19% of popular Docker images have no root password

Last Saturday, May 18, Jerry Gamblin of Kenna Security checked the 1000 most popular images on Docker Hub for the root password they ship with. In 19% of cases there was none at all.


Backstory: Alpine

The impetus for this small study was the Talos vulnerability report published earlier this month (TALOS-2019-0782), in which, thanks to research by Peter Adkins of Cisco Umbrella, it was reported that the Docker images of the popular Alpine Linux distribution ship with no root password:

"Versions of the official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability is the result of a regression introduced in December 2015. Due to the nature of the issue, systems deployed using affected versions of the Alpine Linux container which utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user."

The Alpine Docker image versions tested for the problem include 3.3 through 3.9 and the latest edge release.

The authors gave affected users the following recommendation:

"The root account must be explicitly disabled in Docker images built from affected versions of Alpine. The likelihood of exploiting the vulnerability depends on the environment, since successful exploitation requires an exposed service or application that uses Linux PAM or a similar mechanism."

The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (snapshot 20190228); owners of affected images were asked either to comment out the root line in /etc/shadow or to make sure the linux-pam package is absent from the image.

On to Docker Hub

Jerry Gamblin decided to find out "how common the practice of using null passwords in containers might be". To that end he wrote a small Bash script whose logic is quite simple:

  • a curl request to the Docker Hub API retrieves the list of Docker images hosted there;
  • jq sorts the list by the popularity field, and only the first thousand results are kept;
  • docker pull is run for each of them;
  • for each image pulled from Docker Hub, docker run is executed to read the first line of /etc/shadow;
  • if that line equals root:::0:::::, the image name is written to a separate file.
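The scan described in the list above, together with the remediation from the Alpine advisory (lock the root entry in /etc/shadow), as an added shell example. This is not Jerry Gamblin's script: the Docker Hub listing step is left out because that API has changed since 2019, so image names are read from stdin instead, and scan_image assumes a working docker CLI. The sample shadow contents are constructed for the stand-alone run. Unlike the original exact match on root:::0:::::, the check here generalises to any root entry whose password field is empty, whatever the aging fields contain.

```shell
#!/usr/bin/env bash
# Added example reconstructing the scan described above, plus the remediation
# from the Alpine advisory. Not Jerry Gamblin's script. The Docker Hub listing
# step is omitted (that API has changed); image names are read from stdin.
# scan_image assumes a working docker CLI; everything else runs offline.

# Exit 0 when the root entry in the given /etc/shadow contents has an empty
# password field (second colon-separated field). Unlike an exact match on
# "root:::0:::::", this also catches e.g. "root::18000:0:99999:7:::".
# Hashed, "!"-locked and "*"-locked entries, and a missing root line, exit 1.
shadow_root_is_empty() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" && $2 == "" { found = 1 }
        END { exit !found }'
}

# Remediation: lock root by writing "!" into an empty password field.
# Prints the rewritten shadow contents; nothing else is touched.
# In a Dockerfile the same edit is:  RUN sed -i 's/^root::/root:!:/' /etc/shadow
lock_root_in_shadow() {
    printf '%s\n' "$1" | sed 's/^root::/root:!:/'
}

# Pull one image and read its /etc/shadow through the image's own shell.
# Exit 0 and print the name if root has an empty password, 1 if it does not,
# 2 if the image could not be pulled or has no /bin/sh (scratch, Windows...).
scan_image() {
    local image="$1" shadow
    docker pull -q "$image" >/dev/null 2>&1 || return 2
    shadow=$(docker run --rm --entrypoint sh "$image" -c 'cat /etc/shadow' 2>/dev/null) || return 2
    if shadow_root_is_empty "$shadow"; then
        printf '%s\n' "$image"
        return 0
    fi
    return 1
}

# Read image names (one per line) from stdin; append empty-root names to $1.
scan_list() {
    local outfile="$1" image
    : > "$outfile"
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        scan_image "$image" >> "$outfile" || true
    done
}

# Constructed sample data (not real image contents) for a stand-alone run.
ALPINE_STYLE='root:::0:::::
bin:!::0:::::
daemon:!::0:::::'
DEBIAN_STYLE='root:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'

if [ "$#" -gt 0 ]; then
    # usage: ./scan.sh results.txt < image-names.txt
    scan_list "$1"
else
    for sample in "$ALPINE_STYLE" "$DEBIAN_STYLE"; do
        if shadow_root_is_empty "$sample"; then
            echo "root has an empty password; locked form of the entry:"
            lock_root_in_shadow "$sample" | head -n1
        else
            echo "root is hashed or locked"
        fi
    done
fi
```

Two practical notes. scan_image executes a shell inside every image it checks, so run such a sweep on an isolated host, as the images are untrusted. And an empty password field flagged by shadow_root_is_empty is only a finding, not yet an exploitable hole: as the Alpine advisory says, something inside the container must actually authenticate against /etc/shadow (Linux PAM or a similar mechanism) for it to matter.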

The result? The resulting file contains 194 lines with the names of popular Linux-based Docker images in which the root user has no password set:

"Among the well-known names on this list are govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls."

It should be remembered, however, that this finding does not by itself mean a direct vulnerability in the systems that use these images: everything depends on how exactly they are used (see the caveat from the Alpine case above: an empty password field only becomes a way in when something inside the container authenticates against /etc/shadow, via Linux PAM or a similar mechanism). Nevertheless, we once again see the "moral of the story": apparent simplicity often has a flip side, which must always be kept in mind and whose consequences must be weighed in the scenarios of your own technical use.


source: www.habr.com
