- Cloud Native Security: Attack and Defense Practice and System Construction (云原生安全:攻防實踐與體系構建)
- Liu Wenmao, Jiang Guolong, Pu Ming, Ruan Bonan, Ye Xiaohu (劉文懋 江國龍 浦明 阮博男 葉曉虎)
- 2021-11-04 18:12:36
4.3.4 Vulnerability Fix
The official patch for this vulnerability [1] is easy to follow: the API Server now checks the response returned by the backend server (for example, the Kubelet) before proxying:
```go
// determine the http response code from the backend by reading from rawResponse+backendConn
rawResponseCode, headerBytes, err := getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn))
//...
if rawResponseCode != http.StatusSwitchingProtocols {
	// If the backend did not upgrade the request, finish echoing the response from the backend to the client and return, closing the connection.
	glog.V(6).Infof("Proxy upgrade error, status code %d", rawResponseCode)
	_, err := io.Copy(requestHijackedConn, backendConn)
	if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
		glog.Errorf("Error proxying data from backend to client: %v", err)
	}
	// Indicate we handled the request
	return true
}
//...

// getResponseCode reads a http response from the given reader, returns the status code,
// the bytes read from the reader, and any error encountered
func getResponseCode(r io.Reader) (int, []byte, error) {
	rawResponse := bytes.NewBuffer(make([]byte, 0, 256))
	// Save the bytes read while reading the response headers into the rawResponse buffer
	resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil)
	if err != nil {
		return 0, nil, err
	}
	// return the http status code and the raw bytes consumed from the reader in the process
	return resp.StatusCode, rawResponse.Bytes(), nil
}
```
The added logic checks whether the backend's response code equals http.StatusSwitchingProtocols (status code 101). If it does not, the handler returns immediately and the connection is closed; only when the codes match is the proxy channel established.
As a result, the attacker's first step, a deliberately malformed call to /api/v1/namespaces/{namespace}/pods/{pod}/exec intended to open a channel to the Kubelet, fails, and the rest of the attack cannot proceed.
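To make the decision concrete, here is an added, self-contained Go example (not code from the book or from Kubernetes) that reproduces the shape of the patched check against two constructed backend replies: a genuine 101 upgrade and a 400 error of the kind a malformed exec request would provoke. The function names `getResponseCode` and `decideUpgrade` and both sample responses are assumptions made for this illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample backend responses (not captured from a real Kubelet).
// sampleUpgraded is what a backend sends when the exec/attach upgrade succeeds;
// sampleRejected is an error reply to a malformed exec request.
const (
	sampleUpgraded = "HTTP/1.1 101 Switching Protocols\r\n" +
		"Connection: Upgrade\r\n" +
		"Upgrade: SPDY/3.1\r\n\r\n"
	sampleRejected = "HTTP/1.1 400 Bad Request\r\n" +
		"Content-Type: text/plain\r\n" +
		"Content-Length: 22\r\n\r\n" +
		"missing command param\n"
)

// getResponseCode follows the shape of the helper added by the patch: it parses the
// status line and headers from r and returns the status code together with the bytes
// consumed from r while parsing, which a proxy still needs if it forwards the reply.
func getResponseCode(r io.Reader) (int, []byte, error) {
	raw := bytes.NewBuffer(make([]byte, 0, 256))
	resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, raw)), nil)
	if err != nil {
		return 0, nil, err
	}
	return resp.StatusCode, raw.Bytes(), nil
}

// decideUpgrade is the patched decision: the proxy hands the raw connection to the
// client only when the backend actually switched protocols. Before the fix the
// connection was handed over regardless of the code, which is what the flaw relied on.
func decideUpgrade(backend io.Reader) (proxyOK bool, code int, err error) {
	code, _, err = getResponseCode(backend)
	if err != nil {
		return false, 0, err
	}
	return code == http.StatusSwitchingProtocols, code, nil
}

func main() {
	samples := map[string]string{"upgraded": sampleUpgraded, "rejected": sampleRejected}
	for name, sample := range samples {
		ok, code, err := decideUpgrade(strings.NewReader(sample))
		fmt.Printf("%-8s status=%d proxy=%t err=%v\n", name, code, ok, err)
	}
}
```

Running it with `go run` prints one line per sample: the 101 reply is allowed through to the hijacked client connection, while the 400 reply is not, and an unparsable reply is treated as a failure rather than silently proxied.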
CVE-2018-1002105 is one of the rare critical vulnerabilities in cloud-native environments, with a CVSS 3.x score of 9.8; by comparison, the widely discussed runC vulnerability of 2019, CVE-2019-5736, scored only 8.6 on CVSS 3.x, which shows how serious it is. A vulnerability like this can, at best, leak data and, at worst, allow an attacker to take over the cluster.
Even more noteworthy is that the vulnerability is triggered entirely at the RESTful API layer, so its behavioural signature is not obvious and investigating it from logs is difficult. Therefore, beyond applying patches promptly, how to effectively detect the exploitation of this kind of stealthy cloud-native vulnerability, or more broadly, how to build an effective API anomaly detection system for cloud-native environments, is a question that cloud security practitioners need to consider seriously.
[1] https://github.com/kubernetes/kubernetes/pull/71412/commits/b84e3dd6f80af4016acfd891ef6cc50ce05d4b5b