Aqua Security, a pioneer in cloud-native security, has discovered thousands of exposed registries and artifact repositories containing over 250 million artifacts and over 65,000 container images.
Many of these artifacts and images contained highly confidential and sensitive proprietary code and "secrets". Aqua's team of IT security researchers, Team Nautilus, uncovered misconfigurations that put thousands of companies of all sizes at risk worldwide, including five from the Fortune 500 and two major IT security vendors. At IBM, for example, an internal container registry was exposed to the Internet: after Nautilus researchers informed the local security team, Internet access to these environments was closed and the risks minimized. Aqua has informed the security teams of potentially affected companies, including Alibaba and Cisco.
Software supply chain
Registries and artifact management systems are critical elements in the software supply chain, making them a prime target for cybercriminals. Many companies deliberately open their container and artifact registries to the outside world. However, they are sometimes unaware of the dangers or unable to control the sensitive information and so-called secrets stored there. If attackers manage to gain access to these systems, they can compromise the entire software development lifecycle toolchain and the artifacts stored within it.
Specifically, Aqua discovered over 250 million artifacts and over 65,000 container images exposed across thousands of misconfigured container images, container image registries (Red Hat Quay) and artifact registries (JFrog Artifactory and Sonatype Nexus).
The investigation also found that in some cases companies had failed to properly secure these highly critical environments. In other cases, sensitive information had found its way into open-source areas, leaving these environments exposed to the Internet and vulnerable to attack. Either situation can lead to serious attacks.
Investigation results
- The security researchers found sensitive keys (including secrets, credentials or tokens) on 1,400 different hosts, as well as sensitive private addresses of endpoints (such as Redis, MongoDB, PostgreSQL or MySQL) on 156 hosts.
- They discovered 57 registries with critical misconfigurations, 15 of which allowed administrator access with the default password.
- They also found more than 2,100 artifact registries with upload permissions that could allow an attacker to poison the registries with malicious code. In some cases, anonymous user access gave potential attackers access to sensitive information (such as secrets, keys and passwords) that could be used to launch a serious attack on the software supply chain or poison the software development lifecycle.
Recommendations for security teams
Security teams at affected organizations should immediately take the following actions:
- Always check whether registries or artifact management systems are reachable from the Internet.
- If a registry is intentionally connected to the Internet, check that the deployed version has no critical security vulnerabilities and that the default password is not in use.
- Passwords must be strong enough and changed regularly.
- Access for anonymous users should be disabled. If this access is intentionally enabled, anonymous users should be given minimal privileges.
- Public artifacts in a repository should be scanned regularly to ensure they do not contain any secrets or sensitive information.
- Finally, rotate any secrets that may have been disclosed.
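The scanning step in the recommendations above, as an added Python example (not code from Aqua or this article): it walks a constructed, uncompressed image-layer tar, looks for the two classes of finding the study reports (embedded secrets and private backend endpoints such as Redis or PostgreSQL URLs) and returns each hit with its file and line number. The regex patterns and the sample files are assumptions chosen for illustration.

```python
import io
import re
import tarfile

# Two classes of finding from the Nautilus study: embedded secrets and private backend endpoints.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|secret)\s*[=:]\s*\S+"),
}
ENDPOINT_PATTERN = re.compile(r"\b(?:redis|mongodb|postgres(?:ql)?|mysql)://[^\s\"']+")

def scan_text(name, text):
    """Return (kind, file, line_no) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append((kind, name, line_no))
        if ENDPOINT_PATTERN.search(line):
            findings.append(("private_endpoint", name, line_no))
    return findings

def scan_layer(tar_bytes):
    """Scan every regular file in an uncompressed image layer tar (binary files are scanned too)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if member.isfile():  # skip directories, symlinks and whiteout entries
                text = tar.extractfile(member).read().decode("utf-8", errors="replace")
                findings.extend(scan_text(member.name, text))
    return findings

def build_sample_layer():
    """Constructed sample layer: an .env with a key and password, a config pointing at a private Redis."""
    files = {
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n",
        "app/config.yaml": "cache: redis://10.0.3.15:6379/0\nlog_level: info\n",
        "app/README.md": "Nothing sensitive here.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running scan_layer over the layers of a pulled image gives a list that an operator can triage before the artifact stays public; any hit on a key or password is a candidate for rotation.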
Vulnerability Disclosure
Few companies, the Nautilus study found, have a responsible vulnerability disclosure program in place. These programs are important tools: they allow IT security teams to report potential vulnerabilities in a structured way so their organization can quickly fix the problem before it is compromised.
Nautilus also found that companies with existing vulnerability disclosure programs were able to fix misconfigurations in less than a week. For companies without such a program, the process was more difficult and time-consuming.
Assaf Morag, Senior Threat Researcher at Aqua Nautilus, explains: "We started our research with the aim of better understanding registry misconfigurations, finding out more about the companies behind these misconfigurations, and seeing how a skilled attacker could and would exploit unprotected and misconfigured registries. The results were both surprising and highly worrying. In view of the extent of the risks we uncovered, we have informed the security teams of the affected companies according to the usual procedure."
More at Aquasec.com
About Aqua Security
Aqua Security is the largest pure cloud-native security provider. Aqua gives its customers the freedom to innovate and accelerate their digital transformation. The Aqua platform provides prevention, detection and response automation across the application lifecycle to secure the supply chain, cloud infrastructure and running workloads, regardless of where they are deployed.