open/claude-code-complete-agent
1
0
Fork 0
Code Activity Actions
claude-code-complete-agent/security/cve-mitigation-map.md
Kjell Tore Guttormsen 841cd32c66 feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence 
Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 23:58:59 +02:00

101 lines
5.1 KiB
Markdown
Raw Blame History

# CVE-to-Mitigation Map
How Claude Code's architecture and configuration defend against
each OpenClaw CVE disclosed in March 2026. Each row links a
specific vulnerability to the defense mechanism and where it
is configured in this repository.
## Mapping
| CVE | CVSS | Attack | Claude Code defense | Where configured | Defense type |
|-----|------|--------|-------------------|------------------|-------------|
| CVE-2026-22172 | 9.9 | Client self-declares admin scope | Single-user architecture — no scope model, no multi-user auth layer | Architecture (inherent) | Eliminated |
| CVE-2026-25253 | 8.8 | WebSocket hijack (one-click RCE) | No gateway, no listening port, no WebSocket server | Architecture (inherent) | Eliminated |
| CVE-2026-22171 | 8.2 | Arbitrary file write via media path traversal | `pre-write-pathguard.mjs` blocks writes to sensitive paths; settings.json deny list blocks destructive commands | llm-security hook + `.claude/settings.json` | Blocked |
| CVE-2026-32048 | 7.5 | Sandbox child process escape | Scoped Bash permissions (16 specific commands, not `Bash(*)`); `pre-bash-destructive.mjs` blocks dangerous patterns | `.claude/settings.json` allow list + llm-security hook | Blocked |
| CVE-2026-32025 | 7.5 | Brute force on localhost auth | No authentication endpoint — single-user, no network service | Architecture (inherent) | Eliminated |
| CVE-2026-32049 | 7.5 | DoS via oversized media payload | No media ingestion endpoint — files processed locally, no upload handler | Architecture (inherent) | Eliminated |
| CVE-2026-32032 | 7.0 | Shell injection via SHELL env variable | `pre-bash-destructive.mjs` validates commands; scoped Bash permissions restrict allowed executables | llm-security hook + `.claude/settings.json` | Blocked |
| CVE-2026-29607 | 6.4 | Approve-then-swap (approval bypass) | Deterministic hook validation on every call (no cached approvals); `post-mcp-verify.mjs` scans all tool output | llm-security hooks | Blocked |
| CVE-2026-28460 | 5.9 | Line-continuation allowlist bypass | Permission matching in settings.json is not regex-based; hooks validate the actual command, not a display string | `.claude/settings.json` + hooks | Blocked |
## Defense layers
Claude Code's security is layered. No single mechanism is
sufficient alone:
```
Layer 1: Architecture
└─ No gateway, no ports, no multi-user auth
└─ Eliminates: CVE-22172, CVE-25253, CVE-32025, CVE-32049
Layer 2: Permission model (settings.json)
└─ Scoped Bash grants (16 specific commands)
└─ 26-pattern deny list
└─ Write/Edit require explicit user approval
└─ Mitigates: CVE-32048, CVE-28460
Layer 3: Hook enforcement (llm-security plugin)
└─ PreToolUse: block before execution
└─ PostToolUse: scan output after execution
└─ UserPromptSubmit: block prompt injection
└─ Mitigates: CVE-22171, CVE-32032, CVE-29607, CVE-30741
Layer 4: Runtime monitoring (llm-security plugin)
└─ Session guard: sliding window anomaly detection
└─ MCP verify: description drift + volume tracking
└─ Supply chain: package audit on every install
└─ Detects: compound attack chains, slow exfiltration
```
## What this does NOT cover
- **Kernel-level isolation:** NemoClaw (Landlock, seccomp, netns)
provides stronger containment than hooks. Hooks prevent the
agent from *attempting* dangerous operations; kernel isolation
contains the damage if prevention fails.
- **Multi-tenant separation:** Claude Code is single-user. For
multi-tenant scenarios, each user needs their own instance.
- **Network egress filtering:** Claude Code communicates with
Anthropic's API over HTTPS. It does not restrict other outbound
connections. Use OS-level firewall rules for egress control.
## Prompt injection (CVE-2026-30741)
Not in the original 9 CVEs but documented in OpenClaw's security
advisories. The llm-security plugin provides 3-layer defense:
1. **Input scanning** (`pre-prompt-inject-scan.mjs`): Blocks
injection patterns in user prompts before the LLM sees them.
Configurable: block, warn, or off.
2. **Output scanning** (`post-mcp-verify.mjs`): Scans ALL tool
output for injection attempts, HTML content traps, and
suspicious patterns. Catches injection via MCP tool responses.
3. **Session pattern detection** (`post-session-guard.mjs`):
Detects the "lethal trifecta" — untrusted input combined with
sensitive data access and an exfiltration sink — using a
sliding window of 20 tool calls.
## Supply chain (ClawHub malware)
Not a CVE but a documented incident: 824 malicious skills found
in ClawHub marketplace (the ClawHavoc campaign). The llm-security
plugin's `pre-install-supply-chain.mjs` hook covers 7 package
managers with:
- Per-ecosystem blocklists for known malicious packages
- Age gate (packages < 72 hours old are flagged)
- npm audit integration (critical = block, high = warn)
- PyPI API inspection for suspicious metadata
- Levenshtein-based typosquat detection
- OSV.dev batch API for known vulnerabilities
## Sources
CVE data from NVD and OpenClaw security advisories (March 2026).
See `openclaw-security-assessment.md` for full analysis with
statistics and category-by-category comparison.
View git blame Copy permalink