漏洞描述
Checks if the etcd-certfile and etcd-keyfile arguments are properly set in the etcd server configuration, crucial for secure communication.
k8s-etcd-files-set: Ensure etcd cert and key set
PoC代码[已公开]
id: k8s-etcd-files-set
info:
name: Ensure etcd cert and key set
author: princechaddha
severity: medium
description: Checks if the etcd-certfile and etcd-keyfile arguments are properly set in the etcd server configuration, crucial for secure communication.
impact: |
If the etcd-certfile and etcd-keyfile arguments are not set, the etcd server might not encrypt its communications, potentially allowing unauthorized access to sensitive data.
remediation: |
Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted.
reference:
- https://etcd.io/docs/v3.4.0/op-guide/security/
tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security
variables:
argument: "etcd-certfile or etcd-keyfile"
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=etcd -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'etcd'
- type: word
words:
- "etcd-certfile"
- "etcd-keyfile"
negative: true
extractors:
- type: dsl
dsl:
- '"etcd server configuration is missing the " + argument + " arguments."'
# digest: 490a004630440220126894673e4731b91a0632913a7df5dbc3fd7db4beccdfa271ea70a8532046f0022078b3ed9498dd7c6cfe40608b955acdff647a7bd87e4e64177d065cf1e232c890:922c64590222798bb761d5b6d8e72950