Open source container platform Docker notified customers that an “unauthorized access to a single [Docker] Hub database,” exposed sensitive data for approximately 190,000 accounts, including usernames, hashed passwords, and tokens from GitHub and Bitbucket used for auto-building Docker images.
While the number sounds significant, 190,000 accounts make up less than five percent of Hub users, Docker said. However, the fact that the exposed data included tokens, which can be used to potentially access code repositories on GitHub and Bitbucket widens the potential impact significantly.
Docker Hub is the repository for public and private containers, self-contained software packages that include all the necessary code, runtime settings, system libraries, and system tools so that the application runs independently of the underlying operating system. Docker Hub is the largest repository of official and community images, and is where many developers go when looking for an official image of an application or system. The exposed username and password means it may be possible for someone to gain unauthorized access to the Docker Hub account and potentially tamper with the official images hosted on the account.
Not Just Docker Hub
Docker's autobuild feature lets developers host the code in repositories on GitHub and BitBucket, and automatically pull the code into the contatiner image that is posted on Docker Hub. The fact that GitHub and Bitbucket tokens have been exposed means someone now has many different points of entry because that person can now access those repositories.
The attack surface has shifted from directly tampering with the officiall image on Docker Hub to potentiallly modifying the code stored on BitBucket and GitHub. If an unrelated developer also references that code on GitHub, then that person is also getting the modified code, and there is a cascading effect.
“Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled auto builds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, all repos on GH they had access to are vulnerable,” security researcher and cryptography expert Kenn White wrote on Twitter.
It isn’t clear at the moment if the tokens actually give attackers write-privileges to Bitbucket and GitHub, or if they were read-only tokens.
Check the Code
Docker “acted quickly to intervene and secure the site” and revoked the exposed tokens. Affected account holders should reset their passwords, and those using autobuilds will need to unlink and relink their GitHub or Bitbucket repositories to Docker Hub, Docker said.
Docker users who use autobuilds should also review security logs for GitHub and BitBucket accounts to find any instances of unusual behavior. They should also view security actions on GitHub and [BitBucket accounts](https:/bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where to check for unauthorized access.
The incident highlights a big challenge with modern software development: developers rely on official repositories to make sure components and libraries are not compromised. Whether it’s npm, [Ruby gems], or in this case Docker Hub, attackers can compromise a large number of downstream projects just be hijacking a handful of high-profile component.
Docker’s customer list includes several high-profile companies, and developers will have to go back and check their revision control history to look for any unauthorized changes.
Microsoft reassured customers its official Microsoft images hosted in Docker Hub have not been compromised. “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case,” wrote Steve Lasker, a program manager for the Azure Container Registry team at Microsoft.
Docker said none of its official images have been compromised. “We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image," the company said.
Using images from Docker Hub (and Microsoft) is a “critical part of today’s cloud native development,” Lasker wrote, but warned that developers still needed to create a buffer between production environments and image files.
“Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls,” Lasker recommended.