
Releases: cainepavl/vulnScan

v0.3.0 — Privilege Escalation Module

26 May 23:33


What's New

Module 9 — Privilege Escalation (Kernel CVEs & Sudo Vectors)

A new ninth check category has been added to vulnScan.sh covering local privilege escalation (LPE) paths.

Kernel CVE Checks

CVE             Name               Summary                                                    Fixed In
CVE-2022-27666  ESP Heap Overflow  Heap buffer overflow in IPsec esp4/esp6 — local LPE        kernel ≥ 5.16.15
CVE-2026-31431  Copy Fail          algif_aead page-cache write → overwrite setuid binaries    6.18.22 / 6.19.12 / 7.0+
CVE-2026-43284  Dirty Frag ESP     Memory corruption in IPsec ESP fragmentation path          Per-LTS branch: 5.10.255, 5.15.205, 6.1.171, 6.6.138, 6.12.87, 6.18.28, 7.0.5+
CVE-2026-43500  Dirty Frag rxrpc   Same class of bug in the AF_RXRPC subsystem                6.18.29+ / 7.0.6+

Each CVE check compares the running kernel against the Fixed In column, escalates from WARN to FAIL when the relevant kernel module is loaded, and appends a verification note for RHEL-family kernels, whose backported fixes are not reflected in the upstream version number.
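The version comparison and the WARN/FAIL escalation described above, as an added example (not vulnScan's own code, and also illustrating the GNU sort -V based version_lt() helper listed under Other Changes). The fixed-in versions are taken from the table; the module names used for escalation (esp4 for the two ESP bugs) and the lsmod text are assumptions constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not vulnScan's own code): a kernel-version CVE check of the kind
# the release notes describe. Fixed-in versions are those from the table above;
# the module names used for WARN -> FAIL escalation and the sample lsmod text are
# assumptions made for this illustration.

# True (exit 0) when version $1 sorts strictly before $2 under GNU sort -V.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Strip a trailing "+" and pad "7.0" to "7.0.0" so major.minor branches compare cleanly.
normalize_version() {
    local v=${1%+}
    case $v in *.*.*) ;; *) v=$v.0 ;; esac
    printf '%s' "$v"
}

# "5.15.0-91-generic" -> "5.15.0": drop the distro suffix before comparing.
kernel_base_version() {
    normalize_version "$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/')"
}

# Compare a running kernel against one fixed-in version per stable branch.
# Prints PASS (at or above the fix for its branch), VULN (below it) or UNKNOWN
# (no entry for this branch, and not newer than every listed fix).
kernel_cve_status() {
    local running base branch fixed highest=
    running=$1; shift
    base=$(kernel_base_version "$running")
    branch=${base%.*}
    for fixed in "$@"; do
        fixed=$(normalize_version "$fixed")
        if [ "${fixed%.*}" = "$branch" ]; then
            if version_lt "$base" "$fixed"; then echo VULN; else echo PASS; fi
            return 0
        fi
        if [ -z "$highest" ] || version_lt "$highest" "$fixed"; then highest=$fixed; fi
    done
    # Unlisted branch: a "7.0.5+" style entry covers every newer branch; an older
    # unlisted branch (EOL or distro-specific) cannot be judged from the table.
    if [ -n "$highest" ] && ! version_lt "$base" "$highest"; then echo PASS; else echo UNKNOWN; fi
}

# Map a status to a vulnScan-style severity: VULN is WARN, raised to FAIL when the
# affected module ($2) appears in the lsmod text ($3); UNKNOWN stays a WARN that
# should carry a "verify against the distro advisory" note.
severity() {
    local status=$1 module=$2 modules=$3
    case $status in
        PASS) echo PASS ;;
        UNKNOWN) echo WARN ;;
        VULN)
            if printf '%s\n' "$modules" | awk '{ print $1 }' | grep -qx "$module"; then
                echo FAIL
            else
                echo WARN
            fi ;;
    esac
}

# Constructed sample lsmod output for the demonstration (not from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0
xfrm_user              49152  1'

report() {   # $1 = running kernel, $2 = CVE, $3 = module, $4... = fixed-in versions
    local running=$1 cve=$2 module=$3; shift 3
    printf '%-16s %-20s %s\n' "$cve" "$running" \
        "$(severity "$(kernel_cve_status "$running" "$@")" "$module" "$SAMPLE_LSMOD")"
}

for k in 5.16.14-generic 6.6.140-rpi; do
    report "$k" CVE-2022-27666 esp4 5.16.15
    report "$k" CVE-2026-43284 esp4 5.10.255 5.15.205 6.1.171 6.6.138 6.12.87 6.18.28 7.0.5+
done
```

The distro suffix is stripped before comparison, but a distribution that backports the fix without bumping the upstream version (RHEL-family kernels, or a long-lived 5.15.0-NNN package) will still look vulnerable by version alone; that is why a version-only hit is a WARN with a verification note, and only a loaded module turns it into a FAIL.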

Sudo Auditing

  • NOPASSWD detection — FAIL if any uncommented NOPASSWD entry exists in sudoers
  • GTFOBins scan — WARN for 20 binaries (vim, python, find, perl, bash, etc.) that allow a shell escape when invoked via sudo
  • Missing defaults — WARN if env_reset or secure_path is absent
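The three sudoers checks above, as an added example (not vulnScan's own code). The sudoers file is passed as an argument so the functions can be run on a copy; the binary list is a shortened stand-in for the 20 names the tool scans, and the sample sudoers content is constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not vulnScan's own code): a sudoers audit along the lines the
# release notes describe. The sudoers file(s) are passed as arguments so it can be
# run on a copy; the binary list is a shortened stand-in for the 20 the tool scans,
# and the sample sudoers content is constructed for this illustration.

SHELL_ESCAPE_BINS="vim vi nano less more find python python3 perl bash sh awk env"

# Drop comments and blank lines. "#include"/"#includedir" lines are dropped too, so
# pass /etc/sudoers.d/* explicitly when auditing a real host.
sudoers_clean() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$@"
}

# FAIL if any live (uncommented) NOPASSWD tag exists, otherwise PASS.
check_nopasswd() {
    if sudoers_clean "$@" | grep -q 'NOPASSWD'; then echo FAIL; else echo PASS; fi
}

# WARN naming each shell-escape binary that appears in a command spec, otherwise PASS.
# Matches bare names and the common absolute paths; "vim" does not match "vimdiff".
check_gtfobins() {
    local rules bin found=
    rules=$(sudoers_clean "$@" | grep '=' | grep -v '^[[:space:]]*Defaults' || true)
    for bin in $SHELL_ESCAPE_BINS; do
        if printf '%s\n' "$rules" |
            grep -Eq "(^|[[:space:]=,:])(/usr/bin/|/usr/local/bin/|/bin/)?$bin([[:space:],]|$)"; then
            found="$found $bin"
        fi
    done
    if [ -n "$found" ]; then echo "WARN shell-escape binaries:$found"; else echo PASS; fi
}

# WARN for each of env_reset / secure_path missing from a Defaults line, otherwise PASS.
# A negated "Defaults !env_reset" is reported as missing as well, which is the right call.
check_defaults() {
    local defaults opt missing=
    defaults=$(sudoers_clean "$@" | grep -E '^[[:space:]]*Defaults' || true)
    for opt in env_reset secure_path; do
        printf '%s\n' "$defaults" | grep -Eq "(^|[[:space:],])$opt([[:space:],=]|$)" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then echo "WARN missing Defaults:$missing"; else echo PASS; fi
}

audit_sudoers() {   # $@ = sudoers files
    echo "NOPASSWD:  $(check_nopasswd "$@")"
    echo "GTFOBins:  $(check_gtfobins "$@")"
    echo "Defaults:  $(check_defaults "$@")"
}

# Constructed sample sudoers (not from a real host): one live NOPASSWD rule, two
# shell-escape binaries, a commented-out rule that must not count, no secure_path.
write_sample_sudoers() {
    cat >"$1" <<'EOF'
# constructed sample sudoers
Defaults        env_reset
Defaults        mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/vim /etc/hosts
bob     ALL=(root) /usr/bin/find /var/log -name '*.log'
# carol ALL=(ALL) NOPASSWD: ALL
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

Comments are stripped before any pattern is applied, so the commented-out carol rule is not reported, while the live alice rule is both a NOPASSWD FAIL and a vim WARN.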

Linux File Capabilities

  • FAIL for cap_setuid / cap_sys_admin on any binary
  • WARN for cap_dac_override, cap_dac_read_search, cap_net_raw, cap_net_bind_service
  • Gracefully skipped if getcap is not installed
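The capability classification above, as an added example (not vulnScan's own code). It handles both getcap output styles, the current "/path cap_x=ep" form and the older "/path = cap_x+ep" form, takes the skip path when getcap is absent, and runs over constructed sample lines.

```shell
#!/usr/bin/env bash
# Added example (not vulnScan's own code): classify file capabilities from getcap
# output. Both libcap output styles are parsed: the current "/path cap_x=ep" form
# and the older "/path = cap_x+ep" form. The severity lists follow the release
# notes; the sample getcap lines are constructed for this illustration.

FAIL_CAPS="cap_setuid cap_sys_admin"
WARN_CAPS="cap_dac_override cap_dac_read_search cap_net_raw cap_net_bind_service"

# stdin: getcap -r output. Prints "PATH CAP,CAP,..." with the +ep/=ep flag suffix removed.
parse_getcap() {
    awk '{
        path = $1
        caps = ($2 == "=") ? $3 : $2        # old style has a lone "=" as field 2
        sub(/[=+][a-z]*$/, "", caps)        # drop the flag set (+ep, =ep, +eip)
        print path, caps
    }'
}

# Worst level among a comma-separated capability list: FAIL, WARN or OK.
cap_level() {
    local caps=$1 cap level=OK
    for cap in $(printf '%s' "$caps" | tr ',' ' '); do
        case " $FAIL_CAPS " in *" $cap "*) echo FAIL; return 0 ;; esac
        case " $WARN_CAPS " in *" $cap "*) level=WARN ;; esac
    done
    echo "$level"
}

# stdin: getcap -r output. Prints one "LEVEL PATH (CAPS)" line per flagged binary.
classify_caps() {
    local path caps level
    parse_getcap | while read -r path caps; do
        level=$(cap_level "$caps")
        [ "$level" = OK ] || echo "$level $path ($caps)"
    done
}

# Entry point for a live host: skip cleanly when getcap is absent (libcap tools
# are optional on many minimal images), otherwise scan the given tree.
audit_file_caps() {
    if ! command -v getcap >/dev/null 2>&1; then
        echo "SKIP getcap not installed"
        return 0
    fi
    getcap -r "${1:-/usr}" 2>/dev/null | classify_caps
}

# Constructed sample getcap output (not from a real host), mixing both styles.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/traceroute = cap_net_raw+ep
/usr/sbin/suspicious cap_setuid,cap_net_raw=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/harmless cap_chown=ep'

printf '%s\n' "$SAMPLE_GETCAP" | classify_caps
```

A binary carrying several capabilities is reported at the worst one it holds, so cap_setuid next to cap_net_raw is a FAIL, and a capability outside both lists (cap_chown here) produces no finding on its own.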

Other Changes

  • Added version_lt() version comparison helper (uses GNU sort -V, which is a version-string order rather than strict semver)
  • All prior module headers renumbered from 1/8–8/8 to 1/9–8/9
  • CLAUDE.md and README.md updated to reflect 9 categories

Full Changelog

v0.2.0...v0.3.0

v0.2.0 — apply-hardening.sh

18 May 23:17


What's New

apply-hardening.sh — companion remediation script

Run this after the audit to automatically apply the most common fixes:

sudo bash apply-hardening.sh

Applies 4 hardening steps in order:

  1. Kernel sysctl — writes /etc/sysctl.d/99-hardening.conf with ~15 hardened parameters and applies them live via sysctl --system (no reboot needed)
  2. SSH hardening — sets PermitRootLogin no, MaxAuthTries 3, X11Forwarding no; validates with sshd -t before restarting
  3. Password & lockout policy — minlen = 14 (pwquality), deny = 5 (faillock)
  4. Unnecessary services — disables cups, cups-browsed, avahi-daemon, bluetooth

Safe to re-run (idempotent). Creates timestamped backups before every edit.
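The SSH step above, with the backup and the sshd -t check, as an added example (not apply-hardening.sh's own code). The config path is a parameter so the step can be exercised on a scratch copy; the option values come from the release notes, while the service-restart command and the sample config are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not apply-hardening.sh's own code): an idempotent "set this sshd
# option" step with a timestamped backup and an sshd -t check before any restart.
# The config path is a parameter so the step can be exercised on a scratch copy;
# the option values come from the release notes, the service-restart command and
# the sample config are assumptions made for this illustration.

BACKED_UP=""

# One timestamped copy per file per run, taken only before the first real change.
backup_once() {
    case " $BACKED_UP " in *" $1 "*) return 0 ;; esac
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    BACKED_UP="$BACKED_UP $1"
}

# Ensure "key value" is set exactly once in the global section of an sshd_config:
#   already correct            -> nothing written (safe to re-run)
#   present, even commented    -> that line is rewritten in place
#   absent                     -> inserted before the first Match block, or appended
# Lines inside Match blocks are left alone: a setting appended after "Match" would
# apply only to that block, which is the classic way this edit goes wrong.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0; want = key " " value }
        /^[[:space:]]*Match[[:space:]]/ {
            if (!done) { print want; done = 1 }
            in_match = 1
        }
        !in_match && $0 ~ ("^[[:space:]]*#?[[:space:]]*" key "[[:space:]]") {
            if (!done)                       { print want; done = 1 }
            else if ($0 ~ /^[[:space:]]*#/)  { print }           # later commented copies stay
            else                             { print "#" $0 }    # later live duplicates are disabled
            next
        }
        { print }
        END { if (!done) print want }
    ' "$file" >"$tmp"
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        return 0
    fi
    backup_once "$file"
    cat "$tmp" >"$file"          # write through the existing inode: owner and mode are kept
    rm -f "$tmp"
}

# Syntax-check the candidate config; a broken sshd_config plus a restart is a lockout.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed; skipping syntax check" >&2
    fi
}

# The SSH step as a whole (service name is an assumption: sshd on RHEL-family, ssh on Debian-family).
harden_ssh() {
    local file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" X11Forwarding no
    validate_sshd_config "$file" || { echo "sshd -t failed; not restarting" >&2; return 1; }
    if [ "$file" = /etc/ssh/sshd_config ] && command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
    fi
}

# Constructed scratch config: a commented default, a live global value, and a Match block.
write_sample_sshd_config() {
    cat >"$1" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin prohibit-password
X11Forwarding yes
Match User backup
    X11Forwarding no
EOF
}

scratch=$(mktemp)
write_sample_sshd_config "$scratch"
for opt in "PermitRootLogin no" "MaxAuthTries 3" "X11Forwarding no"; do
    set_sshd_option "$scratch" $opt     # word-splitting on purpose: key and value
done
cat "$scratch"
rm -f "$scratch" "$scratch".bak.*
```

On the sample, the commented PermitRootLogin line is rewritten in place, MaxAuthTries is inserted before the Match block rather than after it, and the X11Forwarding line inside the Match block is left untouched; a second run writes nothing and takes no new backup.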

ShellCheck

Both scripts verified clean — zero warnings across vulnScan.sh and apply-hardening.sh.

Full Changelog

v0.1.0...v0.2.0