19% of the most popular Docker images have no root password

Last Saturday, May 18, Jerry Gamblin of Kenna Security examined the 1000 most popular images on Docker Hub to see what root password they ship with. In 19% of cases there was none.


Background: Alpine

The trigger for this small study was the Talos Vulnerability Report published earlier this month (TALOS-2019-0782). Its authors, building on a discovery by Peter Adkins of Cisco Umbrella, reported that the official Docker images of the popular Alpine Linux container distribution ship with no root password:

"Official versions of the Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user."

The Alpine Docker image versions confirmed to have the problem were 3.3 through 3.9 inclusive, as well as the then-current edge release.

The authors gave affected users the following recommendation:

"The root account should be explicitly disabled in Docker images built from affected versions of Alpine. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires an exposed service or application which utilises Linux PAM, or some other mechanism which uses the system shadow file as an authentication database."

The problem was fixed in Alpine 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot). Owners of images based on affected versions were asked either to disable (comment out) the root line in /etc/shadow or to verify that the linux-pam package is not installed, since without a shadow-file-backed authentication path the empty password field cannot be used to log in.

Follow-up: Docker Hub

Jerry Gamblin decided to find out "how common the practice of using null passwords in containers might be." To do so he wrote a small Bash script whose logic is very simple:

  • with a curl request to the Docker Hub API, it fetches the list of Docker images hosted there;
  • with jq it sorts that list by the popularity field and keeps only the first thousand entries;
  • for each of those images it runs docker pull;
  • for each pulled image it runs docker run and reads the first line of the /etc/shadow file;
  • if that line equals root:::0::::: (an empty password field for root), the image name is written to a separate file.
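The core of that procedure is the classification of root's password field in /etc/shadow, and the Alpine advice above is the corresponding fix. The script below is an added example, not the article's or Jerry Gamblin's own script: it classifies the root entry of a shadow(5) file (empty field, locked, or hashed), shows the lock-the-account fix, and wraps the image-scanning step in a function that needs Docker and is therefore not executed in the demo. The file names, image tag and hash value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's or Jerry Gamblin's script).
# Classifies root's password field in a shadow(5) file the way the survey did
# (an empty second field means "no password") and applies the fix the Alpine
# advisory recommends: disable the account by locking the field.
# All file and image names below are constructed for the demo.

# Print the state of root's password field: null | locked | hashed | missing
shadow_root_status() {
    line=$(grep '^root:' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    # field 2 of name:hash:lastchg:min:max:warn:inactive:expire:flag
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '')        echo null ;;    # "root:::0:::::" - PAM/shadow-backed logins accept an empty password
        '!'*|'*'*) echo locked ;;  # "root:!::0:::::" - account disabled, what the fixed releases ship
        *)         echo hashed ;;  # a real hash such as $6$...
    esac
}

# Lock root in place by turning an empty hash field into "!" (same effect as
# `passwd -l root`); other entries are left alone. Prints the new state.
lock_root_in_shadow() {
    sed 's/^root::/root:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    shadow_root_status "$1"
}

# Online variant of the survey step: read /etc/shadow out of an image without
# trusting its entrypoint. Requires Docker; defined here but not run.
scan_image() {
    f=$(mktemp)
    docker run --rm --entrypoint cat "$1" /etc/shadow > "$f" 2>/dev/null
    printf '%s\t%s\n' "$1" "$(shadow_root_status "$f")"
    rm -f "$f"
}

# Offline demo on constructed shadow files (no images are pulled)
demo() {
    d=$(mktemp -d)
    printf 'root:::0:::::\nbin:!::0:::::\n'  > "$d/alpine-pre-fix"   # affected layout
    printf 'root:!::0:::::\nbin:!::0:::::\n' > "$d/alpine-fixed"     # 3.9.2-style layout
    printf 'root:$6$saltsalt$notarealhash:18000:0:99999:7:::\n' > "$d/hashed-root"
    for f in "$d"/*; do
        printf '%s\t%s\n' "$(basename "$f")" "$(shadow_root_status "$f")"
    done
    printf 'alpine-pre-fix after lock:\t%s\n' "$(lock_root_in_shadow "$d/alpine-pre-fix")"
    rm -rf "$d"
}

demo
```

Note that `null` here only means the field is empty; whether that is exploitable still depends on something in the container consulting /etc/shadow for authentication (PAM, an SSH daemon, `su`), which is exactly the caveat in the Alpine advisory. The `scan_image` function passes `--entrypoint cat` so that images with a custom entrypoint still yield the file rather than running their service.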

The result? The output file contains 194 names of popular Linux-based Docker images in which the root user has no password:

"Some of the more recognisable names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls."

It is worth stressing, however, that an empty root password field is not by itself a direct vulnerability in the systems that run these images: whether it matters depends entirely on how the container is used, in particular whether anything inside it (PAM, an SSH daemon, su) authenticates against /etc/shadow (see the Alpine advisory's caveat above). Still, the moral of the story is one we have seen many times: the apparent simplicity of a base image hides details like this, and they have to be kept in mind, and their consequences weighed, in every deployment scenario.

Source: www.habr.com
