
Kubernetes etcd vulnerability (Ports 2380) 64-bit block cipher 3DES vulnerable to SWEET32 attack #2451

Closed
RoysyLee opened this issue Feb 4, 2021 · 1 comment

Comments

@RoysyLee

RoysyLee commented Feb 4, 2021

RKE version: v1.2.4

Rancher v2.5.5
k8s v1.19.4

Docker version

19.3.14

Operating system and kernel:

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
4.15.0-118-generic

Type/provider of hosts:

Virtual machines hosted by an infrastructure provider

cluster.yml file:

Steps to Reproduce:

  1. Have Rancher launch a downstream k8s cluster
  2. ssh to an etcd node
  3. Run "nmap --script ssl-enum-ciphers.nse localhost -p 2379"

Results:


Starting Nmap 7.60 ( https://nmap.org ) at 2021-02-04 17:35 KST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): 127.0.1.1 ::1

PORT     STATE SERVICE
2379/tcp open  etcd-client
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

Are there any plans to disable those ciphers?!
If not, how can I disable those ciphers in RKE?
I set up the RKE k8s cluster through Rancher!

@superseb
Contributor

superseb commented Feb 4, 2021

Related issues: rancher/rancher#27059 / etcd-io/etcd#8320 / etcd-io/etcd#10304

You can configure this using extra_args to the etcd service. We'll discuss internally if we want to divert from upstream and make this more strict by default.

@superseb superseb closed this as completed Feb 4, 2021
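As an added example (not from this issue, RKE or etcd), a cluster.yml fragment that restricts etcd to the AEAD suites the scan above graded A by passing an explicit list through extra_args. It assumes etcd's --cipher-suites flag (available in etcd 3.3 and later) and that RKE renders each extra_args key as a --key=value flag on the etcd command line.

```yaml
services:
  etcd:
    extra_args:
      # Assumption: RKE turns this into --cipher-suites=... for the etcd process,
      # which applies to both the client (2379) and peer (2380) listeners.
      # Only suites named here are offered; the 3DES suites (64-bit block,
      # SWEET32) and the CBC / static-RSA suites are dropped by omission.
      cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
```

After `rke up`, re-run the nmap command from the report against 2379 and 2380: the 3DES lines and the SWEET32 warning should be gone, and every etcd client (kube-apiserver, RKE's own etcd tooling) must still share at least one of the listed suites.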