k8s安全测评毛病:SSL/TLS协议信息泄漏毛病(CVE-2016-2183)
一、题目复现毛病详细信息:
https://img-blog.csdnimg.cn/direct/5b7ea36550374d4081d69ffb14f4b153.png
毛病概况:
https://img-blog.csdnimg.cn/direct/0254c898f23f4b18af1aaf7c0fd0366e.png
毛病原因:
k8s组件使用了IDEA、DES和3DES等算法,修改设置文件禁用上述算法即可。
复现方法:
服务器上安装nmap:
#官网下载:https://nmap.org/dist/nmap-7.93-1.x86_64.rpm,上传后安装:
rpm -ivh nmap-7.93-1.x86_64.rpm
#执行检测
nmap --script ssl-enum-ciphers -p 10250 10.165.3.45
Nmap scan report for yfdxvm000003164.novalocal (10.165.3.45)
Host is up (0.000066s latency).
PORT STATE SERVICE
10250/tcp openunknown
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| cipher preference: server
|_least strength: C
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds 扫描结果重点关注warnings,64-bit block cipher 3DES vulnerable to SWEET32 attack,毛病修复成功则没有该项提示。
二、毛病修复
k8s主节点:
etcd修复:
修改设置文件/etc/kubernetes/manifests/etcd.yaml,增加如下设置:
--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
增加后的截图:
https://img-blog.csdnimg.cn/direct/4ec975c298ce470587eb02847598d396.png
增加后etcd毛病即修复成功
nmap --script ssl-enum-ciphers -p 2380 10.165.3.45
可以看到没有了warnings这项了
kube-apiserver修复:
修改设置文件/etc/kubernetes/manifests/kube-apiserver.yaml,增加一行:
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
如图所示:
https://img-blog.csdnimg.cn/direct/5bd12909211945ddb16024f5a56f9a6d.png
增加后kube-apiserver毛病即修复成功
nmap --script ssl-enum-ciphers -p 6443 10.165.3.45
可以看到没有了warnings这项了
修复kubelet:
修改设置文件/var/lib/kubelet/config.yaml,增加一行设置:
tlsCipherSuites:
如图所示:
https://img-blog.csdnimg.cn/direct/bf95d184b8c344a4817c82ec73fe2356.png
重启服务:
systemctl restart kubelet
在执行检查
nmap --script ssl-enum-ciphers -p 10250 10.165.3.45
可以看到没有了warnings这项了
k8s从节点:
只须要修复最后一项即可
修复kubelet:
修改设置文件/var/lib/kubelet/config.yaml,增加一行设置:
tlsCipherSuites:
如图所示:
https://img-blog.csdnimg.cn/direct/bf95d184b8c344a4817c82ec73fe2356.png
重启服务:
systemctl restart kubelet
在执行检查
nmap --script ssl-enum-ciphers -p 10250 10.165.3.45
可以看到没有了warnings这项了
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]