Early Container Deployments at Risk, Survey Finds
The enterprise embrace of application containers brings with it agility, scaling, rapid response to continuous change and new requirements for securing production workloads in public clouds.
As with most infrastructure advances, the scaling of application containers in production is exposing previously unforeseen consequences, especially security risks. Among them, according to research by cloud security specialist Lacework, are an explosion of container orchestration and API management tools that could unwittingly serve as “attack points.”
Lacework said it found more than 21,000 container and API tools with potential vulnerabilities related to poorly configured resources, non-secure protocols and lack of user credentials. The growing number of container and API tools ranging from de facto standard systems like Kubernetes and Docker Swarm to an expanding ecosystem of container management systems underscores the need for “proper security guardrails” beyond initial container isolation steps, Lacework said.
The security vendor said it discovered 21,169 Internet-connected container orchestration platforms during the week of June 1. Most of the clusters were hosted on Amazon Web Services (NASDAQ: AMZN), followed by Google Cloud Platform (NASDAQ: GOOGL) and OVH, the French cloud computing vendor.
The security scan turned up more than 300 container management clusters in the open with no authentication, “virtually [giving an] complete access,” the company said, via administrative dashboards that could be accessed without credentials. Among the other vulnerabilities was the ability to perform remote code execution via APIs or a user interface.
The Kubernetes cluster orchestrator accounted for 78 percent of open Internet protocols, followed by Docker Swarm and the Apache Mesos cluster manager.
Previous exploits have focused unprotected computing resources that were used by hackers for deploying code to perform crypto-mining on hijacked infrastructure. The Lacework study asserts that hackers exploiting container security gaps could gain access to servers, privileged accounts and administrative passwords to all servers, representing a “greater risk [if] an outsider gains the highest level of privileges to [a] cluster.”
“We noticed an alarming number of systems with no authentication whatsoever,” Lacework reported. “Some were clearly in the midst of being setup, but some were in full production.
“In cases where full access was available, one can perform operations like add and deploy their own applications, delete infrastructure, change credentials, and potentially exfiltrate data,” the security vendor added.
Researchers focused on Kubernetes given its growing popularity as an orchestration and container management platform. While it found several default authentication and secure socket layers (SSL), Lacework said it uncovered open Kubernetes dashboards in various phases of deployment along with dashboards with no authentication. Vulnerable Kubernetes dashboards also posed risks such as exposing sensitive company information.
Leaving these the management interfaces exposed “poses a huge potential for risk to their data and cloud infrastructure,” the report warns.
As containers enter the mainstream, Lacework said its research highlights the need for administrators to determine an acceptable level of external visibility along with stricter access policies. It recommends tighter controls on network access, especially to dashboards and APIs, along with SSL for all servers and valid user certificates for access to container infrastructure.