UID field | Medium |
| Secondary targets | `/usr/bin/su`, `/usr/bin/sudo` | Medium |
| Kernel module | `algif_aead` | Context-dependent |

*This detection pack is maintained against the official PoC at [theori-io/copy-fail-CVE-2026-31431](https://github.com/theori-io/copy-fail-CVE-2026-31431). If you observe an exploit variant these rules do not cover, please open an issue in the main PoC repository.*
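The correlation step that the Auditd Rules section and the Wazuh `audit.pid` rule both describe (an `afalg_socket` hit followed by a `splice` hit from the same PID, with `/etc/passwd` access and a child `su`/`sudo` exec as supporting evidence) as a stand-alone script. This is an added example, not code from this pack or from the PoC repository. The log lines it ships with are constructed in auditd's raw `audit.log` format with fields the parser does not use left out; the PIDs, timestamps, x86_64 syscall numbers and the 60-second window are assumptions.

```python
#!/usr/bin/env python3
"""Per-PID correlation of CVE-2026-31431 auditd key hits (added example)."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass, field

KEY_PREFIX = "cve_2026_31431_"
WINDOW_SECONDS = 60.0  # assumption: the PoC goes from socket() to splice() well inside a minute

# Constructed sample of /var/log/audit/audit.log (raw format) carrying the pack's keys.
# Fields the parser does not use are omitted; PIDs, timestamps and syscall numbers
# (x86_64: 41=socket, 257=openat, 275=splice, 59=execve) are illustrative.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1777500000.101:3101): arch=c000003e syscall=41 success=yes exit=3 a0=0x26 a1=0x5 a2=0x0 a3=0x0 items=0 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="python3" exe="/usr/bin/python3.12" key="cve_2026_31431_afalg_socket"
type=SYSCALL msg=audit(1777500000.420:3102): arch=c000003e syscall=257 success=yes exit=4 a0=0xffffff9c a1=0x7ffd1c0 a2=0x0 a3=0x0 items=1 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="python3" exe="/usr/bin/python3.12" key="cve_2026_31431_passwd_access"
type=SYSCALL msg=audit(1777500000.733:3103): arch=c000003e syscall=275 success=yes exit=4096 a0=0x4 a1=0x0 a2=0x5 a3=0x0 items=0 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="python3" exe="/usr/bin/python3.12" key="cve_2026_31431_splice"
type=SYSCALL msg=audit(1777500001.900:3104): arch=c000003e syscall=59 success=yes exit=0 a0=0x1 a1=0x2 a2=0x3 a3=0x0 items=2 ppid=2345 pid=2346 auid=1000 uid=1000 gid=1000 euid=0 ses=4 comm="su" exe="/usr/bin/su" key="cve_2026_31431_su_exec"
type=SYSCALL msg=audit(1777500010.000:3105): arch=c000003e syscall=275 success=yes exit=65536 a0=0x9 a1=0x0 a2=0xb a3=0x0 items=0 ppid=1 pid=3000 auid=4294967295 uid=33 gid=33 euid=33 ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="cve_2026_31431_splice"
type=SYSCALL msg=audit(1777500020.000:3106): arch=c000003e syscall=41 success=yes exit=3 a0=0x26 a1=0x5 a2=0x0 a3=0x0 items=0 ppid=1 pid=3100 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="charon" exe="/usr/lib/ipsec/charon" key="cve_2026_31431_afalg_socket"
"""

# Only SYSCALL records carry the key; a leading space before " pid=" and " uid="
# keeps the regex off "ppid=" and "auid=/euid=/suid=/fsuid=".
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?"
    r" ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) .*?"
    r" uid=(?P<uid>\d+) .*?"
    r' comm="(?P<comm>[^"]*)".*?'
    r' key="(?P<key>[^"]*)"'
)


@dataclass(frozen=True)
class Event:
    ts: float
    pid: int
    ppid: int
    uid: int
    comm: str
    key: str  # audit key with the cve_2026_31431_ prefix stripped


@dataclass
class Finding:
    pid: int
    uid: int
    comm: str
    severity: str  # "critical" (socket + splice from one PID) or "low" (socket only)
    keys: set = field(default_factory=set)            # pack keys this PID hit inside the window
    child_execs: list = field(default_factory=list)   # (pid, comm) of su/sudo started by this PID


def parse_events(lines):
    """Keep the SYSCALL records tagged with one of the pack's keys, oldest first."""
    events = []
    for line in lines:
        m = SYSCALL_RE.search(line)
        if not m or not m["key"].startswith(KEY_PREFIX):
            continue
        events.append(Event(float(m["ts"]), int(m["pid"]), int(m["ppid"]), int(m["uid"]),
                            m["comm"], m["key"][len(KEY_PREFIX):]))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=WINDOW_SECONDS):
    """Return {pid: Finding} for every PID that created an AF_ALG socket.

    splice() or /etc/passwd access on their own are ordinary I/O and never produce
    a finding; they only count once the same PID has opened an AF_ALG socket.
    """
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    findings = {}
    for pid, evs in by_pid.items():
        sockets = [e for e in evs if e.key == "afalg_socket"]
        if not sockets:
            continue
        t0 = sockets[0].ts

        def near(e):
            return abs(e.ts - t0) <= window

        f = Finding(pid, sockets[0].uid, sockets[0].comm, "low")
        f.keys = {e.key for e in evs if near(e)}
        # su/sudo executed by a child of this PID inside the window: post-exploitation evidence
        f.child_execs = [(e.pid, e.comm) for e in events
                         if e.ppid == pid and e.key in ("su_exec", "sudo_exec") and near(e)]
        if "splice" in f.keys:
            f.severity = "critical"
        findings[pid] = f
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for pid, f in sorted(correlate(parse_events(lines)).items()):
        extra = ", ".join(sorted(f.keys - {"afalg_socket"})) or "none"
        kids = ", ".join(f"{p}:{c}" for p, c in f.child_execs) or "none"
        print(f"[{f.severity.upper():8}] pid={pid} uid={f.uid} comm={f.comm} "
              f"other_keys={extra} child_su_sudo={kids}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample verdicts (PID 2345 is critical, the IPsec daemon's AF_ALG socket is low, nginx's splice is not reported at all), or point it at `/var/log/audit/audit.log` once the rules from the Auditd Rules section are loaded. A PID that lands on "low" is exactly the IPsec / kernel-crypto false-positive population the Detection Limitations section warns about.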
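The Detection Limitations section says the exploit changes only the page-cache copy of a file and leaves the disk untouched, which is also why the post-exposure checks above have to run before `drop_caches`. That split can be turned into a direct check: read the file once the normal way (served from the page cache) and once with `O_DIRECT` (served from disk), and diff the two. This is an added example, not code from this pack or the PoC repository. It assumes `O_DIRECT` bypasses the page cache on the target filesystem (true on ext4 and xfs; tmpfs and some overlay setups reject it with EINVAL) and that the poisoned pages are clean and are therefore never written back. It also folds in the UID-0 test from the `awk` one-liner. Nothing here writes to the file.

```python
#!/usr/bin/env python3
"""Compare a file's page-cache copy with its on-disk copy (added example)."""
import mmap
import os
import sys

BLOCK = 4096  # O_DIRECT needs page-aligned buffers and offsets; an anonymous mmap is page-aligned


def read_buffered(path):
    """Ordinary read(2): served from the page cache, i.e. the copy the kernel executes/parses."""
    with open(path, "rb") as fh:
        return fh.read()


def read_direct(path):
    """O_DIRECT read: bypasses the page cache and returns what is on disk."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        size = os.fstat(fd).st_size
        buf = mmap.mmap(-1, BLOCK)      # page-aligned scratch buffer
        data = bytearray()
        while len(data) < size:
            n = os.preadv(fd, [buf], len(data))   # short read only at EOF, so offsets stay aligned
            if n <= 0:
                break
            data += buf[:n]
        return bytes(data[:size])
    finally:
        os.close(fd)


def diverging_runs(cached, disk):
    """Maximal runs of bytes where the page-cache copy and the disk copy differ.

    Returns [(offset, cached_bytes, disk_bytes)]; a length mismatch shows up as a
    run over the tail with an empty slice on the shorter side.  The exploit's
    footprint is a single 4-byte run.
    """
    runs = []
    n = max(len(cached), len(disk))
    i = 0
    while i < n:
        if cached[i:i + 1] == disk[i:i + 1]:
            i += 1
            continue
        j = i
        while j < n and cached[j:j + 1] != disk[j:j + 1]:
            j += 1
        runs.append((i, cached[i:j], disk[i:j]))
        i = j
    return runs


def uid0_entries_other_than_root(passwd_bytes):
    """Usernames in passwd-format data whose UID field is all zeros but are not root.

    The PoC rewrites the caller's UID field to "0000", which still parses as UID 0.
    """
    hits = []
    for line in passwd_bytes.decode("utf-8", "replace").splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[0] != "root" and parts[2] and set(parts[2]) == {"0"}:
            hits.append(parts[0])
    return hits


def check(path):
    """Report every page-cache/disk divergence for one file; None if O_DIRECT is unavailable."""
    cached = read_buffered(path)
    try:
        disk = read_direct(path)
    except OSError as exc:
        print(f"{path}: direct read failed ({exc.strerror}); filesystem may not support O_DIRECT")
        return None
    runs = diverging_runs(cached, disk)
    for off, c, d in runs:
        print(f"{path}: page cache differs from disk at offset {off}: cache={c!r} disk={d!r}")
    if not runs:
        print(f"{path}: page cache matches disk")
    return runs


if __name__ == "__main__":
    for p in sys.argv[1:] or ["/etc/passwd"]:
        check(p)
        if p.endswith("passwd"):
            for user in uid0_entries_other_than_root(read_buffered(p)):
                print(f"{p}: non-root entry with UID 0: {user}")
```

Run it as `python3 pagecache_vs_disk.py /etc/passwd /usr/bin/su /usr/bin/sudo` before step 3 of the integrity checks; a reported run is the one thing AIDE, Tripwire and `rpm -V` after `drop_caches` can never show you. The `O_DIRECT` read needs the file to be readable by the caller, so run it as root for the setuid binaries' targets only if your policy allows.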