Source: cncf-seccon-na-2023-unpacking-open-source-security-in-public-repos-and-registries-final.pdf (32 pages)
Unpacking Open Source Security in Public Repos & Registries
Craig Box, VP OSS, and Ben Hirschberg, CTO

who_am_i
Ben Hirschberg (slashben81)
- Co-founder & CTO, ARMO
- Kubescape maintainer
- Whitehat in the past (unofficially still ;-)
- Fluent in Hebrew, Hungarian, C, ASM and Go (not English)
- Contributor in CNCF + organizer of CNCF Jerusalem
- Father of 4

Ben-point_
Kubescape is here to tell you what's wrong:
- with YAML/Helm charts in your Git repositories and CI processes
- in your clusters
- in your container registries
More important: to tell you how to fix the issues and how to prioritize them.
ARMO Platform is a cloud service (beyond other things) storing Kubescape results: security issues, vulnerabilities, Git repositories, container registries.

Sample size:
- 179 registries
- 43,539 images
- 1,914 repositories
- 164,887 files scanned

Container image scans
- Comparing the whole sample to the sub-sample of graduated projects
- Reviewing the distribution of severities
- Reviewing top CVEs in both
- Time of publishing fixes
- Relevancy

Image repos with most scans in the general sample
Top count of repo                                        #workload image scans
quay.io/argoproj/argocd                                  19,426
docker.io/bitnami/redis                                  13,308
quay.io/argoproj/argoexec                                11,427
quay.io/prometheus-operator/prometheus-config-reloader   11,275
quay.io/kiwigrid/k8s-sidecar                              6,581
quay.io/prometheus/prometheus                             6,390
docker.io/bitnami/mongodb                                 6,312
quay.io/prometheus/node-exporter                          5,569
gcr.io/datadoghq/agent                                    5,404

Image tags with most scans in the graduated sample
Top count of repo                                        #workload image scans
quay.io/argoproj/argocd                                  19,426
quay.io/argoproj/argoexec                                11,427
quay.io/prometheus-operator/prometheus-config-reloader   11,275
quay.io/prometheus/prometheus                             6,390
quay.io/prometheus/node-exporter                          5,569
quay.io/prometheus/alertmanager                           4,172
quay.io/prometheus-operator/prometheus-operator           4,088
registry.k8s.io/kube-proxy                                3,530
registry.k8s.io/kube-state-metrics/kube-state-metrics     3,039

Comparison_
[Chart: vulnerability distribution by severity: Negligible, Medium, High, Low, Critical, Other]

TOP vulnerabilities in general population_

CVE-2022-28391
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
Cloud native environment: If someone is running netstat in a Pod from a terminal while the attacker controls the DNS entry, the terminal is prone to the attack. Not a common scenario.

CVE-2021-33560
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
Cloud native environment: Libgcrypt is around in many images for GPG signature verification of APT/YUM packages. It is mostly not in use during deployment, and there is no private key in the image.

CVE-2019-8457
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description: SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
Cloud native environment: If the attacker can inject arbitrary SQL statements then the attacker can get arbitrary code execution. SQLite is part of CentOS/RH base images.

Opinion: these are the vulnerabilities that have some probability above 0.1* of being exploited (*gut feeling ;-)

TOP vulnerabilities in graduated projects

CVE-2015-5237
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Cloud native environment: It is indeed a vulnerability in the protobuf C/C++ package. But not in the Golang package!
https:/

Opinion: these are the vulnerabilities that have some probability above 0.1* of being exploited (*gut feeling ;-)

Looking only at filtered results_
[Chart: average vulnerability count per severity: High, Critical, Medium, Low, Negligible, Other]

Image vulnerability relevancy
[Diagram: vulnerability in image vs. workload exploit; Kubescape sneeffer results: relevant]

Kubescape Sneeffer
Redis SBOM (full) -> files actually used by the container -> Redis SBOM (filtered) -> vulnerability scanner
Steps: scan image -> eBPF -> compare against SBOM -> feed to vulnerability scanner
https:/

Looking only at filtered results_
[Chart: average relevant vulnerability count per severity: High, Critical, Medium, Low, Negligible, Other]

Explaining the numbers

Git repository scans_
- Comparing the whole sample to the sub-sample of graduated projects
- Reviewing the distribution of controls
- Evaluating the failed controls ratio

Most failed in general population_
[Chart: most failed controls, general population]

Most failed among graduated projects_
[Chart: most failed controls, graduated projects]

Percent of controls failing_
Control failure ratio = failed controls / all relevant controls (per resource)
General sample: 38%
Graduated projects sample: 35%

Closing thoughts_
Vulnerabilities:
- Hard to clearly say that CNCF Graduated projects are less vulnerable
- Vulnerability scan results are like "have million problems"
- Generally, newer technologies and languages cover some low-hanging security fruits
Misconfigurations:
- Graduated projects have a slightly better security posture
- Many are still prone to simple issues

Thank you_
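The relevancy filtering sketched on the Kubescape Sneeffer slide (full SBOM, files actually used by the container, filtered SBOM, vulnerability scanner), as an added Go example that is not the deck's or Kubescape's own code. It takes a constructed cut-down SBOM for a Redis-style image, a constructed set of file paths standing in for the file-open events an eBPF sensor would record, and a constructed finding list that binds the deck's three general-population CVEs to their packages plus one placeholder finding (CVE-EXAMPLE-0001, not a real CVE) on a package the workload does load, then compares full and relevant counts per severity. Package names, versions, file paths and the placeholder CVE are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Package is one SBOM entry: the package, its version and the files it installs
// into the image. A real SBOM gets this file list from the package manager.
type Package struct {
	Name    string
	Version string
	Files   []string
}

// Vulnerability is one scanner finding, bound to the SBOM package it affects.
type Vulnerability struct {
	ID       string
	Package  string
	Severity string
}

// FilterSBOM keeps only the packages that own at least one file the runtime
// sensor saw the container open. Packages whose files were never touched are
// present in the image but not relevant to the running workload.
func FilterSBOM(sbom []Package, usedFiles map[string]bool) []Package {
	var kept []Package
	for _, p := range sbom {
		for _, f := range p.Files {
			if usedFiles[f] {
				kept = append(kept, p)
				break
			}
		}
	}
	return kept
}

// RelevantVulns keeps findings whose package survived FilterSBOM.
func RelevantVulns(vulns []Vulnerability, filtered []Package) []Vulnerability {
	live := make(map[string]bool, len(filtered))
	for _, p := range filtered {
		live[p.Name] = true
	}
	var out []Vulnerability
	for _, v := range vulns {
		if live[v.Package] {
			out = append(out, v)
		}
	}
	return out
}

// CountBySeverity tallies findings per severity for one image, the per-image
// input to the deck's "average vulnerability count per severity" charts.
func CountBySeverity(vulns []Vulnerability) map[string]int {
	counts := map[string]int{}
	for _, v := range vulns {
		counts[v.Severity]++
	}
	return counts
}

// SampleSBOM is a constructed, cut-down SBOM for a Redis-style image; names,
// versions and paths are illustrative, not taken from a real scan.
func SampleSBOM() []Package {
	return []Package{
		{"redis-server", "7.0.12", []string{"/usr/local/bin/redis-server"}},
		{"libc6", "2.36-9", []string{"/lib/x86_64-linux-gnu/libc.so.6"}},
		{"openssl", "3.0.9", []string{"/usr/lib/x86_64-linux-gnu/libssl.so.3"}},
		{"libgcrypt20", "1.8.7", []string{"/usr/lib/x86_64-linux-gnu/libgcrypt.so.20"}},
		{"busybox", "1.35.0", []string{"/bin/busybox"}},
		{"sqlite3", "3.27.2", []string{"/usr/lib/x86_64-linux-gnu/libsqlite3.so.0"}},
	}
}

// SampleUsedFiles stands in for the file-open events an eBPF sensor would
// record while the container serves traffic (constructed for this example).
func SampleUsedFiles() map[string]bool {
	return map[string]bool{
		"/usr/local/bin/redis-server":           true,
		"/lib/x86_64-linux-gnu/libc.so.6":       true,
		"/usr/lib/x86_64-linux-gnu/libssl.so.3": true,
	}
}

// SampleVulns binds the deck's three CVEs to their packages and adds one
// placeholder finding (CVE-EXAMPLE-0001 is not a real CVE) on a loaded package.
func SampleVulns() []Vulnerability {
	return []Vulnerability{
		{"CVE-2022-28391", "busybox", "Critical"},
		{"CVE-2021-33560", "libgcrypt20", "High"},
		{"CVE-2019-8457", "sqlite3", "Critical"},
		{"CVE-EXAMPLE-0001", "openssl", "High"},
	}
}

// formatCounts renders a severity tally in a stable order for printing.
func formatCounts(m map[string]int) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	s := ""
	for _, k := range keys {
		s += fmt.Sprintf("%s=%d ", k, m[k])
	}
	return s
}

func main() {
	full := SampleVulns()
	relevant := RelevantVulns(full, FilterSBOM(SampleSBOM(), SampleUsedFiles()))
	fmt.Println("full image: ", formatCounts(CountBySeverity(full)))
	fmt.Println("relevant:   ", formatCounts(CountBySeverity(relevant)))
	for _, v := range relevant {
		fmt.Printf("  %s in %s (%s)\n", v.ID, v.Package, v.Severity)
	}
}
```

The three deck CVEs drop out because busybox, libgcrypt and sqlite3 are installed but never opened by the Redis process, which is exactly the Libgcrypt argument on the slides (present for APT/YUM signature checks, not loaded at deployment). The filter is only as good as the observation window: a library loaded lazily on a rarely exercised code path, or a binary invoked only by an operator's exec into the Pod, will not appear in the file-open events and its findings will be classed as not relevant, so filtered counts should be read as a prioritization aid rather than a proof of non-exploitability.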