
Redhunt Labs - A Look inside the Attack Surface Management companies

Leading attack surface management company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. For many of our customers, our Agentless Attack Surface Management Platform NVADR has been successful in identifying crucial data leaks across publicly exposed Docker containers. NVADR has the ability to continually monitor your exposed Docker Assets from across the internet.

We also provide a Free Scan if you'd like to examine the Attack Surface of your company. Visit our page for more information.

redhuntlabs

Presentation Transcript


Attack Surface Management – Risks of an Exposed Docker Image

Umair Nehri, 22 November, 2022

Almost ten years ago, software typically had to be deployed on "bare metal" or "virtual machines". This made the entire process of installing, configuring, and relocating software burdensome. It also hampered the IT industry's ability to respond swiftly to business changes. Something was needed to expedite the entire process of packaging and deploying applications, environments, etc.

Then DotCloud came into the picture. What we know today as "Docker" used to be a platform-as-a-service (PaaS). From what started as a solution to customer issues at DotCloud Inc. to being widely adopted across the IT industry today, Docker has come a long way.
Container utilisation is increasing as cloud-native development methodologies become the standard model for developing and executing applications.

Here's a video of Docker being demoed for the first time at PyCon 2013 [YouTube].

What is Docker?

Docker is an open-source platform for automating the deployment of applications as portable, self-sufficient containers that can run on the cloud or on-premises.

Docker Hub, the container image registry from Docker Inc., is a common repository (both public and private) where a person can find the Docker images published by various organisations or people around the world. Docker Hub allows free public repositories for images.

Docker and its components

Image source: https://docs.docker.com/get-started/overview/

1) Docker Hub: Docker Hub is a repository where container images can be stored, shared, and managed.
2) Docker Run: The docker run command creates a container from a given image and starts the container using a given command.
3) Docker Image: It is a template that contains the application and all the dependencies required to run that application on Docker.
4) Docker File: It is a text file that contains all the sets of commands required to run a particular image.

Docker is widely used in the IT industry because of its multiple benefits. Along with its benefits, it carries certain risks if security measures are not followed.
Because of its widespread adoption, more organisations are exposed to these risks, which benefits a person with malicious intent.

By default, every image pushed to Docker Hub through your free account appears in the public registry. This business strategy of Docker Inc. to engage more people into purchasing their paid subscriptions puts the free users at risk. Once an attacker finds exposed Docker images related to your organisation, there is plenty of information that the attacker can use to damage the organisation's security posture.

1) Hardcoded Secrets:

Hard-coded secrets can take the form of credentials, access tokens, SSH keys, TLS certificates, or any other data that should not be stored in a Docker image in unencrypted form. These secrets might be present in environment variables (ENV), build arguments (ARG), run commands, or even hardcoded in the source code shipped in the image.

Build arguments: Build arguments are one way a person can unintentionally pass sensitive data into a Docker image. If the image is a single-stage image and secrets were passed as build arguments (--build-arg), the attacker can retrieve them. The "docker history" command shows the sensitive values:

    docker history --no-trunc <image>

Environment variables: Environment variables can expose not only secrets but also other valuable metadata.
These variables can reveal information such as internal endpoints, the runtime environment type (staging/prod), which subdomain/domain the app will serve, etc. To view the environment variables of a Docker image:

    docker run <image_to_inspect> printenv

Source code: The worst thing is to hard-code secrets like API tokens, access keys, credentials, and connection strings in your application's source code. When you move the application into a Docker image, these hard-coded secrets are transferred into the image as well and can be viewed by the attacker.

2) Sensitive configuration files copied to the docker image

Another way sensitive data ends up in a Docker image is by copying in a config file that includes all the secrets. A Docker image is made up of multiple layers. Suppose a sensitive configuration file was added in the first layer but later deleted; this doesn't mean that the contents of the config file aren't present anymore, because the earlier layer is still part of the image.

In order to speed up builds, Docker implements caching. If your Dockerfile and related files haven't changed, a rebuild can reuse some of the existing layers in your local image cache. This means that once the attackers have access to the image, they can retrieve the sensitive secrets.

3) Exposed Git logs/hidden directories/other dotfiles

When files are copied into the Docker image indiscriminately, the hidden ".git" directory can be included by accident. Once an attacker gets access to the image, they can find the emails of all committers, the source of the repository, code changes, and hardcoded secrets. This applies not just to .git files but also to other important dotfiles like .ssh, .configs, etc.

4) Paid software licenses

At times, organisations accidentally publish Docker images with activated software. This is not only a sensitive issue; it can also land the organisation in hot water, as distributing licensed software might lead to legal charges against the organisation.
5) Risks of a Targeted Cyber Attack

Since the Docker image is publicly available, the attacker can pull the image and analyse all the stacked images and technologies, as well as their configurations, to determine whether it contains any known vulnerabilities. After analysing the Docker image, the attacker may find a misconfiguration or a vulnerability in the image or in a software component used in the image. There may also be information about where the particular image is deployed on the internet.

This puts the organisation at risk of a cyber attack, since the attacker knows which vulnerability exists and where the container is deployed.

How to stop exposures in docker images:

Below are recommendations to protect your organisation from the risks associated with exposed Docker images.

– Continuously monitor your exposed docker images: A well-informed team should continuously monitor and observe the exposed Docker images related to their organisation. This list of exposed images should be added to the organisation's asset inventory.
– Do not hardcode secrets: Tokens, API keys, passwords, database connection strings, and SSH keys should not be hard-coded in Docker images.
– Make use of private container registries: To share Docker images, make use of private container registries like Azure Container Registry, Amazon Elastic Container Registry, and GitHub Docker registry.
– Implement the usage of ".dockerignore": All the sensitive directories that we don't want to include while building a Docker image can be added to this ".dockerignore" file.
– Conduct training sessions: Provide training to developers on the security best practices for Docker.
– Use secrets management tool: Docker secrets are a secure-by-default way to deliver sensitive values across a cluster of Docker hosts.
– Regular updates and patches: Newer updates and bug fixes are often included in update packages.
– Using a paid subscription: Using a paid subscription allows you to push your Docker images to a private repository. Using a private repository straightaway cuts off most of the risks.

Our Internet-wide study

We at RedHunt Labs are a very research-oriented organisation and conduct various internet-wide scans under the name of Project Resonance to study the security posture of the internet.

A few months ago, we conducted an internet-wide study in which we scanned millions of publicly exposed Docker containers to assess the exposure of secrets. Here's what we found after scanning 1,684,600 unique Docker Hub accounts: we observed that 46,076 Docker images were either hardcoding credentials or copying sensitive config files into the image.

We at RedHunt Labs help organisations continuously discover their Attack Surface across subdomains, containers, git repos, etc., and help identify security risks on the External Attack Surface before attackers do.

Our Agentless Attack Surface Management Platform NVADR has capabilities to continuously monitor your exposed Docker Assets from across the internet and has been able to identify critical data leaks across publicly exposed Docker containers for many of our customers.

If you would like to check out your organisation's Attack Surface, we also offer a Free Scan.
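The "Hardcoded Secrets" section above notes that build arguments and environment variables stay readable in an image's metadata. The following pre-publish check is an added example, not code from the original post or from RedHunt Labs; it assumes input shaped like an OCI image config (config.Env and history[].created_by), and the sample config, the name patterns and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like an OCI image config (config.Env and
# history[].created_by); every value below is fake.
SAMPLE_CONFIG = {
    "config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "APP_ENV=staging",
        "DB_URL=postgres://app:hunter2@db.internal.example:5432/app",
        "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ARG NPM_TOKEN"},
        {"created_by": "|1 NPM_TOKEN=constructed-token-123 /bin/sh -c npm ci"},
        {"created_by": '/bin/sh -c #(nop)  CMD ["node" "server.js"]'},
    ],
}

NAME_RE = re.compile(r"TOKEN|SECRET|PASSW(OR)?D|API_?KEY|PRIVATE_KEY|ACCESS_KEY", re.I)
VALUE_RES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url-with-credentials": re.compile(r"://[^/\s:@]+:[^/\s@]+@"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ASSIGN_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

def classify(name, value):
    """Return why NAME=value looks sensitive, or None."""
    for label, rx in VALUE_RES.items():
        if rx.search(value):
            return label
    return "sensitive-name" if NAME_RE.search(name) else None

def audit_image_config(cfg):
    """Return sorted (source, name, reason) findings; values are never echoed."""
    pairs = [("env", e.partition("=")[::2])
             for e in (cfg.get("config") or {}).get("Env") or []]
    for step in cfg.get("history") or []:
        # Build args are recorded as "|<n> NAME=value ..." before the command.
        pairs += [("build-history", m.groups())
                  for m in ASSIGN_RE.finditer(step.get("created_by", ""))]
    found = {(src, name, classify(name, value)) for src, (name, value) in pairs}
    return sorted(f for f in found if f[2])

if __name__ == "__main__":
    for source, name, reason in audit_image_config(SAMPLE_CONFIG):
        print(f"{source:14} {name:20} {reason}")
```

Any finding means the value has to be rotated and the image rebuilt without it before the image is pushed to a public repository.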
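The sections "Sensitive configuration files copied to the docker image" and "Exposed Git logs/hidden directories/other dotfiles" above both come down to what is stored in each layer. This added example (not from the original post) builds a constructed two-layer image in memory and reports files that a later layer deleted but an earlier layer still ships, plus hidden directories; the file names, the SENSITIVE_DIRS set and the function names are assumptions made for the illustration.

```python
import io
import posixpath
import tarfile

def make_layer(files):
    """Build an in-memory layer tarball from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed image: layer 0 is "COPY . /app"; layer 1 is
# "RUN rm /app/config.yml", which only adds a whiteout marker (.wh.<name>).
LAYERS = [
    make_layer({
        "app/server.py": b"print('ok')\n",
        "app/config.yml": b"db_password: constructed-example\n",
        "app/.git/config": b'[remote "origin"]\n',
    }),
    make_layer({"app/.wh.config.yml": b""}),
]

SENSITIVE_DIRS = {".git", ".ssh", ".aws"}  # assumed list, extend as needed

def audit_layers(layers):
    """Return sorted (layer_index, path, reason) for content the image still ships."""
    seen, findings = {}, []  # seen: path -> index of the layer that stored it
    for index, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for name in tar.getnames():
                directory, base = posixpath.split(name)
                if base.startswith(".wh."):
                    # A whiteout hides the file in the merged filesystem, but
                    # the lower layer holding its bytes is shipped unchanged.
                    target = posixpath.join(directory, base[len(".wh."):])
                    if target in seen:
                        findings.append((seen[target], target, "deleted-in-later-layer"))
                    continue
                seen[name] = index
                if SENSITIVE_DIRS & set(name.split("/")):
                    findings.append((index, name, "hidden-directory"))
    return sorted(findings)

if __name__ == "__main__":
    for layer, path, reason in audit_layers(LAYERS):
        print(f"layer {layer}: {path} ({reason})")
```

The fix for either finding is to keep the file out of the build context (for example through ".dockerignore") rather than deleting it in a later Dockerfile step.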
