Brother
Security analysis of container environments has revealed real risks in the supply chain.
Leading cybersecurity experts have expressed concerns about publicly available Kubernetes configuration secrets, which could threaten the security of many organizations' supply chains. The companies affected include two leading blockchain companies, whose names are not disclosed for security reasons, as well as various Fortune 500 companies.
Researchers at Aqua Security reported that Kubernetes Secret manifests, in which the secret data is only base64-encoded rather than encrypted, had been uploaded to public repositories. The data for the study was gathered through the GitHub API by searching for records containing secrets of the "dockerconfigjson" and "dockercfg" types. These files store credentials for accessing container image registries.
The analysis revealed that of 438 records potentially containing valid registry credentials, 203 (about 46%) held credentials that were still valid and granted access to the registries. The researchers emphasized that in most cases these credentials allowed both pulling and pushing images.
When evaluating the strength of the credentials, the experts found that 93 of the 438 passwords had been set manually, while the remaining 345 were machine-generated. Almost 50% of those 93 human-chosen passwords were weak, including the following: password, test123456, windows12, ChangeMe, dockerhub, and others.
The researchers' finding underscores the need for organizations to tighten their security policies and require employees to follow much stricter rules when creating passwords.
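The decoding and password check described above, as an added example that is not part of the original post and not Aqua's own tooling. It works on Secret manifests in JSON form, embeds three constructed sample secrets with fake credentials (one of them a payload that does not decode to JSON, standing in for a secret encrypted before being committed), and the "generated" versus "human" triage is my own assumed heuristic, not the method Aqua used.

```python
import base64
import json
import re


def _b64(text: str) -> str:
    """Base64-encode a string the way Kubernetes stores Secret data."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample input (fake credentials): Secret manifests in JSON form,
# one of each type the study searched for, plus a payload that is not plain
# base64(JSON). A real audit would feed in files found through GitHub code
# search instead of these embedded objects.
SAMPLE_SECRETS = [
    {
        "kind": "Secret",
        "metadata": {"name": "regcred", "namespace": "prod"},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64(json.dumps({
            "auths": {"https://index.docker.io/v1/": {"auth": _b64("acme-ci:ChangeMe")}}
        }))},
    },
    {
        "kind": "Secret",
        "metadata": {"name": "legacy-pull", "namespace": "staging"},
        "type": "kubernetes.io/dockercfg",
        "data": {".dockercfg": _b64(json.dumps({
            "registry.example.internal": {
                "username": "deploy",
                "password": "m7Q2vXp9Lk4sRtY1wZ3bN8cF",
                "email": "deploy@example.com",
            }
        }))},
    },
    {   # Stands in for a secret encrypted with an external tool before commit.
        "kind": "Secret",
        "metadata": {"name": "sealed", "namespace": "prod"},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64("ENC[AES256_GCM,data:...]")},
    },
]

# Weak values reported in the study plus a few common defaults (assumed list).
WEAK_PASSWORDS = {"password", "test123456", "windows12", "changeme", "dockerhub", "admin", "123456"}


def extract_registry_credentials(secret):
    """Decode a Secret manifest into (registry, username, password) tuples.

    Returns [] for non-registry Secret types and for payloads that do not
    decode to JSON (for instance secrets encrypted before being committed).
    """
    stype = secret.get("type", "")
    data = secret.get("data", {})
    try:
        if stype == "kubernetes.io/dockerconfigjson":
            entries = json.loads(base64.b64decode(data[".dockerconfigjson"])).get("auths", {})
        elif stype == "kubernetes.io/dockercfg":
            entries = json.loads(base64.b64decode(data[".dockercfg"]))
        else:
            return []
    except (KeyError, ValueError):
        return []
    creds = []
    for registry, entry in entries.items():
        if "auth" in entry:
            # "auth" is base64("username:password")
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds.append((registry, user, password))
    return creds


def classify_password(password):
    """Rough triage (assumed heuristic, not Aqua's method): weak, human or generated."""
    if password.lower() in WEAK_PASSWORDS or len(password) < 8:
        return "weak"
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return "generated" if len(password) >= 20 and classes >= 3 else "human"


def audit(secrets):
    """Return one finding per registry credential found in the manifests."""
    findings = []
    for secret in secrets:
        meta = secret.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for registry, user, password in extract_registry_credentials(secret):
            findings.append({"secret": name, "registry": registry, "username": user,
                             "password_class": classify_password(password)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SECRETS):
        print(finding)
```

The point of the example is that nothing here is cryptography: a leaked manifest is two base64 decodes away from a usable registry login, which is why the study could test validity at all. Running the same script against the manifests in your own repositories (before they are pushed) is a cheap pre-commit check, and the third sample shows why secrets encrypted with an external tool are a different case.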
Aqua also noted cases where organizations accidentally left secrets in files pushed to public repositories on GitHub, leading to unintentional disclosure of information.
However, all AWS and GCR-related credentials the researchers found were temporary or had expired, so they could not be used. Likewise, the GitHub container registry required two-factor authentication (2FA) as an additional layer of protection against unauthorized access. In these cases the exposure was therefore not critical.
In addition, some keys had been encrypted before being committed, which made them unusable. In other cases, even when a key was valid, it carried minimal privileges, often good only for pulling a specific artifact or image.
"Potential data leaks, loss of proprietary code, and supply chain attacks are a stark reminder of the need for strong security measures," the Aqua Security researchers concluded, reminding developers of the importance of temporary tokens, data encryption, the principle of least privilege, and two-factor authentication. According to the experts, these measures are sufficient to secure container registries.
According to Red Hat's April Kubernetes security report, vulnerabilities and misconfigurations are the main security concerns in container environments. 37% of the 600 participants surveyed indicated a loss of revenue or customers as a result of incidents related to the security of containers and Kubernetes.
