19% of the top Docker images have no root password

Last Saturday, May 18th, Jerry Gamblin of Kenna Security checked the 1000 most popular images on Docker Hub for the root password they ship with. In 19% of cases it was empty.


Background: Alpine

The reason for this mini-study was the Talos Vulnerability Report published at the beginning of the month (TALOS-2019-0782), whose authors, following a discovery by Peter Adkins of Cisco Umbrella, reported that Docker images of the popular Alpine container distribution have no root password:

"The official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability was caused by a regression introduced in December 2015. The consequence is that systems deployed with affected versions of the Alpine Linux container that use Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user."

The Alpine Docker image versions tested and found affected were 3.3 through 3.9 inclusive, as well as the latest edge release.

The authors gave affected users the following recommendation:

"The root account should be explicitly disabled in Docker images built from affected versions of Alpine. Exploitation of this vulnerability is environment-dependent, since success requires an externally exposed service or application that uses Linux PAM or some similar mechanism."

The problem has since been fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot), and owners of affected images were asked to comment out the line containing root in /etc/shadow, or to make sure the linux-pam package is not present.

Moving on to Docker Hub

Jerry Gamblin decided to find out "how common the practice of using empty passwords in containers might be." For this he wrote a small Bash script, the essence of which is quite simple:

  • with a curl request to the Docker Hub API, the list of Docker images hosted there is fetched;
  • with jq the list is sorted by the popularity field, and of the results only the first thousand are kept;
  • for each of them, docker pull is executed;
  • for each image fetched from Docker Hub, docker run is executed, reading the first line of the file /etc/shadow;
  • if that line equals root:::0:::::, the image name is saved to a separate file.
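The following script is an added example of steps 3 to 5 above; it is not Jerry Gamblin's script. The Docker Hub listing and sorting step (curl plus jq) is left out because the page does not give the endpoint, so image names are passed as arguments. It also generalizes the check in two ways: it looks for the root line with grep instead of assuming it is the first line of /etc/shadow, and it classifies the password field rather than comparing the whole line to the fixed string root:::0:::::, so an entry such as root::18000:0:99999:7::: is still reported as passwordless and the locked entry root:!::0:::::, which the fixed Alpine images carry, is told apart from a real hash. The sample shadow lines at the bottom are constructed for the demonstration and do not come from any real image.

```shell
#!/bin/sh
# Added example, not Jerry Gamblin's script: check Docker images for a
# passwordless root entry in /etc/shadow. The Docker Hub listing/sorting
# step is omitted; image names are passed as arguments.
set -e

# Classify one /etc/shadow line. The second colon-separated field is the
# password hash:
#   ""            -> no password at all (what the scan is looking for)
#   "!..." / "*"  -> account locked, e.g. "root:!::0:::::" in fixed Alpine
#   anything else -> a real hash
# Prints one of: empty | locked | hashed | not-root | malformed
classify_shadow_line() {
    line=$1
    case "$line" in
        *:*) ;;
        *) printf 'malformed\n'; return ;;
    esac
    user=${line%%:*}          # field 1: user name
    rest=${line#*:}
    hash=${rest%%:*}          # field 2: password hash
    if [ "$user" != root ]; then
        printf 'not-root\n'; return
    fi
    case "$hash" in
        "")          printf 'empty\n' ;;
        '!'* | '*'*) printf 'locked\n' ;;
        *)           printf 'hashed\n' ;;
    esac
}

# Pull an image and classify its root entry. grep '^root:' is used instead of
# "head -1", so the result does not depend on root being the first line, and
# --entrypoint bypasses images whose ENTRYPOINT is not a shell.
scan_image() {
    image=$1
    docker pull -q "$image" >/dev/null 2>&1 || { printf 'pull-failed\n'; return; }
    # Images without grep or without /etc/shadow (scratch, distroless) yield
    # an empty line and are reported as "no-shadow-entry".
    line=$(docker run --rm --entrypoint grep "$image" '^root:' /etc/shadow 2>/dev/null || true)
    if [ -z "$line" ]; then
        printf 'no-shadow-entry\n'
    else
        classify_shadow_line "$line"
    fi
}

# Constructed shadow entries (not taken from any real image) to show the
# classifier's verdicts without pulling anything.
for sample in 'root:::0:::::' 'root:!::0:::::' 'root:$6$salt$hash:18000:0:99999:7:::'; do
    printf '%-40s %s\n' "$sample" "$(classify_shadow_line "$sample")"
done

# Usage: ./scan.sh alpine:3.9.1 alpine:3.9.2 ...  (prints "image verdict" per line).
# With no arguments the loop is empty and nothing is pulled.
for image in "$@"; do
    printf '%s %s\n' "$image" "$(scan_image "$image")"
done
```

Only images whose verdict is "empty" correspond to the hits counted on this page; "locked" is the state the Alpine fix and the Talos recommendation (disable the root account) produce, and "no-shadow-entry" covers images that have no shadow file to authenticate against at all.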

What came of it? The file ended up with 194 lines, the names of popular Docker images of Linux systems in which the root user has no password set:

"Among the best-known names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular one on the list, with a pull count of more than 10 million."

It is important to remember, however, that this fact in itself does not mean a direct hole in the security of the systems that use these images: everything depends on how exactly they are used (see the response in the Alpine case above). An empty root entry in /etc/shadow only matters when something inside the container actually authenticates against it, such as an sshd, su or login, or an application using Linux PAM. Nevertheless, we have seen this "moral of the story" many times: apparent simplicity often has its downsides, which must always be kept in mind, with the consequences assessed in your own technical context.


Source: www.habr.com
