Some major companies are careless with their Kubernetes configuration secrets, which could spell security disaster, a new report from cybersecurity researchers at Aqua has claimed.
In a new paper, researchers Yakir Kadkoda and Assaf Morag explained that firms are uploading Kubernetes configuration secrets to public repositories, risking that attackers pick them up and use them in attacks against their endpoints.
They came to this conclusion after using the GitHub API to search for all entries containing .dockerconfigjson and .dockercfg, the files that usually store credentials for container image registry access. The search returned 438 records, of which half (203) held valid credentials that could be used to access the registries. The list contained 345 computer-generated passwords and 93 manually created ones.
Weak credentials
“In the majority of cases, these credentials allowed for both pulling and pushing privileges,” the researchers said. “Moreover, we often discovered private container images within most of these registries.”
Another problem is the strength of the manually created passwords. Almost half were considered weak, including the likes of test123456, ChangeMe, and dockerhub, which hackers can easily guess. “This underscores the critical need for organizational password policies that enforce strict password creation rules to prevent the use of such vulnerable passwords,” the researchers stressed.
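A defender-side check that covers both findings above, the registry credential files committed to repositories and the weak passwords inside them, written as an added example for this article rather than the researchers' own tooling: it reads a Kubernetes Secret manifest in JSON form, decodes the .dockerconfigjson or legacy .dockercfg payload, and flags each credential whose password is short or on a denylist. The manifest, registry name, account and password are constructed for the example, and the denylist is an assumption built from the three passwords the report names plus two common defaults.

```python
import base64
import json

# Constructed denylist: the three weak passwords the report names plus two
# common defaults; a real pre-commit check would use a much larger list.
WEAK_PASSWORDS = {"test123456", "changeme", "dockerhub", "password", "admin"}
SECRET_KEYS = (".dockerconfigjson", ".dockercfg")

def b64_text(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def decode_auths(blob: str, key: str) -> dict:
    """Return {registry: (user, password)} from a base64 Secret data value."""
    # .dockerconfigjson nests registries under "auths"; the legacy .dockercfg
    # is a flat registry -> {"auth": ...} map. "auth" is base64("user:pass").
    cfg = json.loads(base64.b64decode(blob))
    entries = cfg.get("auths", {}) if key == ".dockerconfigjson" else cfg
    creds = {}
    for registry, entry in entries.items():
        raw = base64.b64decode(entry.get("auth", "")).decode()
        user, _, password = raw.partition(":")
        creds[registry] = (user, password)
    return creds

def scan_secret(manifest: str) -> list:
    """One finding per registry credential in a Kubernetes Secret (JSON form)."""
    obj = json.loads(manifest)
    findings = []
    if obj.get("kind") != "Secret":
        return findings
    for key, blob in obj.get("data", {}).items():
        if key not in SECRET_KEYS:
            continue
        for registry, (user, password) in decode_auths(blob, key).items():
            weak = len(password) < 12 or password.lower() in WEAK_PASSWORDS
            findings.append({"key": key, "registry": registry,
                             "user": user, "weak_password": weak})
    return findings

def build_secret(key: str, registry: str, user: str, password: str) -> str:
    """Build a one-credential Secret manifest (JSON); used only to construct samples."""
    entry = {registry: {"auth": b64_text(f"{user}:{password}")}}
    payload = {"auths": entry} if key == ".dockerconfigjson" else entry
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "regcred"},
                       "data": {key: b64_text(json.dumps(payload))}})

if __name__ == "__main__":  # constructed sample of a manifest committed by mistake
    print(scan_secret(build_secret(".dockerconfigjson", "registry.example.com",
                                   "deploy", "ChangeMe")))  # weak_password=True
```

Run as a pre-commit hook over `kubectl get secret -o json` output or over manifests in the repository; any finding is a credential that should never reach a public repository, and a weak one should be rotated regardless.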
Among the companies that risked data breaches this way are two major blockchain firms and “various Fortune 500” organizations.
The researchers also found plenty of Amazon Web Services (AWS) and Google Container Registry (GCR) passwords, all of which were temporary and had expired, and the GitHub Container Registry credentials were protected by multi-factor authentication (MFA), rendering them useless to attackers.
“In some cases, the keys were encrypted and thus there was nothing to do with the key,” the researchers said. “In some cases, while the key was valid it had minimal privileges, often just to pull or download a specific artifact or image.”