{"uuid": "7632986e-7a68-4f87-8766-c08cd7c58a51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-3174", "type": "seen", "source": "https://gist.github.com/adegoodyer/4ac687c6d25980f02401cab22a2f9f9e", "content": "# Copy Fail Blocker\n- [Copy Fail Blocker](#copy-fail-blocker)\n  - [Overview](#overview)\n  - [Issue](#issue)\n  - [Resources](#resources)\n  - [Check Vulnerability](#check-vulnerability)\n  - [Deploy Copy Fail Blocker Viability](#deploy-copy-fail-blocker-viability)\n  - [Deploy Copy Fail Blocker](#deploy-copy-fail-blocker)\n  - [Remove Copy Fail Blocker](#remove-copy-fail-blocker)\n\n## Overview\n- BPF-LSM mitigation for the copy fail vulnerability (CVE-2024-3174) in the Linux kernel\n- DaemonSet attaches a single BPF-LSM program to the socket_create hook on every node\n- [GitHub: copy-fail-blocker](https://github.com/cozystack/copy-fail-blocker)\n\n## Issue\n- AWS hasn't yet released an AMI that includes an upstream fix\n- upgrading to the latest AMI version still ships kernel `kernel6.12-6.12.79-101.147.amzn2023`, which is still vulnerable\n\n## Resources\n- [AWS Containers Roadmap](https://github.com/aws/containers-roadmap/issues/2808)\n- [ALSC Status updates](https://explore.alas.aws.amazon.com/CVE-2026-31431.html)\n\n## Check Vulnerability\n```bash\n# ssh into any EKS node\n\n# check for the copy fail vulnerability: an unprivileged AF_ALG socket should be refused on a protected node\npython3 -c '\nimport socket\ntry:\n    socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)\n    print(\"FAIL: AF_ALG socket created - not protected\")\nexcept OSError as e:\n    print(\"OK:\", e)'\n\n# FAIL: AF_ALG socket created - not protected\n```\n\n## Deploy Copy Fail Blocker Viability\n```bash\n# check that BPF LSM is compiled into the kernel\ngrep CONFIG_BPF_LSM /boot/config-$(uname -r)\n# CONFIG_BPF_LSM=y\n\n# check that bpf is in the active LSM stack\ncat /sys/kernel/security/lsm\n# lockdown,capability,landlock,yama,safesetid,selinux,bpf,ima\n```\n\n## Deploy Copy Fail Blocker\n```bash\n# deploy copy fail blocker\nk apply -f https://raw.githubusercontent.com/cozystack/copy-fail-blocker/v0.2.1/manifests/copy-fail-blocker.yaml\n\n# verify rollout\nk -n kube-system rollout status daemonset/copy-fail-blocker\n\n# verify copy fail is blocked\npython3 -c '\nimport socket\ntry:\n    socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)\n    print(\"FAIL: AF_ALG socket created - not protected\")\nexcept OSError as e:\n    print(\"OK:\", e)'\n\n# OK: [Errno 1] Operation not permitted\n```\n\n## Remove Copy Fail Blocker\n- remove once an AMI with the fix has been released\n\n```bash\n# remove copy fail blocker\nk delete -f https://raw.githubusercontent.com/cozystack/copy-fail-blocker/v0.2.1/manifests/copy-fail-blocker.yaml\n```\n", "creation_timestamp": "2026-05-06T10:35:54.000000Z"}