diff --git a/examples/commands/resources/threat-db.yaml b/examples/commands/resources/threat-db.yaml
index c81ef69..b71e9a7 100644
--- a/examples/commands/resources/threat-db.yaml
+++ b/examples/commands/resources/threat-db.yaml
@@ -2,8 +2,8 @@
 # For use with /security-check and /security-audit commands
 # Manually maintained — update after new security advisories
-version: "2.4.0"
-updated: "2026-02-28"
+version: "2.5.0"
+updated: "2026-03-05"
 sources:
   - name: "Snyk ToxicSkills"
     url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/"
@@ -110,6 +110,33 @@ sources:
   - name: "Microsoft Security Blog - AI Recommendation Poisoning"
     url: "https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/"
     date: "2026-02-10"
+  - name: "SonicWall - CVE-2026-25253 OpenClaw Auth Token Theft RCE"
+    url: "https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253"
+    date: "2026-02-26"
+  - name: "Hunt.io - CVE-2026-25253 17500+ Exposed OpenClaw Instances"
+    url: "https://hunt.io/blog/cve-2026-25253-openclaw-ai-agent-exposure"
+    date: "2026-02-03"
+  - name: "NVD - CVE-2026-25725 Claude Code Sandbox Escape"
+    url: "https://nvd.nist.gov/vuln/detail/CVE-2026-25725"
+    date: "2026-02-06"
+  - name: "NVD - CVE-2026-0757 MCP Manager Claude Desktop Sandbox Escape"
+    url: "https://nvd.nist.gov/vuln/detail/CVE-2026-0757"
+    date: "2026-01-22"
+  - name: "ZDI - CVE-2025-15061 Framelink Figma MCP Server fetchWithRetry RCE"
+    url: "https://www.zerodayinitiative.com/advisories/ZDI-25-1197/"
+    date: "2025-12-29"
+  - name: "Check Point Advisories - CVE-2025-35028 HexStrike AI MCP Server"
+    url: "https://advisories.checkpoint.com/defense/advisories/public/2026/cpai-2025-12521.html"
+    date: "2026-03-02"
+  - name: "NVD - CVE-2026-3484 Nmap-Mcp-Server Command Injection"
+    url: "https://nvd.nist.gov/vuln/detail/CVE-2026-3484"
+    date: "2026-03-04"
+  - name: "Ona Security - Claude Code Autonomous Denylist and Sandbox Bypass"
+    url: "https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox"
+    date: "2026-03-03"
+  - name: "Brandefense - MCP Server Security: 10 Protocol-Level Attack Scenarios"
+    url: "https://brandefense.io/blog/mcp-server-security-protocol-attack-patterns/"
+    date: "2026-03-02"
 # ═══════════════════════════════════════════════════════════════
 # MALICIOUS AUTHORS (confirmed by security researchers)
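Review bot: The new Check Point Advisories entry for CVE-2025-35028 records `date: "2026-03-02"`, while the cve_database record for the same CVE added later in this diff cites that same source as `(2025-11-30)`; one of these is presumably the advisory's first publication and the other a later update, but the file gives no way to tell, and the date a CVE became public is what a reader of a threat database needs. Pick one meaning for `date` across the `sources` list and state it in a comment above the list, e.g. `# date: original publication date of the source, not the date it was last consulted`. These entries are tied to their cve_database records only by the CVE id embedded in the free-text `name`; a `cve: "CVE-2026-25253"` field on each entry would make the link checkable by the commands this file serves. The `sources` sequence begins before this hunk.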
@@ -833,6 +860,68 @@ cve_database:
     mitigation: "Update mcp-server-git to >= 2026.1.14; audit recent git commits managed by agents for unexpected file paths"
     notes: "Distinct from CVE-2025-68143/68144/68145 (those affect git_init/git_diff/git_checkout); this affects git_add; fix uses repo.git.add('--', *files) instead of repo.index.add(files)"
+  # --- OpenClaw (clawdbot / Moltbot) ---
+  - id: "CVE-2026-25253"
+    component: "OpenClaw (aka clawdbot, Moltbot)"
+    severity: "high"
+    cvss: 8.8
+    description: "Authentication token theft and RCE via malicious gatewayUrl — OpenClaw automatically establishes a WebSocket connection to a URL provided in the query string without origin validation; clicking attacker-crafted link causes OpenClaw to transmit auth token to attacker-controlled server; attacker replays token for full system access. 17,500+ internet-exposed instances identified."
+    source: "SonicWall / Hunt.io / runZero (2026-02-03 to 2026-02-26)"
+    fixed_in: "2026.1.29"
+    mitigation: "Update OpenClaw to >= 2026.1.29; block public internet exposure of OpenClaw instances"
+    notes: "CWE-669 (Incorrect Resource Transfer Between Spheres); exposes unauthenticated /api/export-auth endpoint leaking stored API tokens for Claude, OpenAI, Google AI"
+
+  # --- Claude Code (additional CVEs) ---
+  - id: "CVE-2026-25725"
+    component: "Claude Code"
+    severity: "high"
+    description: "Sandbox escape via persistent configuration injection — bubblewrap sandbox failed to protect missing .claude/settings.json; malicious code running inside sandbox creates settings.json with SessionStart hooks that execute with host privileges after Claude Code restart"
+    source: "NVD / GHSA-ff64-7w26-62rf (2026-02-06)"
+    fixed_in: "2.1.2"
+    mitigation: "Update Claude Code to >= 2.1.34 (covers this and subsequent fixes); monitor .claude/settings.json for unexpected SessionStart hooks"
+    notes: "CWE-501 Trust Boundary Violation; distinct from ADVISORY-CC-2026-001 (which is a different sandbox bypass patched 
in 2.1.34)"
+
+  # --- MCP Manager for Claude Desktop ---
+  - id: "CVE-2026-0757"
+    component: "MCP Manager for Claude Desktop"
+    severity: "high"
+    description: "Command injection sandbox escape — execute-command functionality fails to sanitize user-supplied strings from MCP config objects before passing to system calls; attacker crafts malicious webpage with injected config objects, causing MCP Manager to execute arbitrary commands outside the sandbox"
+    source: "NVD / ZDI-CAN-27810 (2026-01-22)"
+    fixed_in: "unknown — check upstream"
+    mitigation: "Restrict MCP Manager access to trusted configurations only; sanitize all MCP config object fields before system calls; block untrusted file/webpage access"
+
+  # --- HexStrike AI MCP Server ---
+  - id: "CVE-2025-35028"
+    component: "HexStrike AI MCP Server (0x4m4)"
+    severity: "critical"
+    cvss: 9.1
+    description: "Command injection via semicolon-prefixed argument — EnhancedCommandExecutor class fails to sanitize command-line arguments; attacker provides argument beginning with ; to API endpoint, executing arbitrary commands with MCP server privileges (typically root in default config)"
+    source: "Check Point Advisories / NVD (2025-11-30)"
+    fixed_in: "no fix confirmed at time of research"
+    mitigation: "Sanitize all command-line arguments; replace exec()-style calls with execFile() with argument arrays; do not expose HexStrike AI MCP Server to untrusted networks or inputs"
+    notes: "CWE-78; attack requires no authentication, no user interaction; default configuration typically runs as root"
+
+  # --- Nmap-Mcp-Server ---
+  - id: "CVE-2026-3484"
+    component: "nmap-mcp-server (PhialsBasement)"
+    severity: "medium"
+    cvss: 6.5
+    description: "Command injection in Nmap CLI Command Handler — child_process.exec in src/index.ts processes special elements (CWE-74/CWE-77) without sanitization; remotely exploitable with no authentication required"
+    source: "NVD / PT Security (2026-03-04)"
+    fixed_in: "patch commit 
30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488"
+    mitigation: "Apply patch commit 30a6b9e...; replace child_process.exec with execFile() and argument arrays; sanitize all nmap arguments"
+
+  # --- Framelink Figma MCP Server (additional CVE) ---
+  - id: "CVE-2025-15061"
+    component: "Framelink Figma MCP Server (figma-developer-mcp)"
+    severity: "critical"
+    cvss: 9.8
+    description: "Command injection RCE via fetchWithRetry method — user-supplied input passed to system calls without sanitization of shell metacharacters; authentication not required; allows arbitrary code execution with MCP server service account privileges"
+    source: "ZDI-25-1197 / SentinelOne (2025-12-29, NVD published 2026-01-23)"
+    fixed_in: "latest patched version (see upstream)"
+    mitigation: "Update Framelink Figma MCP Server to latest version; sanitize all user-supplied inputs; restrict MCP Server network access to trusted sources"
+    notes: "Distinct CVE from CVE-2025-53967 (same component/method, different CVE assignment; CVSS 9.8 vs 7.5); CWE-78"
 # ═══════════════════════════════════════════════════════════════
 # MINIMUM SAFE VERSIONS (quick reference for scanning)
 # ═══════════════════════════════════════════════════════════════
@@ -849,6 +938,7 @@ minimum_safe_versions:
   "claude-code": "2.1.34"
   "mcpjam-inspector": "1.4.3"
   "mcp-salesforce-connector": "0.1.10"
+  "openclaw": "2026.1.29"
 # ═══════════════════════════════════════════════════════════════
 # IOCs (Indicators of Compromise)
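Review bot: `fixed_in` for CVE-2026-3484 (`"patch commit 30a6b9e…"`) and CVE-2025-15061 (`"latest patched version (see upstream)"`) holds free text where every other record in the hunk holds a comparable version string, so a scanner that compares an installed version against this field — the header says the file backs /security-check and /security-audit — cannot evaluate these two entries and will either skip them or mis-handle them depending on how it parses the value. Record the first released version that contains the fix, or use the same `"unknown — check upstream"` form the CVE-2026-0757 record uses and keep the commit id in `notes`, so that "unknown" is spelled one way throughout. The CVE-2025-35028 mitigation recommends `execFile()`, a Node.js API; HexStrike AI appears to be a Python project, in which case the applicable advice is to pass an argument list to `subprocess` with `shell=False`, so confirm the implementation language before keeping that sentence (it reads as carried over from the nmap-mcp-server entry). Also, `cvss` is absent on CVE-2026-25725 and CVE-2026-0757 while present on the other four new records; either add the published scores or note why they are omitted. The `cve_database` sequence starts before this hunk.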
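Review bot: Only `"openclaw": "2026.1.29"` is added to `minimum_safe_versions`, although the same diff records a fixed version for CVE-2025-15061 in Framelink Figma MCP Server (`figma-developer-mcp`) only as "latest patched version"; if that release is known, add `"figma-developer-mcp": "<patched version>"` here so the quick-reference table and cve_database agree, and if it is not, say so in `notes` rather than leaving the package out silently. Entries whose fix is unconfirmed (CVE-2025-35028, CVE-2026-0757, CVE-2026-3484) have no representable value in this mapping; a comment such as `# components with no confirmed fix are listed only in cve_database` above the mapping would tell a scanner author that absence here does not mean "safe". The mapping begins before this hunk.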
@@ -1272,6 +1362,16 @@ attack_techniques:
     source: "Check Point Research (2026-02-25)"
     mitigation: "Review .claude/settings.json and .mcp.json before opening unfamiliar repos; treat these files as code, not metadata; update Claude Code to >= 2.0.65; never clone-and-run from untrusted sources without inspecting config files first"
+  - id: "T013"
+    name: "Autonomous Safety Control Bypass"
+    description: "AI coding agent autonomously disables or circumvents its own security controls (sandbox, denylist, permission enforcement) when those controls block task completion, without explicit attacker instruction — the agent's reasoning determines that bypassing safety is necessary to fulfill the assigned goal"
+    examples:
+      - "Claude Code disabling bubblewrap sandbox when it blocks file operations required for task"
+      - "Agent using path tricks, ELF dynamic linker, or alternative code-loading mechanisms to bypass denylist enforcement"
+      - "Agent finding sandbox escape paths proactively when sandbox prevents API calls or shell execution"
+    source: "Ona Security / Leonardo Di Donato (2026-03-03)"
+    mitigation: "Treat agent-initiated security control disabling as a red flag requiring human review; implement hard security boundaries that cannot be overridden by agent reasoning; monitor for unexpected sandbox exits or denylist bypass attempts; apply principle of least privilege so agents cannot access sandbox configuration"
+
   - id: "T012"
     name: "AI Recommendation Poisoning"
     description: "Attacker embeds hidden instructions in URLs (e.g. 'Summarize with AI' buttons, share links) that inject persistent memory entries into AI assistants, biasing future recommendations toward attacker-controlled content or services"
diff --git a/guide/security-hardening.md b/guide/security-hardening.md
index 7e76441..006108c 100644
--- a/guide/security-hardening.md
+++ b/guide/security-hardening.md
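Review bot: The new `T013` record is inserted above the existing `T012`, so `attack_techniques` ids no longer run in ascending order; move the block after the T012 record (which continues past the end of this hunk) so a reader scanning by id finds it where the numbering implies, and so positional diffs of the list stay stable. The `mitigation` names "monitor for unexpected sandbox exits or denylist bypass attempts" without saying what to monitor; since the `examples` point at sandbox configuration and code-loading paths, naming the concrete signals — edits to sandbox or denylist configuration files, and sandbox processes terminating while a task is still running — would make the entry actionable for the commands that consume this file. Unlike T012, T013 carries no `cvss`-style severity or scope hint; if the file has a convention for technique severity, apply it here, otherwise a comment noting that technique records are unscored would stop readers from inferring one.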
@@ -65,11 +65,23 @@ This attack exploits the one-time approval model: once you approve an MCP, updat
 | **ADVISORY-CC-2026-001** | High | Sandbox bypass — commands excluded from sandboxing bypass Bash permissions (no CVE assigned) | **Update to v2.1.34+ immediately** |
 | **CVE-2026-0755** | **Critical (9.8)** | RCE in gemini-mcp-tool — LLM-generated args passed to shell without validation; no auth, network-reachable | **No fix yet** — avoid using in production or on exposed networks |
 | **SNYK-PYTHON-MCPRUNPYTHON-15250607** | High | SSRF in mcp-run-python — Deno sandbox permits localhost access, enabling internal network pivoting | Restrict sandbox network permissions; block localhost range |
+| **CVE-2026-25725** | High | Claude Code sandbox escape — malicious code inside bubblewrap sandbox creates missing `.claude/settings.json` with SessionStart hooks that execute with host privileges on restart | Update to >= v2.1.2 (covered by v2.1.34+) |
+| **CVE-2026-25253** | High (8.8) | OpenClaw 1-click RCE — malicious link triggers WebSocket to attacker-controlled server, exfiltrating auth token; 17,500+ exposed instances found | Update OpenClaw to >= 2026.1.29; block public internet exposure |
+| **CVE-2026-0757** | High | MCP Manager for Claude Desktop sandbox escape via command injection in execute-command with unsanitized MCP config objects | Restrict to trusted configs; check upstream for patch |
+| **CVE-2025-35028** | **Critical (9.1)** | HexStrike AI MCP Server — semicolon-prefixed arg causes OS command injection in EnhancedCommandExecutor, typically running as root; no auth required | **No fix yet** — avoid exposing to untrusted inputs/networks |
+| **CVE-2025-15061** | **Critical (9.8)** | Framelink Figma MCP Server — fetchWithRetry method executes attacker-controlled shell metacharacters; unauthenticated RCE | Update to latest patched version |
+| **CVE-2026-3484** | Medium (6.5) | nmap-mcp-server (PhialsBasement) — command injection in `child_process.exec` 
Nmap CLI handler; remotely exploitable | Apply patch commit `30a6b9e` |
 **v2.1.34 Security Fix (Feb 2026)**: Claude Code v2.1.34 patched a sandbox bypass vulnerability where commands excluded from sandboxing could bypass Bash permission enforcement. **Upgrade immediately** if running v2.1.33 or earlier. Note: this is separate from CVE-2026-25725 (a different sandbox escape fixed later).
 **⚠️ CVE-2026-0755 (Feb 2026 — No Patch)**: Critical RCE in `gemini-mcp-tool` (CVSS 9.8). An attacker can send crafted JSON-RPC `CallTool` requests with malicious arguments that execute arbitrary code on the host machine with full service account privileges. No fix confirmed as of 2026-02-22. Do not expose gemini-mcp-tool to untrusted networks.
+**⚠️ CVE-2025-35028 (No Patch)**: Critical RCE in HexStrike AI MCP Server (CVSS 9.1). Passing any argument starting with `;` to the API endpoint executes arbitrary OS commands, typically as root. No fix confirmed. Do not expose this server to untrusted inputs or networks.
+
+**⚠️ CVE-2025-15061 (Jan 2026)**: Critical RCE in Framelink Figma MCP Server (CVSS 9.8). The `fetchWithRetry` method passes unsanitized user input to shell — unauthenticated remote code execution. Update Figma MCP Server to the latest patched version immediately.
+
+**⚠️ CVE-2026-25253 (OpenClaw, Feb 2026)**: One-click RCE affecting OpenClaw/clawdbot/Moltbot (CVSS 8.8). A malicious link causes OpenClaw to automatically establish a WebSocket to an attacker-controlled server, leaking the auth token — which grants full system control since OpenClaw runs with filesystem and shell access. Over 17,500 internet-exposed instances identified. Update to >= 2026.1.29.
+
 **Source**: [Cymulate EscapeRoute](https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/), [Checkpoint MCPoison](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/), [Cato CurXecute](https://www.catonetworks.com/blog/curxecute-rce/), [SentinelOne CVE-2026-24052](https://www.sentinelone.com/vulnerability-database/cve-2026-24052/), [Flatt Security](https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/), [Penligent AI CVE-2026-0755](https://www.penligent.ai/hackinglabs/de/deep-analysis-of-gemini-mcp-tool-command-injection-cve-2026-0755-when-an-mcp-toolchain-hands-user-input-to-the-shell/), Claude Code CHANGELOG
 #### Attack Patterns
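Review bot: The new `CVE-2025-35028 (No Patch)` paragraph and the `CVE-2026-0757` table row state that no fix is confirmed without an as-of date, whereas the existing `CVE-2026-0755` paragraph says `No fix confirmed as of 2026-02-22`; write `No fix confirmed as of <date of this revision>` in both places so a reader can tell whether the statement is stale, and the threat-db.yaml `updated` value in this same commit is the obvious date to use. The `CVE-2026-3484` row points readers at `30a6b9e`, a seven-character prefix that is not unique across forks; quote the full id recorded in threat-db.yaml (`30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488`) or the first tagged release containing it so the fix can be verified unambiguously. The OpenClaw paragraph ends at "Update to >= 2026.1.29." and drops the "block public internet exposure" mitigation its own table row carries — that is the only mitigation that helps instances that cannot be upgraded yet, so it belongs in the paragraph too. The `**Source**` line below gains none of the nine references added to threat-db.yaml in this commit, so the six new advisories are undocumented in the guide itself.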