Docker Remote 未授权访问漏洞修复方法
Docker Remote 未授权访问漏洞修复方法一、漏洞介绍攻击者通过此漏洞⽆需认证即可访问到Docker数据可能导致敏感信息泄露⿊客也可以删除 Docker上的数据,直接访问宿主机上的敏感 信息或对敏感⽂件进⾏修改。二、漏洞原因docker服务开启了远程访问端口配置dockerd-Htcp://0.0.0.0:2375-Hunix://var/run/docker.sock三、漏洞复现可通过docker命令直接查看容器信息等其他操作docker-Htcp://漏洞docker-ip:2375ps四、漏洞解决本篇主要介绍启用 TLS 认证使用 --tlsverify 等选项这一方式。证书文件生成部分比较繁琐按照以下步骤一步一步做即可1. 创建证书目录并进入执行mkdir-p/etc/docker/certscd/etc/docker/certs2. 生成 CA 私钥不使用密码避免交互执行openssl genrsa-outca-key.pem4096输出Generating RSA private key,4096bit long modulus...................................................................................................... e is65537(0x10001)[rootlocalhost certs]#3. 生成 CA 证书自动填写信息静默完成执行openssl req-new-x509-days3650-keyca-key.pem-sha256-outca.pem-subj/CCN/STBeijing/LBeijing/ODocker/OUCA/CNMyDockerCA输出[rootlocalhost certs]# lsca-key.pem ca.pem4. 生成服务端私钥执行openssl genrsa-outserver-key.pem4096输出Generating RSA private key,4096bit long modulus............................................................................................................................................................................................................ e is65537(0x10001)5. 生成服务端证书请求CSRCN 写你的 Docker 宿主机 IP请把下面的 192.168.1.100 替换成你的真实 IP执行openssl req-subj/CN192.168.247.200-sha256-new-keyserver-key.pem-outserver.csr6. 创建服务端证书扩展文件支持多个访问地址执行catextfile-server.cnfEOF subjectAltName DNS:localhost,IP:192.168.1.100,IP:127.0.0.1 extendedKeyUsage serverAuth EOF注意上面的 192.168.1.100 请替换为你的真实 IP7. 签发服务端证书执行openssl x509-req-days365-sha256-inserver.csr-CAca.pem-CAkeyca-key.pem-CAcreateserial-outserver-cert.pem-extfileextfile-server.cnf输出Signature oksubject/CN192.168.1.100 Getting CA Private Key8. 生成客户端私钥执行openssl genrsa-outkey.pem4096输出Generating RSA private key,4096bit long modulus...................................................................................................................... e is65537(0x10001)9. 生成客户端证书请求执行openssl req-subj/CNclient-new-keykey.pem-outclient.csr无输出10. 创建客户端证书扩展文件执行catextfile-client.cnfEOF extendedKeyUsage clientAuth EOF11. 签发客户端证书执行openssl x509-req-days365-sha256-inclient.csr-CAca.pem-CAkeyca-key.pem-CAcreateserial-outcert.pem-extfileextfile-client.cnf输出Signature oksubject/CNclient Getting CA Private Key全部文件[rootlocalhost certs]# lltotal44-rw-r--r--.1root root3243Apr2401:51 ca-key.pem -rw-r--r--.1root root2004Apr2401:52 ca.pem -rw-r--r--.1root root17Apr2401:53 ca.srl -rw-r--r--.1root root1814Apr2401:53 cert.pem -rw-r--r--.1root root1582Apr2401:53 client.csr -rw-r--r--.1root root30Apr2401:53 extfile-client.cnf -rw-r--r--.1root root93Apr2401:52 extfile-server.cnf -rw-r--r--.1root root3243Apr2401:53 key.pem -rw-r--r--.1root root1874Apr2401:53 server-cert.pem -rw-r--r--.1root root1594Apr2401:52 server.csr -rw-r--r--.1root root3243Apr2401:52 server-key.pem12. 删除临时文件执行rm-vclient.csr server.csr extfile-server.cnf extfile-client.cnf输出rm: remove regularfile‘client.csr’? y removed ‘client.csr’ rm: remove regularfile‘server.csr’? y removed ‘server.csr’ rm: remove regularfile‘extfile-server.cnf’? y removed ‘extfile-server.cnf’ rm: remove regularfile‘extfile-client.cnf’? y removed ‘extfile-client.cnf’13. 设置私钥权限仅所有者可读chmod0400 ca-key.pem server-key.pem key.pemchmod0444 ca.pem server-cert.pem cert.pem14. 查看生成的文件最终文件[rootlocalhost certs]# lltotal28-r--------.1root root3243Apr2401:51 ca-key.pem -r--r--r--.1root root2004Apr2401:52 ca.pem -rw-r--r--.1root root17Apr2401:53 ca.srl -r--r--r--.1root root1814Apr2401:53 cert.pem -r--------.1root root3243Apr2401:53 key.pem -r--r--r--.1root root1874Apr2401:53 server-cert.pem -r--------.1root root3243Apr2401:52 server-key.pem至此证书TLS相关操作已完成接下来配置docker参数15. docker配置文件添加配置/etc/docker/daemon.json (没有就新建) 添加以下配置{tlsverify:true,tlscacert:/etc/docker/certs/ca.pem,tlscert:/etc/docker/certs/server-cert.pem,tlskey:/etc/docker/certs/server-key.pem}16. 重启dockersystemctl daemon-reload systemctl restartdocker17. 验证找一台其它docker机器远程访问一下目标docker即可或者浏览器直接输入192.168.1.100:2375/info浏览器会输出Client sent an HTTP request to an HTTPS server.正确访问方式docker--tlsverify--tlscacert/etc/docker/certs/ca.pem--tlscert/etc/docker/certs/cert.pem--tlskey/etc/docker/certs/key.pem-Htcp://172.28.112.143:2375 version证书文件正确的话可以正常输出信息否则输出Client sent an HTTP request to an HTTPS server.