A core tenet of software supply chain security is to know what code is doing and where it came from before incorporating it into a software project. Application development teams have to be aware of the risk of downloading and running outdated software components with known vulnerabilities. That same mindset is a necessary one for container images, as well.
Threat analysis firm Prevasio scanned the entire DockerHub and found that 51 percent of all container images had at least one critical vulnerability and 13 percent had at least one high-severity vulnerability. Just 4 percent of the images had at least one moderate-severity vulnerability. In the same analysis, Prevasio researchers identified 6,433 images that were malicious or potentially harmful.
The majority of large enterprises implement Docker containers in “some form,” said Alex Eckelberry, a security expert and advisor to Prevasio. “With containerization now ubiquitous, the attack surface has increased exponentially.”
Malware in Containers
“If a company’s developer takes a shortcut by fetching a pre-built image, instead of composing a new image from scratch, there is a viable risk that such a pre-built image might come pre-trojanised,” the Prevasio researchers warned. “If such an image ends up in production, the attackers may potentially be able to access such containerized applications remotely via a backdoor.”
Cryptocurrency miners were found in 44 percent of the malicious Docker images, making them the most common type of malware found in containers in Prevasio’s analysis. About 23 percent contained an npm package flatmap-stream, a Bitcoin wallet stealer. About a fifth of the malicious images, or 20 percent, contained various hacking tools such as post-exploitation frameworks that provide attackers with backdoors. Researchers found images with backdoored versions of widely used applications such as WordPress content management system, Apache Tomcat web application server, and the Jenkins CI/CD tool.
“While most of the reported containers contain cryptocurrency miners, there are also a fair amount of ‘trojanized’ images of popular platforms, such as WordPress, Apache Tomcat, or Jenkins. Enterprises that have embraced Docker must be aware of these threats in order to protect their organizations and data,” said Rony Moshkovich, CEO of Prevasio.
Just for context, the number of malicious or potentially harmful images accounted for just 0.16 percent of the entire Docker Hub registry.
Malicious container images used a lot of cross-platform code, in particular GoLang, .NET Core and PowerShell Core, to take advantage of the fact that containers make it possible to run applications on different platforms. Researchers found more than 400 examples (with nearly 600,000 pulls) of weaponized Windows malware which would run on Linux machines.
“Malicious code they [attackers] write does not have to be written multiple times for multiple platforms. It can be written once, and run everywhere, including Linux containers,” the researchers said.
Vulnerable Code in Images
The vulnerabilities in the images came about because the containers relied on outdated software components. Container images contain the application, the underlying operating system elements, and supporting frameworks. The point of using containers is so that developers and administrators don’t have to manage all the individual components required to run the application.
“The design and security practices of the team creating the original container image have a direct impact on the security of the resultant system,” said Tim Mackey, Principal Security Strategist, Synopsys CyRC. Developers are implicitly stating that they trust the security practices of the publisher of the container image they are downloading from DockerHub. That level of implicit trust is “risky.”
“Do you trust that a third-party development team has followed security practices that are at least as stringent as those you expect your own team to follow?” Mackey said.
It is far quicker (and easier) to create a pre-built Docker image containing an instance of MySQL than to manually install and configure the database server. However, if publishers aren’t keeping the images up to date with the most recent versions of the components, then those container images become part of the problem. Publishers need to be regularly updating containers, and administrators should be regularly scanning the images for vulnerabilities.
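One way to make the implicit trust in a pulled base image explicit at build time, as an added example that is not from the article or from Prevasio: a Python check over a Dockerfile’s FROM lines that flags images from publishers outside an allow-list, images not pinned by digest, and floating “latest” tags. The internal registry name, the trusted-prefix policy and the sample Dockerfile are constructed for the example.

```python
import re
# Constructed policy for this example: image sources the team has vetted.
# Anything else means implicitly trusting a third-party publisher's practices.
TRUSTED_PREFIXES = ("registry.example.internal/", "docker.io/library/")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def normalize(name: str) -> str:
    """Expand Docker Hub shorthand: 'mysql' -> 'docker.io/library/mysql'."""
    first = name.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return name  # explicit registry host, keep as-is
    return "docker.io/" + ("library/" if "/" not in name else "") + name

def split_ref(ref: str):
    """Split 'repo[:tag][@digest]' into (name, tag, digest)."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    if ref.rfind(":") > ref.rfind("/"):  # colon after the last slash is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest

def check_dockerfile(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, image_ref, issue) for every FROM that pulls a risky image."""
    findings, stages = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        args = [t for t in raw.split() if not t.startswith("--")]  # drop --platform=...
        if len(args) < 2 or args[0].upper() != "FROM":
            continue
        if len(args) >= 4 and args[2].upper() == "AS":
            stages.add(args[3])
        ref = args[1]
        if ref == "scratch" or ref in stages:
            continue  # empty base or an earlier build stage: nothing is pulled
        name, tag, digest = split_ref(ref)
        if not normalize(name).startswith(TRUSTED_PREFIXES):
            findings.append((no, ref, "image from an unvetted publisher"))
        if digest is None or not DIGEST_RE.fullmatch(digest):
            findings.append((no, ref, "not pinned by digest; tag contents can change"))
            if tag in (None, "latest"):
                findings.append((no, ref, "floating 'latest' tag"))
    return findings

# Constructed sample Dockerfile; the digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 golang:1.21 AS builder
FROM registry.example.internal/base/alpine:3.19@sha256:""" + "a" * 64 + """
FROM wordpress
FROM someuser/tomcat:latest
FROM builder
"""
```

Running `check_dockerfile(SAMPLE_DOCKERFILE)` reports nothing for the digest-pinned internal image, one finding for the unpinned `golang:1.21` stage, and three for `someuser/tomcat:latest`.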
The results of Prevasio’s scan echo Sonatype’s sixth annual State of the Software Supply Chain Report from August. In Sonatype’s analysis, at least 11 percent of open-source components consumed by developers contained at least one known vulnerability.