Kubernetes Security: Sensitive Secrets Exposed
Cybersecurity researchers are warning of Kubernetes security issues amid the exposure of configuration secrets. It has been deemed that such exposure could put organizations at risk of supply chain attacks.
Researchers believe that such attacks could be orchestrated using Kubernetes secrets exposed in public repositories as they allow access to the Software Development Life Cycle (SDLC). In this blog, we’ll dive into the details of these secrets and mitigation measures that should be adopted to avoid such exposure.
Fortune 500 Cybersecurity Risk
The exposure impacted two top blockchain companies and various other Fortune 500 companies. SAP’s Artifacts management system, with over 95 million artifacts, was affected by the exposure. It’s worth mentioning that these exposed secrets are essential for managing sensitive data within an open-source environment used for container orchestration.
These secrets, however, are stored in the API server's datastore without being encrypted by default, making them vulnerable to cyber threats in container orchestration. Securing sensitive data in Kubernetes is essential, as exposure has severe implications for affected organizations if a vulnerability is exploited.
Recent survey reports have stated that when it comes to enterprise container security, vulnerabilities and misconfigurations are a top concern. Furthermore, the report cited 37% of respondents stating revenue or customer loss due to the exploitation of such vulnerabilities.
Kubernetes Security – Details Of The Exposed Secrets
Researchers at Aqua have stated that they focused on two types of Kubernetes secrets: dockercfg and dockerconfigjson. Protecting both types is essential, as they store the credentials used to access external container registries. The team of researchers used GitHub’s API to identify instances where such secrets were uploaded to public repositories.
Commenting on the matter, the team said, “We uncovered hundreds of instances in public repositories, which underscored the severity of the issue, affecting private individuals, open-source projects, and large organizations alike.” Their initial query led to over 8000 results.
However, the query was later refined to only show entries that had user and password values encoded in base64. This refined query yielded 438 records that contained login credentials. Out of these records, 203 contained credentials that actually granted access to the respective repositories.
It’s worth mentioning that just 93 of the credentials were set by individuals, while the other 345 appeared to be computer-generated. In addition, they provided access for both pulling and pushing privileges, and most of them had private container images, too. Some of the most notable registries that were exposed include Docker Hub, Azure ECR, and Quay.
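As an added illustration (not code from the Aqua research or this article), the following Python decodes the two Secret types named above, reports which registries and usernames a committed manifest would expose, and flags trivially weak passwords without echoing them; the sample Secret and the weak-password list are constructed for the example.

```python
"""Scan a Kubernetes Secret manifest (already parsed to a dict) for registry
credentials of type kubernetes.io/dockercfg or kubernetes.io/dockerconfigjson."""
import base64
import json

# Constructed list of trivially weak passwords; a real scanner would use a policy list.
WEAK_PASSWORDS = {"password", "password123", "123456", "admin", "test"}


def b64(raw: bytes) -> str:
    """Base64-encode bytes to the string form used in Secret 'data' fields."""
    return base64.b64encode(raw).decode()


def decode_docker_config(secret: dict) -> dict:
    """Return {registry: entry} from the embedded docker config, or {} if not a registry Secret."""
    stype = secret.get("type", "")
    data = secret.get("data", {})
    if stype == "kubernetes.io/dockerconfigjson":
        # Modern format: base64(JSON) with registries under the "auths" key.
        return json.loads(base64.b64decode(data[".dockerconfigjson"])).get("auths", {})
    if stype == "kubernetes.io/dockercfg":
        # Legacy format: base64(JSON) with registries at the top level.
        return json.loads(base64.b64decode(data[".dockercfg"]))
    return {}


def extract_credentials(secret: dict) -> list:
    """List registry, username and a weak-password flag for every auth entry found.
    The password itself is never returned, so findings can be logged safely."""
    findings = []
    for registry, entry in decode_docker_config(secret).items():
        if "auth" in entry:
            # "auth" is base64("user:password"); partition on the first colon only.
            user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pwd = entry.get("username", ""), entry.get("password", "")
        findings.append({"registry": registry, "username": user,
                         "weak_password": pwd.lower() in WEAK_PASSWORDS})
    return findings


# Constructed sample: a dockerconfigjson Secret as it might be committed to a public repo.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "regcred"},
    "data": {".dockerconfigjson": b64(json.dumps({"auths": {
        "https://index.docker.io/v1/": {"auth": b64(b"alice:password123")},
        "quay.io": {"username": "ci-bot", "password": "Xk9#v2Qp!7zL"},
    }}).encode())},
}

if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_SECRET):
        print(f)
```

Manifests in repositories are usually YAML; convert them to JSON (for example with PyYAML's `safe_load`) before passing the dict to `extract_credentials`.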
Provided below is a breakdown of the registries and credentials that were exposed.
Deeming password protection as one of the many Kubernetes best practices, the research team stated, “This underscores the critical need for organizational password policies that enforce strict password creation rules to prevent the use of such vulnerable passwords.” Some of the weakest passwords that were actively being used include:
It’s worth noting that credentials for GCR and AWS had expiration dates rendering them useless after they had been exposed.
Noteworthy Use Cases
In a bid to improve Kubernetes vulnerability management, the Aqua researchers went on to identify multiple use cases that pose significant risks to organizations. To do this, the team mainly focused on the Quay, Red Hat, and Docker Hub registries, since they had the highest number of valid credentials.
They discovered valid credentials that provided access to more than 95 million artifacts. Potential threats that could come as a result of such access include proprietary code being leaked, supply chain attacks, and data breaches. It’s paramount to know that any of these threats can negatively impact an organization’s integrity, reputation, and customer relations.
The team also identified secrets to the registries of two top-tier blockchain companies. These secrets enable both push and pull privileges and, if exploited, are likely to impact highly popular projects and cryptocurrencies.
Docker Hub Accounts
The Docker Hub credentials that were discovered granted full access to the accounts. It’s worth mentioning that these accounts were associated with 2,948 container images, which amount to 46 million image pulls. What’s even more alarming is the fact that 26% of the container images were private, meaning that they should not have been accessible to unauthorized users.
Risk Mitigation Strategies For Kubernetes Security
With diverse cyber threats on the rise, adopting risk mitigation strategies for Kubernetes security is now essential for organizations worldwide. Learning from what was uncovered thus far, some of the essential Kubernetes best practices include:
- Using expiration dates on secrets, tokens, and credentials to ensure that they don’t stay usable for longer than they are needed.
- Encrypting the secrets, rendering them useless to anyone without the encryption key.
- Adopting the least privilege philosophy to ensure that even if unauthorized access is acquired, damage is kept to a minimum because excessive privileges were never granted.
- Using two-factor authentication (2FA) for human users, as it greatly reduces the risk of unauthorized access.
Exposed Kubernetes secrets have put organizations at risk. Researchers have, to date, identified that out of the 438 exposed credentials, 203 were actually valid. These credentials could be used for push and pull access, leaking code, and executing data breaches. Such outcomes serve as a stark reminder that companies should use proactive cybersecurity measures to protect their infrastructure, networks, and data.