Translator's note: the authors of this article describe in detail how they managed to discover the vulnerability CVE-2020-8555 in Kubernetes. Although it did not look very dangerous at first, in combination with other factors its criticality turned out to be maximal for some cloud providers. Several organizations generously rewarded the researchers for their work.
Who we are
We are two French security researchers who jointly discovered a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on many Bug Bounty platforms we are known as Reeverzax and Hach respectively:
When a Kubernetes cluster is deployed in such an environment, the control plane is usually the responsibility of the cloud provider:
The control plane sits on the cloud provider's perimeter, while the Kubernetes nodes sit on the customer's perimeter.
To allocate volumes dynamically, a mechanism is used that provisions them on demand from an external storage backend and maps them to PVCs (persistent volume claims, i.e. volume requests).
So once a PVC has been created and bound to a StorageClass in the K8s cluster, the remaining steps of providing the volume are taken by the kube/cloud-controller-manager (its exact name depends on the release). (Translator's note: we have already written in more detail about the CCM here, using the example of its implementation at one of the cloud providers.)
Kubernetes supports several types of provisioners: most of them are included in the orchestrator core, while others are handled by additional provisioners deployed as pods in the cluster.
In short, when Kubernetes is deployed in a managed environment, the controller-manager is the cloud provider's responsibility, but the volume creation request (number 3 in the diagram above) leaves the cloud provider's internal network. And this is where things get really interesting!
A single simple compromise (in this case a Server Side Request Forgery) made it possible to break out of the customer's perimeter into the clusters of various service providers running on K8s.
In our research we focused on the GlusterFS provisioner. Although the rest of the sequence of steps is described in that context, Quobyte, StorageOS and ScaleIO are subject to the same vulnerability.
Abusing the volume provisioning mechanism
While analyzing the GlusterFS storage class in the Golang client source code, we noticed that on the first HTTP request (3) sent during volume creation, /volumes is appended to the end of the custom URL given in the resturl parameter.
We decided to get rid of this extra path by appending # to the resturl parameter. Here is the first YAML configuration we used to test for a semi-blind SSRF vulnerability (translator's note: you can read more about semi-blind, or half-blind, SSRF here, for example):
With this approach we were limited to HTTP POST requests and could not obtain the contents of the response body when the return code was 201. We therefore decided to carry out additional research and extend this attack scenario with new approaches.
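From the operator's side, the weakness described above is a missing input check on a user-controlled URL that a privileged component later builds a request from. The following Go program is an added example, not the researchers' code and not Kubernetes' own provisioner or admission code: it shows the kind of validation an admission webhook or a provisioner could apply to a StorageClass resturl before it is used. The allowlisted host name is a constructed assumption. Note that the check inspects the raw string for "#" and "?", because Go's url.Parse silently drops a trailing "#", so validating only the parsed Fragment would accept exactly the value this section describes.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedRestHosts is a hypothetical operator-maintained allowlist of the REST
// endpoints (host:port) a StorageClass may point the provisioner at.
// The entry is constructed for this example.
var allowedRestHosts = map[string]bool{
	"heketi.storage.svc.cluster.local:8080": true,
}

// validateRestURL checks a StorageClass resturl value before the provisioner
// ever concatenates or parses it. The raw string is inspected for "#" and "?"
// because url.Parse drops a trailing "#" silently, so a check on the parsed
// Fragment alone would accept "http://host/path#".
func validateRestURL(raw string) error {
	if strings.ContainsAny(raw, "#?") {
		return errors.New("resturl must not contain a fragment or query: the provisioner appends its own path")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("resturl is not a valid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("resturl scheme %q is not http or https", u.Scheme)
	}
	if u.User != nil {
		return errors.New("resturl must not embed credentials")
	}
	if u.Host == "" {
		return errors.New("resturl has no host")
	}
	// A literal loopback, link-local (169.254.0.0/16 hosts cloud metadata
	// services) or unspecified address is never a storage backend.
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("resturl host %s is a loopback, link-local or unspecified address", ip)
		}
	}
	if !allowedRestHosts[u.Host] {
		return fmt.Errorf("resturl host %q is not an allowlisted storage endpoint", u.Host)
	}
	return nil
}

// effectiveRequestURL mirrors the behaviour described in the text: the client
// appends /volumes to the configured value and then parses the result. It
// returns what would actually be sent, which makes visible how a trailing "#"
// discards the appended suffix.
func effectiveRequestURL(resturl string) (string, error) {
	u, err := url.Parse(resturl + "/volumes")
	if err != nil {
		return "", err
	}
	u.Fragment = "" // the fragment never leaves the client
	return u.String(), nil
}

func main() {
	for _, candidate := range []string{
		"https://heketi.storage.svc.cluster.local:8080",
		"http://attacker.com/redirect.php#",
		"http://169.254.169.254",
	} {
		sent, _ := effectiveRequestURL(candidate)
		if err := validateRestURL(candidate); err != nil {
			fmt.Printf("REJECT %-48s (would send %s): %v\n", candidate, sent, err)
		} else {
			fmt.Printf("ACCEPT %-48s (would send %s)\n", candidate, sent)
		}
	}
}
```

The allowlist is the decisive control; the structural checks in front of it exist so that a rejected value produces an error message that explains which rule it broke, which is what an operator reading admission webhook logs needs.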
Evolution of our research
Advanced scenario #1: using a 302 redirect from an external server to change the HTTP method, giving a more flexible way of collecting internal data.
Advanced scenario #2: automating the LAN scan and the discovery of internal resources.
Advanced scenario #3: using HTTP CRLF injection + smuggling ("request smuggling") to craft tailored HTTP requests and retrieve the data extracted from the kube-controller logs.
Technical details
The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
The described scenarios were performed on recent Kubernetes releases, except for the third scenario, because it required Kubernetes built with Golang version ≤ 1.12.
External attacker server: https://attacker.com.
Advanced scenario #1: redirecting an HTTP POST request to a GET and obtaining sensitive data
The original method was improved by configuring the attacker's server to return a 302 HTTP return code, converting the POST request into a GET request (step 4 in the diagram):
The first request (3), coming from the GlusterFS client (Controller Manager), is a POST. By following these steps we were able to turn it into a GET:
http://attacker.com/redirect.php is specified as the resturl parameter in the StorageClass.
The endpoint https://attacker.com/redirect.php responds with a 302 HTTP return code and the following Location header: http://169.254.169.254. This could be any other internal resource; in this case the redirect target is used only as an example.
By default, Golang's net/http library follows this redirect and, on a 302 status code, converts the POST into a GET, which results in an HTTP GET request to the target resource.
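The method change described here can be reproduced entirely in-process, together with the client-side mitigation. The Go program below is an added example, not code from the original article or from Kubernetes: two httptest servers stand in for the redirecting endpoint and the internal target (no real addresses are contacted), and the default http.Client is contrasted with one whose CheckRedirect returns http.ErrUseLastResponse. The server names, handlers and request body are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodRecorder stands in for the internal target. It records the HTTP method
// of every request that reaches it and answers with a small JSON body, as a
// metadata or REST service would. Constructed for this demonstration.
type methodRecorder struct {
	mu      sync.Mutex
	methods []string
}

func (m *methodRecorder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	m.mu.Lock()
	m.methods = append(m.methods, r.Method)
	m.mu.Unlock()
	fmt.Fprint(w, `{"reached":"internal-target"}`)
}

// Methods returns a copy of the recorded methods.
func (m *methodRecorder) Methods() []string {
	m.mu.Lock()
	defer m.mu.Unlock()
	return append([]string(nil), m.methods...)
}

// newRedirector returns an in-process server that answers every request with
// 302 Found and a Location header pointing at targetURL, playing the role of
// the externally controlled endpoint in the scenario.
func newRedirector(targetURL string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, targetURL, http.StatusFound)
	}))
}

// postThrough issues the provisioner-style POST with the given client and
// returns the final status code the client observed.
func postThrough(client *http.Client, endpoint string) (int, error) {
	resp, err := client.Post(endpoint, "application/json", strings.NewReader(`{"size":1}`))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// noRedirectClient is the hardened variant: CheckRedirect returns
// http.ErrUseLastResponse, so a 3xx is handed back to the caller instead of
// being followed. A server-side client talking to an operator-configured
// endpoint has no reason to follow a redirect to an arbitrary host.
func noRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// demo runs both clients against the same redirector. It returns the methods
// the target saw from the default client, the status the hardened client
// stopped at, and how many further requests the target saw in the hardened run.
func demo() (defaultSeen []string, hardenedStatus, hardenedExtra int, err error) {
	target := &methodRecorder{}
	targetSrv := httptest.NewServer(target)
	defer targetSrv.Close()
	redirector := newRedirector(targetSrv.URL + "/volumes")
	defer redirector.Close()

	// Default client: follows the 302 and re-issues the request as a GET
	// without a body (net/http rewrites POST to GET on 301/302/303).
	if _, err = postThrough(http.DefaultClient, redirector.URL); err != nil {
		return nil, 0, 0, err
	}
	defaultSeen = target.Methods()

	// Hardened client: the 302 is returned as-is and the target is never contacted.
	before := len(target.Methods())
	if hardenedStatus, err = postThrough(noRedirectClient(), redirector.URL); err != nil {
		return nil, 0, 0, err
	}
	hardenedExtra = len(target.Methods()) - before
	return defaultSeen, hardenedStatus, hardenedExtra, nil
}

func main() {
	seen, status, extra, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("default client:  target saw %v\n", seen)
	fmt.Printf("hardened client: stopped at %d, target saw %d further requests\n", status, extra)
}
```

Running it shows the default client delivering a GET to the target while the hardened client stops at the 302 and the target sees nothing. Refusing redirects is a one-line change on the client, and the 302 then surfaces as an ordinary error in the provisioner instead of a request to a host the operator never configured.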
To read the body of the HTTP response, you need to describe the PVC object:
kubectl describe pvc xxx
Here is an example of the HTTP response in JSON format that we were able to receive:
The capabilities of the vulnerability found at that point were limited for the following reasons:
Inability to insert HTTP headers into the outgoing request.
Inability to perform a POST request with parameters in the body (this would be convenient for requesting a key's value from an etcd instance running on port 2379 if unencrypted HTTP is used).
Considering that the attack scenario was relatively unique and incompatible with existing scanning mechanisms and SSRF tools, we decided to create our own workers in a bash script that automates the whole process.
For example, to quickly scan the 172.16.0.0/12 range of the internal network, 15 workers were launched in parallel. The above IP range was chosen only as an example and may be changed to the IP range of a particular service provider.
To scan one IP address and one port, you need to do the following:
The result is an Unsolicited response error, a message about which is written to the controller logs. Thanks to the verbosity enabled by default, the contents of the HTTP message are also stored there.
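From the defender's side, the same log message is a detection opportunity: it only appears when a provisioner's outbound HTTP request was answered by something that is not an HTTP server. The Go program below is an added example, not code from the article or from Kubernetes. The log lines are constructed for it and only the "Unsolicited response" text is the literal message Go's net/http transport emits; it flags controller-manager lines where a provisioner request reached a non-HTTP service or a link-local address.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one flagged controller-manager log line with the reason and the
// extracted detail (the leaked response prefix or the offending URL).
type Finding struct {
	Line   string
	Reason string
	Detail string
}

// unsolicitedRe matches the message Go's net/http transport logs when bytes
// arrive on a connection it is not expecting a response on. For a provisioner
// this means the configured endpoint answered with something other than HTTP;
// the quoted prefix is the banner of whatever service answered.
var unsolicitedRe = regexp.MustCompile(`Unsolicited response received on idle HTTP channel starting with "((?:[^"\\]|\\.)*)"`)

// linkLocalRe matches request targets in 169.254.0.0/16, the range where cloud
// metadata services are reachable from a provider's control plane.
var linkLocalRe = regexp.MustCompile(`https?://169\.254\.\d{1,3}\.\d{1,3}(?::\d+)?(?:/[^\s:"]*)?`)

// scanControllerLogs returns one Finding per line showing a provisioner's
// outbound request ending up somewhere other than a storage REST endpoint.
func scanControllerLogs(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		if m := unsolicitedRe.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{line, "non-HTTP service answered the provisioner", m[1]})
			continue
		}
		if m := linkLocalRe.FindString(line); m != "" {
			findings = append(findings, Finding{line, "provisioner request targeted a link-local address", m})
		}
	}
	return findings
}

// sampleLogLines are constructed for this example and are not real
// controller-manager output; only the "Unsolicited response" wording is the
// literal message net/http writes.
var sampleLogLines = []string{
	`I0301 12:00:01.000001       1 glusterfs.go:580] [kubernetes.io/glusterfs] creating volume for claim default/data`,
	`2020/03/01 12:00:02 Unsolicited response received on idle HTTP channel starting with "SSH-2.0-OpenSSH_7.4\r\n"; err=<nil>`,
	`E0301 12:00:03.000003       1 glusterfs.go:603] failed to create volume: Post http://169.254.169.254/volumes: EOF`,
	`I0301 12:00:04.000004       1 pv_controller.go:1599] volume "pvc-0001" provisioned for claim "default/data"`,
}

func main() {
	for _, f := range scanControllerLogs(sampleLogLines) {
		fmt.Printf("%s\n  detail: %q\n  line:   %s\n", f.Reason, f.Detail, f.Line)
	}
}
```

A burst of such lines from one controller-manager, each with a different banner or address, is the footprint of a scan driven through the provisioner; a single line still points at a StorageClass whose resturl deserves a look.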
This was our most useful "bait" within the proof of concept.
Using this approach we were able to carry out some of the following attacks on clusters of various managed k8s providers: privilege escalation using credentials from metadata instances, Master DoS via (unencrypted) HTTP requests to etcd master instances, and so on.
Results
In the official Kubernetes statement about the SSRF vulnerability we found, it was rated CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If only the vulnerability related to the Kubernetes perimeter is considered, the Integrity component of the vector is rated None.
However, assessing the possible consequences in the context of a managed service environment (and this was the most interesting part of our research!) led us to reclassify the vulnerability as Critical, CVSS 10/10, for many distributors.