Docker users careless with secrets
German researchers have found that more than one in 12 Docker Hub images leaks sensitive material such as credentials or API secrets.
Four researchers from RWTH Aachen University examined more than 340,000 images from Docker Hub and from private registries discovered by scanning the global IPv4 address space, and found that 8.5 percent of them – 28,621 images – contained secrets.
These included more than 52,000 private keys and more than 3,000 API secrets.
Some of those secrets are being used “in the wild”, the researchers said in a paper published on arXiv.
Looking at services they discovered in the IPv4 address space scan, they found 1060 certificates that relied on “compromised keys being issued by public certificate authorities”, but worse: “We find 275,269 TLS and SSH hosts using leaked private keys for authentication.”
Just 740 compromised private keys the researchers found affected “the authenticity of 275,269 Internet-reachable hosts providing … HTTP, AMQP [advanced message queueing protocol], MQTT [a lightweight IoT messaging protocol], and LDAP [lightweight directory access protocol] services”.
The leaked secrets have, naturally enough, serious implications.
In the paper, the researchers point out that “a shared certificate private key could lead to an impersonation attack.”
“In the case of shared API secrets, all deployed containers might use the same API token leading to exhausted rate limits in the best case, but maybe also to overwritten or insufficiently secured private data,” they wrote.
“As a single API token does not allow fine-granular exclusions, i.e., it is either valid or revoked for all users, a revocation would also interfere with benign users.”
The researchers also examined what protocols leaked secrets were associated with, because some protocols are more likely to be used for sensitive information.
The protocol list turned out to be extensive, covering FTP, PostgreSQL, MySQL, SIP, SMTP, POP3, IMAP, SSH, and HTTPS.
The researchers emphasised that image creators need to be warned against uploading secrets to public Docker registries, and that users deploying containers from downloaded images should be warned that secrets such as private keys may already be compromised.
They also suggest that “credential-finding tools such as TruffleHog or SecretScanner … be integrated on both sides of the Docker paradigm.”
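A minimal version of the image-side check the researchers recommend, added here as an illustration rather than code from the paper or from TruffleHog/SecretScanner: it walks every layer inside a `docker save` tarball and flags files containing PEM private key headers or API-secret assignments. The sample image is constructed in memory using the legacy `<id>/layer.tar` layout; the API-secret regex is an assumed heuristic, not the study's detection rule.

```python
import io
import re
import tarfile

# PEM private keys and API secrets are the two types the study counts most; the API
# pattern is a constructed heuristic for this example, not the researchers' rule.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
API_SECRET_RE = re.compile(rb"(?i)api[_-]?(?:key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}")

def _tar_from_files(files: dict) -> bytes:
    """Build an uncompressed tar archive in memory from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def scan_image_tar(image_bytes: bytes) -> list:
    """Walk every layer in a `docker save` tarball; return (layer, path, kind) per hit."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            try:  # default "r:*" mode also opens gzip-compressed layer blobs
                layer = tarfile.open(fileobj=io.BytesIO(image.extractfile(member).read()))
            except tarfile.ReadError:
                continue  # manifest.json and the image config are not layers
            with layer:
                for entry in layer.getmembers():
                    if not entry.isfile():
                        continue
                    data = layer.extractfile(entry).read()
                    if PRIVATE_KEY_RE.search(data):
                        findings.append((member.name, entry.name, "private_key"))
                    if API_SECRET_RE.search(data):
                        findings.append((member.name, entry.name, "api_secret"))
    return findings

# Constructed sample image: one layer leaking an SSH key and an .env token, one clean layer.
SAMPLE_IMAGE = _tar_from_files({
    "manifest.json": b'[{"Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]',
    "aaa/layer.tar": _tar_from_files({
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/.env": b"API_KEY=constructed_example_token_0123456789abcdef\n",
    }),
    "bbb/layer.tar": _tar_from_files({"app/main.py": b"print('hello')\n"}),
})
```

Running `scan_image_tar` over a real export (`docker save image:tag -o image.tar`) before pushing reports the two hits in the leaking layer and nothing from the clean one; a hit on a downloaded image is the cue to treat that key or token as already compromised.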
The researchers behind the paper are Markus Dahlmanns, Constantin Sander, Robin Decker, and Klaus Wehrle.