19% of the top Docker images have no password

Last Saturday, May 18th, Jerry Gamblin of Kenna Security examined the 1000 most popular images from Docker Hub, looking at the password they use. In 19% of cases it was empty.


Background: Alpine

The reason for this small investigation was the Talos Vulnerability Report published earlier this month (TALOS-2019-0782), whose authors, thanks to a discovery by Peter Adkins of Cisco Umbrella, reported that the Docker images with the popular Alpine distribution have no password:

"The official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appeared as a result of a regression introduced in December 2015. The essence of this is that systems deployed with the problematic versions of Alpine Linux in a container and using Linux PAM or another mechanism that uses the system shadow file as an authentication database may accept a NULL password for the root user."

The versions of the Alpine Docker images tested for this problem were 3.3 through 3.9 inclusive, as well as the latest edge release.

The authors gave the following recommendations to affected users:

"The root account must be explicitly disabled in Docker images built from the problematic versions of Alpine. The likelihood of exploiting the vulnerability depends on the environment, since success requires an externally exposed service or application that uses Linux PAM or another similar mechanism."

The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (snapshot 20190228), and owners of affected images were asked to comment out the root line in /etc/shadow or to make sure the linux-pam package is absent.

Continuation: Docker Hub

Jerry Gamblin decided to satisfy his curiosity about "how common the practice of using null passwords in containers might be." For this purpose he wrote a small Bash script, which is very simple:

  • via a curl request to the Docker Hub API, the list of Docker images stored there is requested;
  • via jq it is sorted by the popularity field, and of the results only the first thousand are kept;
  • for each of them a docker pull is executed;
  • for each image received from Docker Hub, docker run is executed, reading the first line of the /etc/shadow file;
  • if that line equals root:::0:::::, the image name is saved to a separate file.
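As an added example (not Gamblin's script or any code from the article), here is the check at the heart of such a scan written as a reusable shell helper: it classifies the root entry of a shadow file as empty, locked, hashed or missing, so that an image can be flagged for an empty root password rather than for an exact string match. The `image_root_status` wrapper and its `docker run` invocation are assumptions about how the shadow file is read from an image and are not exercised offline; the sample shadow files are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify the root entry of an /etc/shadow file.
# Assumes a POSIX shell with awk; the docker-based wrapper is an assumption.

# classify_root_shadow <path-to-shadow-file>
# Prints one of: empty | locked | hashed | missing
classify_root_shadow() {
    awk -F: '
        $1 == "root" {
            found = 1
            # Field 2 is the password hash. Empty means "no password".
            if ($2 == "")        { print "empty";  exit }
            # "!" or "*" (or a hash prefixed with "!") means the account is locked.
            if ($2 ~ /^[!*]/)    { print "locked"; exit }
            print "hashed"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# image_root_status <image>
# Reads /etc/shadow from a throwaway container and classifies it.
# Assumption: the docker CLI is installed and the image has cat(1).
image_root_status() {
    _tmp=$(mktemp) || return 1
    docker run --rm --entrypoint cat "$1" /etc/shadow > "$_tmp" 2>/dev/null
    classify_root_shadow "$_tmp"
    rm -f "$_tmp"
}

# make_sample <path> <root-line>
# Writes a constructed shadow file with the given root line plus two other users.
make_sample() {
    printf '%s\nbin:*:17000:0:99999:7:::\nnobody:!:17000:0:99999:7:::\n' "$2" > "$1"
}
```

Piping the 1000 image names into `image_root_status` and keeping only those that print `empty` reproduces the article's scan with a check that is robust to differing field values.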

What came of it? This file contained 194 lines with the names of popular Docker images with Linux systems in which the root user has no password:

"Among the well-known names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls."

It is worth remembering, however, that this phenomenon in itself does not mean a direct vulnerability in the security of the systems that use these images: everything depends on how they are used (see the comment from the Alpine story above). Still, we have seen "the moral of this story" many times: apparent simplicity often has its downsides, which must always be kept in mind and whose consequences must be weighed in your own engineering scenarios.


Source: www.habr.com
