19% of the most popular Docker images have no root password
Last Saturday, May 18, Jerry Gamblin of Kenna Security checked the 1000 most popular images on Docker Hub for the root password they use. In 19% of cases there was none.
Background: the Alpine case
The starting point for this small study was the Talos Vulnerability Report published earlier this month (TALOS-2019-0782), whose authors, building on a finding by Peter Adkins of Cisco Umbrella, showed that Docker images based on the popular Alpine container distribution ship without a root password.
"Official versions of the Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to its nature, systems deployed using affected versions of Alpine Linux in a container and utilising Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user."
The Alpine Docker image versions that tested positive for the problem were 3.3 through 3.9 inclusive, as well as the latest edge release.
The authors gave affected users the following recommendation:
"The root account should be explicitly disabled in Docker images built from affected versions of Alpine. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires an exposed service or application utilising Linux PAM or some other mechanism with similar behaviour."
The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot), and owners of affected images were asked either to comment out the root line in /etc/shadow or to verify that the linux-pam package is not installed.
Continuation: Docker Hub
Jerry Gamblin decided to find out "how common the practice of using null passwords in containers might be." To that end he wrote a small Bash script whose logic is very simple:
a curl request to the Docker Hub API retrieves the list of Docker images hosted there;
jq sorts the list by the popularity field, and only the first thousand results are kept;
for each of them, docker pull is executed;
for each image pulled from Docker Hub, docker run is executed to read the first line of the /etc/shadow file;
if that line equals root:::0:::::, the image name is saved to a separate file.
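As an added example (not Jerry Gamblin's script and not code from the Talos report), the POSIX shell functions below perform the defender's side of the check described above on the text of an /etc/shadow file. Instead of comparing the first line against the literal string root:::0:::::, they read the password field (field 2) of the root entry wherever it appears, so an empty root password in a differently laid-out shadow file is also caught, and they classify the entry as empty, locked or hashed. A second function produces a copy of the file with the root account locked by putting the ! marker in the password field, which is one way to disable the root account as the Talos authors recommend. The sample shadow contents are constructed for this example; nothing is pulled from Docker Hub.

```sh
#!/bin/sh
# Added example: classify the root entry of an /etc/shadow file and lock it
# when the password field is empty. Pure POSIX sh + awk, runs offline.

# shadow_root_state SHADOW_TEXT
#   Prints one of: empty | locked | hashed | missing
#   Looks at field 2 of the line whose first field is "root", wherever that
#   line is, rather than assuming it is the first line of the file.
shadow_root_state() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password at all
            else if ($2 ~ /^[!*]/) print "locked"   # ! or * prefix = disabled
            else                   print "hashed"   # a real password hash
            exit
        }
        END { if (!found) print "missing" }         # no root entry found
    '
}

# lock_empty_root SHADOW_TEXT
#   Prints SHADOW_TEXT with "!" in the root password field if that field was
#   empty; every other line and field is left untouched.
lock_empty_root() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" }
        $1 == "root" && $2 == "" { $2 = "!" }
        { print }'
}

# --- constructed sample inputs (not taken from any real image) ---------------
# Alpine-style layout with an empty root password, as found by the survey.
SHADOW_ALPINE_BAD='root:::0:::::
bin:!::0:::::
daemon:!::0:::::'
# glibc-style layout, also with an empty root password; the literal
# "root:::0:::::" comparison would not catch this one.
SHADOW_GLIBC_BAD='root::18000:0:99999:7:::
bin:*:18000:0:99999:7:::'
# Root account disabled.
SHADOW_LOCKED='root:!::0:::::
bin:!::0:::::'
# Root account with a (placeholder) password hash.
SHADOW_HASHED='root:$6$saltsalt$placeholderhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::'
# No root entry at all.
SHADOW_NO_ROOT='bin:!::0:::::
daemon:!::0:::::'

# Stand-alone demonstration: report each sample, then show the locked copy.
for name in SHADOW_ALPINE_BAD SHADOW_GLIBC_BAD SHADOW_LOCKED SHADOW_HASHED SHADOW_NO_ROOT; do
    eval "content=\$$name"
    printf '%-18s root password: %s\n' "$name" "$(shadow_root_state "$content")"
done
printf '\nAlpine sample after lock_empty_root:\n%s\n' "$(lock_empty_root "$SHADOW_ALPINE_BAD")"
```

In practice the input to shadow_root_state would be the output of the docker run step from the procedure above (the container's /etc/shadow), and an image is flagged when the result is "empty". Whether a flagged image is actually exploitable still depends on what the container runs, as the Talos recommendation quoted above points out.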
What came out of it? This file contains 194 lines with the names of popular Docker images of Linux systems in which the root user has no password:
"Among the most prominent names on this list are govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls."
It is worth remembering, however, that this finding by itself does not amount to a direct vulnerability in the security of the systems that use these images: it all depends on how they are used (see the Talos comment in the Alpine case above). Still, we have seen the "moral of the story" many times: apparent simplicity is often deceptive, and it must always be kept in mind, with its consequences weighed, in your own scenarios for using the technology.