19% of top Docker images have no root password

Last Saturday, May 18th, Jerry Gamblin of Kenna Security examined the 1000 most popular images from Docker Hub for the root password they use. In 19% of cases it was empty.

Background: the Alpine case

The trigger for this small study was a Talos Vulnerability Report published earlier this month (TALOS-2019-0782). Its authors, following a finding by Peter Adkins of Cisco Umbrella, reported that Docker images based on the popular Alpine container distribution have no root password:

“Official versions of the Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability is the result of a regression introduced in December 2015. Because of this, systems deployed using affected versions of the Alpine Linux container which use Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.”

The versions of the Alpine Docker images checked for the problem were 3.3–3.9, as well as the latest edge release.

The authors gave affected users the following recommendations:

"The root account should be explicitly disabled in Docker images built on the affected versions of Alpine. The likelihood of exploiting this vulnerability depends on the environment, since success requires an externally exposed service or an application that uses Linux PAM or a similar mechanism."

The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot), and the owners of affected images were asked to comment out the root line in /etc/shadow or to make sure the linux-pam package is not installed.

On to Docker Hub

Jerry Gamblin decided to find out “how common the practice of using empty passwords in containers might be.” For this purpose he wrote a small Bash script whose logic is very simple:

  • with a curl request to the Docker Hub API, the list of Docker images hosted there is fetched;
  • with jq the list is sorted by the popularity field, and of the results only the first thousand are kept;
  • for each of them a docker pull is performed;
  • each image fetched from Docker Hub is started with docker run, which reads the first line of the file /etc/shadow;
  • if that line equals root:::0:::::, the image name is written to a separate file.
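The check at the heart of the procedure above, written here as an added example (this is not Jerry Gamblin's script). It goes a step beyond his exact match on the string root:::0:::::: it parses the password field of the root entry, so variants with different date fields are caught too, and it distinguishes an empty field from a locked one (the "!" the Alpine fix puts there) and from a real hash. The sample shadow files are constructed, not taken from any image.

```shell
#!/bin/sh
# Classify the root entry of a shadow-format file as one of:
#   empty   - password field is empty (NULL password, the case the study looked for)
#   locked  - field starts with "!" or "*" (no password login possible)
#   hashed  - a real password hash is set
#   missing - no root line at all
root_password_state() {
    shadow_file="$1"
    if ! grep -q '^root:' "$shadow_file"; then
        echo missing
        return
    fi
    # Second colon-separated field of the first root line is the password field
    pw=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow_file")
    case "$pw" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# True (exit 0) only when root has an empty password field
root_password_empty() {
    [ "$(root_password_state "$1")" = empty ]
}

# Constructed sample shadow files for a stand-alone run (not real image data)
tmp=$(mktemp -d)
printf 'root:::0:::::\n' > "$tmp/alpine_old"            # the exact line the study matched
printf 'root::18000:0:99999:7:::\n' > "$tmp/variant"     # empty field, other date fields set
printf 'root:!::0:::::\n' > "$tmp/fixed"                 # locked, as in the Alpine fix
printf 'root:$6$salt$hash:18000:0:99999:7:::\n' > "$tmp/hashed"

for sample in alpine_old variant fixed hashed; do
    printf '%-10s %s\n' "$sample" "$(root_password_state "$tmp/$sample")"
done
```

Against a pulled image, the same function can be fed the output of `docker run --rm <image> cat /etc/shadow` saved to a file, which is the step the original script performs per image.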

The result? That file ended up with 194 lines: the names of popular Docker images with Linux systems in which the root user has no password set:

“Among the best-known names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls.”

It is worth remembering, however, that this situation in itself does not mean a direct security vulnerability in the systems that use these images: everything depends on how they are used (see the remark on the Alpine case above). Still, we have seen the "moral of the story" many times: apparent simplicity often has a downside, and this, together with its consequences for your own deployment scenarios, should always be kept in mind.

Source: www.habr.com
