Docker Registries Expose Hundreds of Orgs to Malware, Data Theft

docker container

Misconfigured Docker registries could leak confidential data, lead to a full-scale compromise and interrupt the business operations.”

A slew of misconfigured Docker container registries has inadvertently exposed source code for 15,887 unique versions of applications owned by research institutes, retailers, news media organizations and technology companies.

According to Palo Alto Networks’ Unit 42 division, the registries lacked proper network access control.

“Although setting up a Docker registry server is straightforward, securing the communication and enforcing the access control requires extra configurations,” the company said in a posting on Friday, explaining that researchers found the exposed registries via Shodan and Censys searches. “System administrators may unintentionally expose a registry service to the internet without enforcing proper access control.”

As the security firm explained, Docker registries are essentially cloud servers, which are used to store and organize Docker images. Docker images are containers that have everything needed to run an application, including code, dependent libraries and operating system files. These image containers are organized into repositories, which can have multiple versions of the application, including backups.

The consequences for companies whose registries are attacked by cybercriminals can be profound, according to Unit 42.

“These registries contain the application source code and historical versions,” researchers said. “When leaked, proprietary intellectual property can be stolen, malicious code can be injected and operation critical data can be hijacked…misconfigured Docker registry could leak confidential data, lead to a full-scale compromise and interrupt the business operations.”

In all, the research identified 941 Docker registries exposed to the internet and 117 registries accessible without authentication.

Docker registries allow the enablement management of images – users can “pull” (access or download) images; “push” them (upload); or delete them. Out of the 117 unsecured registries uncovered by Palo Alto, 80 of them allowed the pull operation, 92 registries allowed the push operation and seven registries allowed the delete operation.

This opens up a range of cybercriminal activities. “If the push operation is allowed, benign application images may be replaced with images with backdoors,” according to the analysis. “These registries may also be used for hosting malware.”

This latter scenario played out last October, when a cryptojacking worm dubbed Graboid infected more than 2,000 unsecured Docker Engine (Community Edition) hosts. The worm looked to mine the Monero cryptocurrency.

Meanwhile, researchers said that “if the delete operation is allowed, hackers could encrypt or delete the images and ask for ransom. As each registry is typically accessed by multiple clients, all the clients who pull and run images from the compromised registries immediately become vulnerable.”

The unsecured repositories in total accounted for 2,956 vulnerable repositories and 15,887 vulnerable “tags,” the firm noted. Docker tags are aliases for Docker images. Some of the exposed registries had more than 50 repositories and 100 tags exposed.

“With all the source code and historical tags, malicious actors can design tailored exploits to compromise the systems,” the firm noted. “Without looking into the image content, we could attribute about 25 percent of the unsecured registries by reverse DNS lookup or cnames in the TLS certificates.”

Threatpost has reached out to Unit 42 to determine whether the exposed registries are now closed. The firm said that remediation is “straightforward,” requiring the addition of a firewall rule that says registries can’t be accessed from the internet, and enforcing authentication for API requests.

Cloud misconfigurations and attacks continue to make headlines, but enterprise views on cloud security have yet to catch up. Research from the Ponemon Institute released in October shows that although nearly half (48 percent) of corporate data is stored in the cloud, only a third (32 percent) of organizations admit they employ a security-first approach to that data storage.

Docker itself is no stranger to security snafus. Last May, it was discovered that for three years, some Alpine Linux Docker images had shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images. And in April, Docker Hub confirmed that it was hacked; with sensitive data from approximately 190,000 accounts potentially exposed.

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.


Suggested articles