rancher / rke

Rancher Kubernetes Engine (RKE), an extremely simple, lightning fast Kubernetes distribution that runs entirely within containers.
Apache License 2.0

Kubernetes etcd vulnerability (Ports 2380) 64-bit block cipher 3DES vulnerable to SWEET32 attack #2451

Closed RoysyLee closed 3 years ago

RoysyLee commented 3 years ago

RKE version: v1.2.4

Rancher v2.5.5 k8s v1.19.4

Docker version

19.3.14

Operating system and kernel:

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Kernel: 4.15.0-118-generic

Type/provider of hosts:

Virtual machines hosted by an infrastructure provider

cluster.yml file:

Steps to Reproduce:

  1. Have Rancher launch a downstream k8s cluster
  2. SSH to an etcd node
  3. Run "nmap --script ssl-enum-ciphers.nse localhost -p 2379"

Results:


Starting Nmap 7.60 ( https://nmap.org ) at 2021-02-04 17:35 KST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): 127.0.1.1 ::1

PORT     STATE SERVICE
2379/tcp open  etcd-client
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

Are there any plans to disable those ciphers?! If not, how can I disable those ciphers in RKE? I set up the RKE k8s cluster through Rancher!

superseb commented 3 years ago

Related issues https://github.com/rancher/rancher/issues/27059/ / https://github.com/etcd-io/etcd/issues/8320 / https://github.com/etcd-io/etcd/issues/10304

You can configure this using extra_args to the etcd service. We'll discuss internally if we want to divert from upstream and make this more strict by default.
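The following script is an added example, not code from the rke project or from either commenter. It ties together the two practical points in this thread: the nmap check from the reproduction steps, and the `extra_args` route superseb points to. It filters an `ssl-enum-ciphers` report for 64-bit block cipher suites (the ones SWEET32 applies to) and emits the `cluster.yml` fragment that pins etcd to AEAD suites only. Assumptions: etcd's `--cipher-suites` flag (which RKE passes through as `services.etcd.extra_args`) accepts a comma-separated list of Go `crypto/tls` suite names; the list below is a conservative choice for the RSA certificates RKE issues, so confirm the names against the etcd and Go versions your RKE release ships before running `rke up`. The sample report is copied from the scan output above and embedded so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not rke's own code): audit an nmap ssl-enum-ciphers report for
# SWEET32-affected suites and emit the RKE cluster.yml fragment that removes them.
# Assumption: etcd's --cipher-suites flag takes Go crypto/tls suite names.
set -eu

# Sample report, copied from the issue above (constructed input for offline use).
SAMPLE_SCAN='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C'

# Print every suite name in an ssl-enum-ciphers report (stdin) that uses a
# 64-bit block cipher: 3DES, single DES, RC2 or IDEA. Prints nothing if clean.
weak_suites() {
  grep -oE 'TLS_[A-Z0-9_]+' | grep -E '3DES|_DES_|RC2|IDEA' || true
}

# Exit status 0 when the report on stdin still offers a weak suite, 1 otherwise,
# so the check can gate a pipeline step.
has_weak_suites() {
  [ -n "$(weak_suites)" ]
}

# Suites to keep: forward-secret AEAD suites for RSA certificates, spelled as
# Go's crypto/tls names them (assumed accepted by etcd's --cipher-suites).
ALLOWED_SUITES='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Emit the cluster.yml fragment that pins etcd to ALLOWED_SUITES via extra_args.
etcd_extra_args_yaml() {
  cat <<EOF
services:
  etcd:
    extra_args:
      cipher-suites: "${ALLOWED_SUITES}"
EOF
}

# Demo on the embedded sample. After applying the fragment and running rke up,
# pipe a fresh report instead, e.g.:
#   nmap --script ssl-enum-ciphers -p 2379,2380 <etcd-node> | weak_suites
echo "Weak suites in sample report:"
printf '%s\n' "$SAMPLE_SCAN" | weak_suites
echo
echo "cluster.yml fragment:"
etcd_extra_args_yaml
```

Scan port 2380 (the peer port) as well as 2379 after the change: etcd applies `--cipher-suites` to both listeners, and the issue title names the peer port while the reproduction only scans the client port.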