gcloud-gke-secrets-encryption-disabled: GKE Clusters Without Application-Layer Secrets Encryption

Date: 2025-08-01 | Affected software: gcloud-gke-secrets | PoC: public

Vulnerability description

Ensure that encryption of Kubernetes secrets with Customer-Managed Keys (CMKs) is enabled for your Google Kubernetes Engine (GKE) clusters. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key managed using the Cloud KMS service, providing an additional layer of security for sensitive data.

PoC code [public]

id: gcloud-gke-secrets-encryption-disabled

info:
  name: GKE Clusters Without Application-Layer Secrets Encryption
  author: princechaddha
  severity: high
  description: |
    Ensure that encryption of Kubernetes secrets with Customer-Managed Keys (CMKs) is enabled for your Google Kubernetes Engine (GKE) clusters. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key managed using the Cloud KMS service, providing an additional layer of security for sensitive data.
  impact: |
    Without application-layer secrets encryption enabled, sensitive data stored in Kubernetes secrets is not protected against attackers who gain access to etcd backups or offline copies, potentially exposing confidential information.
  remediation: |
    Enable application-layer secrets encryption for your GKE clusters using Cloud KMS Customer-Managed Keys (CMKs):
    gcloud container clusters update CLUSTER_NAME --database-encryption-key=projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY
  reference:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-application-layer-secrets-encryption.html
  tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,encryption,secrets,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let cluster of iterate(template.clusters)){
      cluster = JSON.parse(cluster)
      set("clusterName", cluster.name)
      set("location", cluster.location)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters list --project $projectId --format="json(name,location)"

    extractors:
      - type: json
        name: clusters
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters describe $clusterName --location $location --project $projectId --format="yaml(databaseEncryption.keyName,conditions)"

    matchers:
      - type: word
        words:
          - "null"

    extractors:
      - type: dsl
        dsl:
          - '"GKE cluster " + clusterName + " in " + location + " of project " + projectId + " does not have application-layer secrets encryption enabled"'
# digest: 490a0046304402202771045ec2b4bbcbf932e03260b3e82aea3dd85078ff66c68cd5b58344a6d71e02207cdb11f9726d133062f33cdcce264536a1e9861c70ad6e12b2b573c5d482f2ea:922c64590222798bb761d5b6d8e72950
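The template above flags a cluster whenever the word "null" appears in the describe output. The following added example (not part of the template or of the Nuclei project) applies the same rule offline to the JSON that gcloud emits for a cluster, but decides on the documented databaseEncryption.state and keyName fields instead of a substring match, so a "null" inside the conditions list cannot produce a false positive; the sample cluster records and the project/key names in them are constructed.

```python
"""Evaluate GKE application-layer secrets encryption from gcloud JSON output."""
import json
import subprocess
from typing import Optional

def secrets_encryption_finding(cluster: dict) -> Optional[str]:
    """Return a finding if the cluster lacks CMEK secrets encryption, else None."""
    enc = cluster.get("databaseEncryption") or {}
    # GKE reports state DECRYPTED (or omits the block) when encryption is off
    state = enc.get("state", "DECRYPTED")
    key = enc.get("keyName")
    if state == "ENCRYPTED" and key:
        return None
    return (f"GKE cluster {cluster['name']} in {cluster['location']} "
            f"does not have application-layer secrets encryption enabled "
            f"(state={state}, keyName={key})")

def audit(clusters: list) -> list:
    """Collect findings for every cluster record in the list."""
    return [f for f in map(secrets_encryption_finding, clusters) if f]

def list_clusters(project_id: str) -> list:
    """Live variant: `clusters list` already returns databaseEncryption,
    so one call per project replaces the per-cluster describe in code(3)."""
    out = subprocess.run(
        ["gcloud", "container", "clusters", "list", "--project", project_id,
         "--format=json(name,location,databaseEncryption)"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

# Constructed sample records (not captured from a real project)
SAMPLE = json.loads("""[
 {"name": "prod-a", "location": "us-central1",
  "databaseEncryption": {"state": "ENCRYPTED",
   "keyName": "projects/example-proj/locations/us-central1/keyRings/gke/cryptoKeys/secrets"}},
 {"name": "dev-b", "location": "us-central1-c",
  "databaseEncryption": {"state": "DECRYPTED"},
  "conditions": [{"code": "GCE_STOCKOUT", "message": "null"}]},
 {"name": "legacy-c", "location": "europe-west1"}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```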