Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability might impact users or automated system that are building Falco from source.
Basically, it was noticed that some dependencies in the CMake-files were download via hard-coded HTTP links. Since the dowload happened via a clear-text connection, an attacker with Man-in-the-Middle capabilities could spoof the connection to dowload malicius content instead of the legitimate dependencies.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by #774 on Aug 17, 2019.
The patch is part of the 0.18.0 release.
Users who had built Falco from the source before the fix should build it again using a version of the source code either greater than or equal to 0.18.0 or that includes the above-mentioned patch.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can manually patch CMake-files ensuring all dependencies are pulled via HTTPS links.
References
Are there any links users can visit to find out more?
This vulnerability was initially reported in this security audit and it's identified by the ID FAL-01-004.
For more information
If you have any questions or comments about this advisory:
fntlnz Analyst
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability might impact users or automated system that are building Falco from source.
Basically, it was noticed that some dependencies in the CMake-files were download via hard-coded HTTP links. Since the dowload happened via a clear-text connection, an attacker with Man-in-the-Middle capabilities could spoof the connection to dowload malicius content instead of the legitimate dependencies.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by #774 on Aug 17, 2019.
The patch is part of the 0.18.0 release.
Users who had built Falco from the source before the fix should build it again using a version of the source code either greater than or equal to 0.18.0 or that includes the above-mentioned patch.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can manually patch CMake-files ensuring all dependencies are pulled via HTTPS links.
References
Are there any links users can visit to find out more?
This vulnerability was initially reported in this security audit and it's identified by the ID
FAL-01-004.For more information
If you have any questions or comments about this advisory: