Aqua Security’s cloud security research team recently found thousands of registries and artifact repositories exposed online, revealing more than 250 million artifacts and over 65,000 container images.
The registries and repositories belonged to a wide range of companies, including 10 members of the Fortune 500 and two leading cybersecurity providers.
“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” the researchers noted in a blog post.
“We believe that registries are a crucial part of the software supply chain in the cloud and that organizations don’t pay enough attention to them,” they wrote. “If attackers gain access to registries, they can propagate and potentially exploit the entire SDLC.”
Also read: Software Supply Chain Security Guidance for Developers
Sensitive Information Exposed
While they expected to find some registries accessible online, the researchers wrote, they were surprised that “on 1,400 distinct hosts we found at least one sensitive key (such as keys, secrets, credentials, tokens, etc.) and on 156 hosts we found private sensitive addresses of end points (such as Redis, MongoDB, PostgreSQL, MySQL, etc.).”
They also found 57 registries with critical vulnerabilities, such as default admin passwords, and more than 2,100 artifact registries with upload permissions, which could enable attackers to poison the registry with malicious code.
Aqua Security staff software engineer Mor Weinberger told eSecurity Planet by email that containers and artifact registries play a crucial role in software development, but they have to be managed correctly. “Whether you’re a software provider or an open-source maintainer, the goal is to simplify the process of managing releases and making them easily accessible,” he said. “However, this should never come at the expense of security.”
“anonymous users should never be allowed to upload files to your releases”
“Regardless of the situation, anonymous users should never be allowed to upload files to your releases (as we have seen in more than one instance),” Weinberger added. “Moreover, it’s essential to ensure that no sensitive information, such as secrets and PII, makes its way into your accessible artifacts. In general, once your artifacts are accessible to anyone, your software vulnerabilities within are also exposed.”
See the Top Code Debugging and Code Security Tools
Responding to Security Researchers
In one case detailed by the researchers, they found two exposed container image registries belonging to a Fortune 100 tech giant. “One of the container image manifests contained a command to download artifact from the artifact registry, which included an active API key to retrieve internal binaries as part of building an image,” they wrote. “We found that the artifact registry contained 2,600 repositories with over 240 million artifacts.”
They reached out to the company, and its security team quickly responded. “We later learned that this was a case of shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” they wrote.
Aqua Security lead threat intelligence and data analyst Assaf Morag told eSecurity Planet by email that it’s crucial for companies of all sizes to have a defined point of contact for security researchers and a known security disclosure playbook. “To do this, create a dedicated security email and assign someone to process the incoming emails,” he said.
“If you have a severe misconfiguration or a vulnerability and someone is trying to reach out to you to let you know that, don’t make it harder on them, because they will eventually give up and stop,” Morag added. “There will then be a risk to your data, intellectual property, and customer information, as it might end up on the dark web. Someone could have stopped that, but there was no answer at the door when it mattered.”
See the Top Container Security Solutions
Key Steps to Take
The researchers suggest taking the following steps as soon as possible to mitigate these risks:
- Secure repositories with network controls such as a VPN or firewall
- Implement strong authentication and authorization measures
- Regularly rotate keys, credentials, and secrets
- Implementing least privilege access controls and scoping
- Regularly scan for sensitive data
As more and more organizations move to the cloud, Morag said, we’re likely to continue to see an increase in misconfigurations. “These are most often caused by shadow IT, mistakes, a lack of knowledge or experience, and a lack of proper controls,” he said. “We really hope that this research and other similar security research will educate the community about the risks posed by this technology and the need to adopt security practices and tools to mitigate them.”
Read next: 13 Cloud Security Best Practices
