Last Saturday, May 18th, Jerry Gamblin of Kenna Security
Background: Alpine
The reason for this mini-study was the Talos Vulnerability Report published at the beginning of this month:
"The official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. The consequence of this is that systems deployed with affected versions of the Alpine Linux container, which use Linux PAM or another mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user."
The Alpine Docker image versions tested for the problem were 3.3 through 3.9 inclusive, as well as the latest release.
The authors gave the following recommendation to affected users:
"The root account must be explicitly disabled in Docker images built from the affected versions of Alpine. The exploitability of the vulnerability depends on the environment, since its success requires an externally exposed service or application that uses Linux PAM or another similar mechanism."
The problem was addressed in /etc/shadow, along with a check that the linux-pam package is absent.
On to Docker Hub
Jerry Gamblin decided to find out "how common the practice of using empty passwords in containers might be." For this purpose he wrote a small script that does the following:
- via a curl request to the Docker Hub API, it requests the list of Docker images hosted there;
- via jq it sorts them by the popularity field and keeps the first thousand of the results;
- for each of them it performs docker pull;
- for each image received from Docker Hub it executes docker run, reading the first line of the file /etc/shadow;
- if that line equals root:::0:::::, the image name is saved to a separate file.
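The check at the heart of that loop (read /etc/shadow from the image and look at the root entry), as an added shell example that is not Jerry Gamblin's script; it classifies the root password field instead of matching one exact string, and the sample shadow files and image name are constructed for the demonstration.

```sh
#!/bin/sh
# Classify the root entry of a shadow file instead of matching the one string
# "root:::0:::::": an exact match misses other empty-password layouts such as
# "root::0:::::", while testing the password field catches them all.
# Prints one of: empty (no password, the Alpine regression), locked ("!" or "*"
# prefix, the state after the fix), hashed (a password is set), missing.
root_password_state() {
    line=$(grep '^root:' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    pw=$(printf '%s\n' "$line" | cut -d: -f2)   # field 2 = password hash
    case "$pw" in
        "")          echo empty ;;
        '!'* | '*'*) echo locked ;;
        *)           echo hashed ;;
    esac
}

# The same check against a pulled image, the way the post's loop does it: read
# /etc/shadow from a throwaway container (needs docker; not exercised here).
audit_image() {
    tmp=$(mktemp)
    if ! docker run --rm "$1" cat /etc/shadow > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo unreadable
        return 0
    fi
    root_password_state "$tmp"
    rm -f "$tmp"
}

# Constructed sample shadow files covering each state (assumed contents).
make_samples() {
    dir=$(mktemp -d)
    printf 'root:::0:::::\nbin:!::0:::::\n'  > "$dir/affected"   # empty root password
    printf 'root:!::0:::::\nbin:!::0:::::\n' > "$dir/fixed"      # root disabled
    printf 'root:$6$salt$fakehash:18000:0:99999:7:::\n' > "$dir/hashed"
    printf 'bin:!::0:::::\n' > "$dir/noroot"
    echo "$dir"
}

# Usage: audit_image alpine:3.9   or   root_password_state "$(make_samples)/affected"
```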
What was the result? Among the best-known names on the list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. The most popular entry on the list is kylemanna/openvpn, whose pull count exceeds ten million.
It is important to remember, however, that this fact by itself does not mean a direct compromise of the security of the systems using these images: everything depends on how exactly they are used (see the response to the Alpine case above). Nevertheless, we have once again seen the moral of the story: obvious simplifications often have a downside, which should always be kept in mind, with the consequences checked against your own technology usage scenario.
PS
Read also on our blog:
- «Statistics on base operating systems in images on Docker Hub»;
- «Docker and Kubernetes in security-sensitive environments»;
- «The CVE-2019-5736 vulnerability in runc, which allows gaining root privileges on the host»;
- «Vulnerable Docker VM: a real Docker image and pentesting».
Source: www.habr.com