Common Oops in DevOps
DevOps missing security manual
Vlatko Kosturjak (@k0st), FSEC, Varaždin, 15th of September
Agenda
- Introduction
- Secure communication
- Development
- Deployment
- Configuration
- Passwords
- Summary
- Questions and answers
45 minutes
About me
- Security Consultant in Diverto
- Open source (security) developer
- Have code in OpenVAS, Nmap, Metasploit, ...
- https://github.com/kost
- Securing DevOps
- Helping clients in DevOps security
- Having fun finding problems
Introduce elephant
- Talk will cover
- Common mistakes
- development
- deployments
- continuos integration
- password and/or secret management
- Talk is NOT
- comprehensive security manual
- applicable to any DevOps case, YMMV
Secure Communication
- Don't use plain e-mail for sensitive information exchange
- Do use
- SMIME
- PGP/GnuPG
- How about team collaboration tools?
- Slack
- Your destiny is tied to their destiny :)
- Slack got hacked
- https://slack.com/security
Security requirements
- Define your security requirements upfront
- Ask yourself
- What do I want to achieve?
- Be mindful - There's no 100% protection
- How contract should look like for security?
- OWASP Secure Software Contract Annex
- https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
- How my security requirements should look like?
- OWASP Application Security Verification Standard (ASVS)
- https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Git awareness
- Commit author and e-mail can be impersonated
- You can change to be anyone
- You still need credentials to push, but merge request is fun :)
- git config --global user.name "HD Moore"
- git config --global user.email hd_moore@rapid7.com
- Hooks
- do not blindly copy hooks from others :)
- .git/hooks/post-checkout
- .git/hooks/post-commit
Github Data Scraping
- Creating realworld wordlists from github hosted data
- References
- All directories found inside of github projects
- All files found inside of github projects
- All usernames found from email addresses
- Passwords found within github projects
- static salts found within github projects
- References
Issue Scraping
- open source trackers hold potential 0-days
- just need to find correct ones
- security issues are reported and public
- Simple Example
- scrape issues and find GDB dump where EIP is 0x41414141
- References
- https://github.com/jfoote/vulture
- Analyzes open source bug trackers for interesting vulnerabilities
Issue Scraping
Issue Recommendations
- Security issues should be private until fixed
- Regular practice
- E-mail with details
- security@my-email-domain.com
- References
Internal or your own repo
- Nasty RCEs
- GitList
- Gitlab
- 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
- https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/
Middleware
- Open application server consoles
- deploy own code
- Easy passwords on application server consoles
- tomcat/tomcat? :)
- deploy own code
- It works for almost all consoles
- JBoss, Tomcat, Weblogic, Websphere, ...
- References
Be careful how you deploy
- Data files
- Insecure object references
- Backup files
- bak
- filename~
- DVCS files
- .git
- .svn
Source code ripping - easy
- Easy if directory browsing enabled
mkdir git-test
cd git-test
wget --mirror --include-directories=/.git http://www.target.com/.git
cd www.target.com
git reset --hardState of Source code ripping
- When directory browsing is disabled
| DVCS | Info | Source |
|---|---|---|
| CVS | yes | no |
| SVN | yes | mostly |
| Git | yes | mostly |
| Mercurial (hg) | yes | yes |
| Bazaar (bzr) | yes | yes |
Source Ripping tools
- DVCS-Pillage
- https://github.com/evilpacket/DVCS-Pillage
- by Adam Baldwin
- supports almost all DVCSs
- DVCS ripper
- https://github.com/kost/dvcs-ripper
- by me :)
- supports almost all DVCSs
- fast and most feature packed :)
- able to cache HTTP requests in redis
- packed refs support
Source Code recommendations
- Prevent Serving from web server
<DirectoryMatch .svn>
Order allow,deny
Deny from all
</DirectoryMatch>- find /web -name .svn
- find /web -name .git
- Config.php vs config.php-dist
Vagrant
- wrapper around VirtualBox, VMware and KVM
- provision virtual machines quickly
- mostly used by developers
- complete development environment
- deterministic results
- References
Vagrant common problems
- default credentials
- root/vagrant
- vagrant/vagrant
- default SSH keys
- private SSH key
Vagrant recommendations
- Change default credentials
- root/vagrant
- vagrant/vagrant
- Change default SSH keys
- private SSH key
Docker
- Stay tuned for next lecture
Jenkins
- No authentication
- easy to get remote code execution
- exploit/multi/http/jenkins_script_console
- Local authentication
- register as new user
- get access to script console
- /view/All/newJob => new build => run
Jenkins
- Implement authentication
- Rework ACLs
Few other things
- Elasticsearch
- RCE on below 1.2.0
- Redis
- no authentication
- no encryption
- Cassandra
- my lecture on FSEC 2012
- https://nmap.org/nsedoc/lib/cassandra.html
Secret management solutions
- Keywhiz
- Alpha development quality
- using mTLS with a client certificate
- https://square.github.io/keywhiz/
- Vault
- More complete tool to manage secrets
- https://www.vaultproject.io/
- https://hashicorp.com/blog/vault.html
- Downsides
- If it gets owned, everything is compromised!
Summary
- History repeats itself
- Common fails are not rocket science
- Nothing spectacular
- Basic security things
- Automatization
- You can automate parts of DevOps Security
- Still some manual parts