feat(veinmind-minio): CVE-2023-28432 (#213)

* feat(veinmind-minio): CVE-2023-28432

* feat(veinmind-minio): add doc pic

Author: DVKunion

.github/workflows/veinmind-build.yml

@@ -19,6 +19,7 @@ jobs:
           veinmind-vuln,
           veinmind-weakpass,
           veinmind-webshell,
+          veinmind-minio,
         ]
         path: [ ./plugins/go/ ]
         include:

.github/workflows/veinmind-package.yml

@@ -84,6 +84,10 @@ jobs:
         with:
           name: veinmind-basic-amd64
           path: ./
+      - uses: actions/download-artifact@v3
+        with:
+          name: veinmind-minio-amd64
+          path: ./
       - uses: actions/download-artifact@v3
         with:
           name: veinmind-runner-amd64
@@ -99,11 +103,12 @@ jobs:
           mv veinmind-iac_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-iac 
           mv veinmind-basic_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-basic
           mv veinmind-escalate_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-escalate  
+          mv veinmind-minio_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-minio  
           mv ./plugins/python/veinmind-history ./veinmind-history
           mv ./plugins/python/veinmind-backdoor ./veinmind-backdoor
           rm -rf ./veinmind-runner && mv veinmind-runner_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-runner
           chmod +x veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell veinmind-unsafe-mount veinmind-log4j2 veinmind-weakpass veinmind-iac veinmind-sensitive  veinmind-basic veinmind-escalate 
-          tar cvzf veinmind-runner.tar.gz veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell \
+          tar cvzf veinmind-runner.tar.gz veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell veinmind-minio \
           veinmind-unsafe-mount veinmind-log4j2 veinmind-weakpass veinmind-iac veinmind-sensitive  veinmind-basic veinmind-escalate \
           ./veinmind-history \
           ./veinmind-backdoor \

.github/workflows/veinmind-push.yml

@@ -60,6 +60,7 @@ jobs:
           veinmind-vuln,
           veinmind-weakpass,
           veinmind-webshell,
+          veinmind-minio,
         ]
         path: [ ./plugins/go/ ]
     name: ${{ matrix.plugin }}

docs/veinmind-minio/minio_scan_1.png

@@ -0,0 +1,15 @@
+FROM veinmind/go1.18:1.5.3-stretch as builder
+WORKDIR /build
+COPY .. .
+RUN make build
+
+FROM alpine:3.9 as compresser
+WORKDIR /build
+COPY --from=builder /build/veinmind-minio .
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && apk add upx && upx -9 veinmind-minio
+
+FROM veinmind/base:1.5.3-slim as release
+WORKDIR /tool
+COPY --from=compresser /build/veinmind-minio .
+RUN echo "#!/bin/bash\n\n./veinmind-minio \$*" > /tool/entrypoint.sh && chmod +x /tool/entrypoint.sh && chmod +x /tool/veinmind-minio
+ENTRYPOINT ["/tool/entrypoint.sh"]

docs/veinmind-minio/minio_scan_2.png

@@ -0,0 +1,44 @@
+.DEFAULT_GOAL := help
+
+# plugin params
+SHELL = /bin/bash
+APP = veinmind-minio
+CMD = cmd/cli.go
+ARG = ""
+
+# build params
+IMAGE_TAG = latest
+CI_GOOS = linux
+CI_GOARCH=$(shell uname -m)
+
+##@ Init
+.PHONY: deps
+deps: 	## Install Dependencies.
+	go env -w GOPROXY=https://goproxy.cn,direct && go mod tidy
+
+##@ Build
+.PHONY: build
+build: deps  ## Build Apps.
+	go build -ldflags '-s -w' -v -trimpath -a -o ${APP} ${CMD}
+
+.PHONY: build.platform
+build.platform: deps  ## Build Apps With Platform.
+	export CGO_ENABLED=1 GOOS="${CI_GOOS}" GOARCH="${CI_GOARCH}"; \
+	go build -ldflags '-s -w' -v -trimpath -a -o ${APP}_${CI_GOOS}_${CI_GOARCH} ${CMD}
+
+.PHONY: build.docker
+build.docker: ## Build Apps Docker Images.
+	docker build -t ${APP}:${IMAGE_TAG} .
+
+##@ Run
+.PHONY: run
+run: deps ## Run Apps. 			e.g. : `make run ARG="scan iac xxxx"` .
+	go run ${CMD} ${ARG}
+
+.PHONY: run.docker
+run.docker:	## Run With Parallel Container Mode. e.g. : `make run.docker ARG="scan iac xxxx"` .
+	docker run --rm -it --mount 'type=bind,source=/,target=/host,readonly,bind-propagation=rslave' -v `pwd`:/tool/data registry.veinmind.tech/veinmind/${APP} ${ARG}
+
+.PHONY: help
+help:
+	@awk 'BEGIN {FS = ":.*##"; printf "Usage: make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-\\.]+:.*?##/ { printf "  \033[36m%-10s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

docs/veinmind-minio/minio_scan_3.png

@@ -0,0 +1,92 @@
+# veinmind-minio  
+
+<p align="center">
+veinmind-minio  主要用于扫描 CVE-2023-28432 漏洞专项检查。
+</p>
+
+## 功能特性
+
+- 快速扫描容器/镜像中的minio CVE-2023-28432风险
+- 支持`JSON`/`CLI`/`HTML`等多种报告格式输出
+
+## 兼容性
+
+- linux/amd64
+- linux/386
+- linux/arm64
+- linux/arm
+
+## 使用方式
+
+### 基于可执行文件
+
+请先安装`libveinmind`，安装方法可以参考[官方文档](https://github.com/chaitin/libveinmind)
+#### Makefile 一键命令
+
+```
+make run ARG="scan xxx"
+```
+#### 自行编译可执行文件进行扫描
+
+编译可执行文件
+```
+make build
+```
+运行可执行文件进行扫描
+```
+chmod +x veinmind-minio && ./veinmind-minio scan xxx 
+```
+### 基于平行容器模式
+确保机器上安装了`docker`以及`docker-compose`
+#### Makefile 一键命令
+```
+make run.docker ARG="scan xxxx"
+```
+#### 自行构建镜像进行扫描
+构建`veinmind-minio`镜像
+```
+make build.docker
+```
+运行容器进行扫描
+```
+docker run --rm -it --mount 'type=bind,source=/,target=/host,readonly,bind-propagation=rslave' veinmind-minio scan xxx
+```
+
+## 使用参数
+
+1.指定镜像名称或镜像ID并扫描 (需要本地存在对应的镜像)
+
+```
+./veinmind-minio scan image [imageID/imageName]
+```
+![](../../../docs/veinmind-minio/minio_scan_1.png)
+2.扫描所有本地镜像
+
+```
+./veinmind-minio scan image
+```
+
+3.指定容器名称或容器ID并扫描
+
+```
+./veinmind-minio scan container [containerID/containerName]
+```
+![](../../../docs/veinmind-minio/minio_scan_2.png)
+4.扫描所有本地容器
+
+```
+./veinmind-minio scan container
+```
+
+5.指定输出格式
+支持的输出格式：
+- html
+- json
+- cli（默认）
+```
+./veinmind-minio scan container [containerID/containerName] -f html
+```
+生成的result.html效果如图：
+
+![](../../../docs/veinmind-minio/minio_scan_3.png)
+

plugins/go/veinmind-minio/Dockerfile

@@ -0,0 +1,159 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	api "github.com/chaitin/libveinmind/go"
+	"github.com/chaitin/libveinmind/go/cmd"
+	"github.com/chaitin/libveinmind/go/plugin"
+	"github.com/chaitin/veinmind-common-go/service/report"
+	"github.com/chaitin/veinmind-common-go/service/report/event"
+	"github.com/chaitin/veinmind-tools/plugins/go/veinmind-minio/pkg/scanner"
+)
+
+var reportService = &report.Service{}
+var rootCmd = &cmd.Command{}
+
+var scanCmd = &cmd.Command{
+	Use: "scan",
+}
+
+var scanImageCmd = &cmd.Command{
+	Use:   "image",
+	Short: "scan image command",
+}
+
+var scanContainerCmd = &cmd.Command{
+	Use:   "container",
+	Short: "scan container command",
+}
+
+var ReferencesURLList = []string{
+	"https://mp.weixin.qq.com/s/JgskenAZ6Cpecoe2k2AEjQ",
+	"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
+	"https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q",
+}
+
+// scanImage is func that used to do some action with Images
+// you can write your plugin scan code here
+func scanImage(c *cmd.Command, image api.Image) error {
+	// do something here
+	res, err := scanner.ScanImage(image)
+	if err != nil {
+		return err
+	}
+
+	if res.Version != "" {
+		// if you want display at runner report, you should send your result to report event
+		reportEvent := &event.Event{
+			BasicInfo: &event.BasicInfo{
+				ID:         image.ID(),
+				Object:     event.NewObject(image),
+				Time:       time.Now(),
+				Level:      event.Critical,
+				DetectType: event.Image,
+				EventType:  event.Risk,
+				AlertType:  event.Vulnerability,
+			},
+			DetailInfo: &event.DetailInfo{
+				AlertDetail: &event.VulnDetail{
+					ID:         "CVE-2023-28432",
+					Published:  time.Date(2023, 03, 23, 0, 0, 0, 0, time.Local),
+					Summary:    "Information Disclosure in Cluster Deployment",
+					Details:    "In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade ASAP.",
+					References: initReferences(),
+					Source: event.Source{
+						Type:     "go-binary",
+						FilePath: res.File,
+						Packages: event.AssetPackageDetail{
+							Name:    res.File,
+							Version: res.Version,
+						},
+					},
+				},
+			},
+		}
+		err := reportService.Client.Report(reportEvent)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// scanContainer is func that used to do some action with container
+// you can write your plugin scan code here
+func scanContainer(c *cmd.Command, container api.Container) error {
+	// do something here
+	res, err := scanner.ScanContainer(container)
+	if err != nil {
+		return err
+	}
+
+	if res.Version != "" {
+		reportEvent := &event.Event{
+			BasicInfo: &event.BasicInfo{
+				ID:         container.ID(), // container id info
+				Object:     event.NewObject(container),
+				Time:       time.Now(),      // report time, usually use time.Now
+				Level:      event.Critical,  // report event level
+				DetectType: event.Container, // report scan object type
+				EventType:  event.Risk,
+				AlertType:  event.Vulnerability,
+			},
+			DetailInfo: &event.DetailInfo{
+				AlertDetail: &event.VulnDetail{
+					ID:         "CVE-2023-28432",
+					Published:  time.Date(2023, 03, 23, 0, 0, 0, 0, time.Local),
+					Summary:    "Information Disclosure in Cluster Deployment",
+					Details:    "In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade ASAP.",
+					References: initReferences(),
+					Source: event.Source{
+						Type:     "go-binary",
+						FilePath: res.File,
+						Packages: event.AssetPackageDetail{
+							Name:    res.File,
+							Version: res.Version,
+						},
+					},
+				},
+			},
+		}
+		err := reportService.Client.Report(reportEvent)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func initReferences() (res []event.References) {
+	for _, value := range ReferencesURLList {
+		tmpRef := event.References{
+			Type: "URL",
+			URL:  value,
+		}
+		res = append(res, tmpRef)
+	}
+	return res
+}
+
+func init() {
+	rootCmd.AddCommand(scanCmd)
+	scanCmd.AddCommand(report.MapReportCmd(cmd.MapImageCommand(scanImageCmd, scanImage), reportService))
+	scanCmd.AddCommand(report.MapReportCmd(cmd.MapContainerCommand(scanContainerCmd, scanContainer), reportService))
+	rootCmd.AddCommand(cmd.NewInfoCommand(plugin.Manifest{
+		Name:        "veinmind-minio",
+		Author:      "veinmind-team",
+		Description: "veinmind-minio scan CVE-2023-28432 risk in images/containers",
+	}))
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}