Cockpit Machines vulnerable to ReDoS (CVE-2026-25547, CVE-2026-26996). Permanent fix guide: detection commands, bash automation, iptables, lab. No expiry.
On April 10, 2026, SUSE released a critical update for cockpit-machines (CVE-2026-25547, CVE-2026-26996). While the news cycle moved on, the underlying problem is not going away: the flaws live in two npm packages bundled into cockpit-machines' JavaScript (brace-expansion and minimatch), a regular expression denial of service (ReDoS) and an uncontrolled brace expansion. Any system still running a cockpit-machines build that bundles the affected versions remains vulnerable, whatever the age of the host.
This guide transforms that old advisory into a permanent action plan. You will learn how to detect, patch, or block these attacks forever.
1. What Actually Breaks?
CVE-2026-25547 (brace-expansion): An attacker feeds a string like {0..1000000} to the expansion routine. The library materialises every element of the range in memory, eating RAM and pinning a CPU core, and the process that hosts your VM management interface stalls or dies.
CVE-2026-26996 (minimatch): A crafted glob pattern (e.g., a long run of * followed by a literal, such as ***********************************************************a) is compiled to a regular expression that backtracks catastrophically. CPU goes to 100% and stays there until the process is killed; the input is a few dozen bytes.
Impact: denial of service. An attacker who can get a crafted pattern into the vulnerable code path knocks out the Cockpit web interface; no data theft, but the server becomes unmanageable until someone restarts the service. Cockpit normally requires a login before plugins run, so check your distribution's advisory for whether the affected path is reachable without authentication before you rate the exposure.
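Both bugs share one root cause: an attacker-controlled pattern reaches a library that does unbounded work on it. A cheap, patch-independent defence is to bound the pattern before the library ever sees it. The following is an added example (not code from the SUSE advisory, the cockpit-machines project, or either npm package); it assumes the pattern arrives as an untrusted string and that the limit values are tuned for your workload. It implements only the subset of glob syntax needed for the check (comma alternatives, `{x..y[..step]}` ranges, nesting, star runs); escaped braces are not handled.

```javascript
// Added example: bound a glob/brace pattern before handing it to
// brace-expansion or minimatch. Not from the advisory or the project.

// Illustrative limits; tune per workload (assumption, not a project default).
const DEFAULT_LIMITS = { maxExpansions: 1000, maxPatternLength: 256 };

// Size of a {start..end[..step]} range body, or null if `body` is not a range.
function rangeSize(body) {
  const m = /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/.exec(body);
  if (!m) return null;
  const toNum = (s) => (/^-?\d+$/.test(s) ? Number(s) : s.charCodeAt(0));
  const start = toNum(m[1]);
  const end = toNum(m[2]);
  const step = m[3] ? Math.abs(Number(m[3])) || 1 : 1;
  return Math.floor(Math.abs(end - start) / step) + 1;
}

// Estimate how many strings a brace pattern would expand to, WITHOUT
// expanding it. Sums comma alternatives, multiplies adjacent groups and
// nested groups. Returns Infinity for an unterminated '{'.
function estimateExpansionCount(pattern) {
  let i = 0;

  function parseGroup() {
    i++; // consume '{'
    let total = 0;      // sum over alternatives seen so far
    let current = 1;    // product inside the current alternative
    let literal = '';   // raw text of the current alternative (range check)
    let sawComma = false;
    while (i < pattern.length) {
      const ch = pattern[i];
      if (ch === '{') {
        current *= parseGroup();
        literal += '{}'; // nested group: cannot be a plain range any more
      } else if (ch === ',') {
        total += current;
        current = 1;
        literal = '';
        sawComma = true;
        i++;
      } else if (ch === '}') {
        i++;
        if (!sawComma) {
          const r = rangeSize(literal);
          if (r !== null) return r; // {1..100} style range
        }
        return total + current;
      } else {
        literal += ch;
        i++;
      }
    }
    return Infinity; // unterminated '{' -> treat as unbounded
  }

  let count = 1;
  while (i < pattern.length) {
    if (pattern[i] === '{') count *= parseGroup();
    else i++;
  }
  return count;
}

// Runs of '*' inside a path segment match the same strings as a single '*',
// but each extra star adds a backtracking branch once compiled to a regex.
// A segment that is entirely stars is kept as globstar ('**').
function collapseStars(pattern) {
  return pattern
    .split('/')
    .map((seg) => (/^\*{2,}$/.test(seg) ? '**' : seg.replace(/\*{2,}/g, '*')))
    .join('/');
}

// Gate to call before brace-expansion/minimatch. Returns {ok, reason} on
// rejection, or {ok, pattern} with the sanitised pattern to pass on.
function checkPattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string' || pattern.length > limits.maxPatternLength) {
    return { ok: false, reason: 'pattern missing or too long' };
  }
  const n = estimateExpansionCount(pattern);
  if (n > limits.maxExpansions) {
    return { ok: false, reason: `brace expansion would yield ${n} strings` };
  }
  return { ok: true, pattern: collapseStars(pattern) };
}

module.exports = { rangeSize, estimateExpansionCount, collapseStars, checkPattern };
```

Call `checkPattern(userInput)` and only pass `result.pattern` to the library when `result.ok` is true. The estimate is computed arithmetically, so a `{0..1000000}` payload is rejected in microseconds instead of being expanded; the star collapse removes the redundant branches that make the minimatch pattern expensive without changing what it matches.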
2. Check If You Are Vulnerable (Actual Commands)
Run these commands on Ubuntu 22.04/24.04, Rocky Linux 9, SUSE Linux Enterprise Micro 5.2/5.3.
Step 1: Is Cockpit Machines installed?
```bash
# Ubuntu / Rocky / SUSE: whichever package manager exists answers
dpkg -l 2>/dev/null | grep cockpit-machines || rpm -qa | grep cockpit-machines
```
Step 2: Check the installed version against your distribution's advisory
```bash
# Ubuntu
apt list --installed 2>/dev/null | grep cockpit-machines
# Rocky / SUSE
rpm -q cockpit-machines --queryformat "%{VERSION}-%{RELEASE}\n"
```
On SUSE Linux Enterprise 15 SP3 packaging (the 150300 release string), the fixed version is 249.1-150300.5.6.1; anything below it (249, 248, 240) is vulnerable. Do not apply that threshold blindly elsewhere: Ubuntu and Rocky ship cockpit-machines under their own, higher upstream version numbers and backport the fix, so compare against the version named in that distribution's own advisory.
Step 3: Measure the library directly (optional)
This exercises a standalone copy of brace-expansion, not the copy bundled inside the cockpit-machines plugin, so it tells you how the library behaves, not whether your package is patched; Step 2 remains the authoritative check. Create a directory, run npm install brace-expansion in it, then save test-redos.js:
```javascript
// test-redos.js: time the expansion the advisory describes.
// Run `npm install brace-expansion` in this directory first.
const expand = require('brace-expansion');

// Smaller than the advisory's {0..1000000} so the test stays cheap; scale up if you want
const pattern = '{0..100000}';
const t0 = process.hrtime.bigint();
let out;
try {
  out = expand(pattern);
} catch (e) {
  console.log(`Library refused the pattern: ${e.message}`);
  process.exit(0);
}
const ms = Number(process.hrtime.bigint() - t0) / 1e6;
const rssMb = (process.memoryUsage().rss / 1048576).toFixed(0);
console.log(`${out.length} results in ${ms.toFixed(1)} ms, RSS ${rssMb} MB`);
```
Run node test-redos.js (requires Node.js), note the time and memory, then npm install the current release of the package and run it again to compare.
3. Automation Script to Apply the Fix (Bash – All Major Distros)
Save as fix-cockpit-redos.sh and run as root.
```bash
#!/bin/bash
# Fix for CVE-2026-25547 and CVE-2026-26996: update cockpit-machines
# Works on Ubuntu/Debian, Rocky/RHEL/Alma, SUSE/openSUSE and SLE Micro
set -e
echo "=== Cockpit Machines ReDoS Fix ==="

# Detect OS
OS=unknown
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
fi

case "$OS" in
    ubuntu|debian)
        apt update
        apt install --only-upgrade -y cockpit-machines
        ;;
    rocky|rhel|almalinux|centos)
        dnf update -y cockpit-machines
        ;;
    sles|opensuse*)
        zypper refresh
        zypper update -y cockpit-machines
        ;;
    sle-micro)
        # SLE Micro has a read-only root; the update is staged and lands on the next reboot
        transactional-update pkg update cockpit-machines
        ;;
    *)
        echo "Unsupported OS ($OS). Manual update required."
        exit 1
        ;;
esac

# cockpit-machines is static web content served by cockpit-ws, so a restart is
# not strictly required; it is harmless and drops sessions holding the old bundle
systemctl restart cockpit.socket cockpit.service 2>/dev/null || true

echo "Update applied. Installed version:"
rpm -q cockpit-machines 2>/dev/null || dpkg-query -W -f='${Version}\n' cockpit-machines
echo "Compare it with the fixed version in your distribution's advisory."
```
4. Alternative Mitigation (If You Can't Update Now)
None of these options removes the bug: a single small request is enough to pin a core, so rate limiting only reduces how often an attacker can re-trigger it and resource caps only bound the damage. Treat them as a bridge until the package update lands.
Option A: Rate-limit connections with iptables
```bash
# Rate-limit NEW connections to Cockpit (default port 9090); established
# sessions are unaffected. The final DROP is required: without it the limit
# rule accepts a burst and everything else falls through to the default policy.
iptables -A INPUT -p tcp --dport 9090 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -m connlimit --connlimit-above 10 -j DROP
iptables -A INPUT -p tcp --dport 9090 -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP
```
On Rocky and SUSE the ruleset is owned by firewalld/nftables; express the same limits there rather than mixing raw iptables rules into a managed chain.
Option B: Reverse proxy with request timeout (nginx)
Add this to your nginx server block in front of Cockpit. Cockpit is a WebSocket application, so the Upgrade headers are mandatory; without them the login page loads but nothing behind it works. Also set Origins and ProtocolHeader in the [WebService] section of /etc/cockpit/cockpit.conf so Cockpit accepts the proxied origin.
```nginx
location / {
    proxy_pass http://127.0.0.1:9090;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    client_body_timeout 3s;
    client_max_body_size 64k;   # ReDoS strings are small but deadly; a 1k cap blocks nothing useful and breaks normal POSTs
    proxy_read_timeout 90s;     # a 5s value kills every idle WebSocket; keep it above Cockpit's idle gaps
}
```
Then systemctl restart nginx. Be clear about what this buys you: the timeouts bound the client connection, not the backend. A process already spinning on a crafted pattern keeps spinning after nginx drops the client.
Option C: AppArmor profile to cap memory (advanced)
```
# /etc/apparmor.d/usr.libexec.cockpit-ws
# The binary path differs by distro (e.g. /usr/lib/cockpit/cockpit-ws on
# Debian/Ubuntu); take it from the ExecStart line of `systemctl cat cockpit.service`
profile cockpit-ws /usr/libexec/cockpit-ws {
  # ... standard file and network rules for cockpit-ws go here ...
  set rlimit as <= 500M,
  set rlimit cpu <= 30,
}
```
Load it with apparmor_parser -r /etc/apparmor.d/usr.libexec.cockpit-ws. Two caveats: AppArmor rlimit lines need the <= operator, and rlimit cpu counts cumulative CPU seconds over the life of the process, so a 30 s cap on the long-running cockpit-ws will eventually kill it under ordinary use, a self-inflicted outage. Keep the address-space cap, and if you want a CPU ceiling use a systemd drop-in on cockpit.service (CPUQuota=) which throttles instead of killing.
5. Hands-on Lab: Reproduce & Fix in a Safe VM
Goal: Reproduce the resource exhaustion in the vulnerable dependency inside a throwaway container, then patch it. This simulates the dependency, not a full Cockpit install.
Requirements:
- Docker or Podman
- 2GB RAM, 2 CPU cores
Step-by-step:
1. Start a throwaway Node.js container with the vulnerable dependency (simulated: Alpine ships no Cockpit package, and a plain image with no command would exit immediately; the point is the vulnerable library version the advisory names)
```bash
docker run -d --name vulnerable-cockpit node:20-alpine sleep infinity
# Pin brace-expansion to 1.1.11 (vulnerable per the advisory) in a local project
docker exec vulnerable-cockpit sh -c \
  'mkdir -p /lab && cd /lab && npm init -y >/dev/null && npm install brace-expansion@1.1.11'
```
2. Launch the attack (from another terminal). There is no HTTP endpoint in this container, so drive the library directly with the payload from CVE-2026-25547:
```bash
# CVE-2026-25547 simulation
docker exec -w /lab vulnerable-cockpit sh -c \
  "time node -e \"require('brace-expansion')('{0..1000000}'); console.log('expanded')\""
```
Observe the CPU and memory spike with docker stats vulnerable-cockpit.
3. Apply the fix
```bash
docker exec -w /lab vulnerable-cockpit npm install brace-expansion@1
docker exec -w /lab vulnerable-cockpit npm ls brace-expansion
```
4. Verify: repeat step 2 and compare the elapsed time and peak memory against the first run.
6. Why This Matters
You cannot manually audit every Node.js dependency for ReDoS. The practical answer is tooling in the pipeline: dependency scanning (npm audit or an SCA scanner) to flag known-vulnerable versions such as the two above, and a regex linter or static analysis pass to catch catastrophic-backtracking patterns in your own code before deploy.
Suggested reading:
Node.js Cookbook: Practical Recipes for Backend Security by Bethany Griggs (Red Hat Engineer) - Amazon.
Why it solves the ReDoS problem: Chapter 7 ("Defending Against Regular Expression Attacks") includes a complete ReDoS detection function in 20 lines of code. Also covers brace-expansion pitfalls (CVE-2026-25547 root cause).
The Web Application Hacker's Handbook Blue cover - Amazon
The Web Application Hacker's Handbook Green cover - Amazon
7. Conclusion & Your Next Step
You now have a permanent checklist:
- Detection commands
- Update script for Ubuntu/Rocky/SUSE
- Firewall mitigation
- A lab to practice
Don't wait for the next CVE. ReDoS attacks are forever.