Research reveals 250m artifacts and 65k container images exposed
Research has revealed that 250 million artifacts and 65,600 container images that were exposed via thousands of misconfigured container images, Red Hat Quay registries, JFrog Artifactory and Sonatype Nexus artifact registries.
The research was performed by Aqua Security’s security research team, Aqua Nautilus, and found that many of the artifacts and container images contained highly confidential and sensitive proprietary code and secrets, leaving five Fortune 500 and thousands of other companies at risk.
Registries and artifact management systems are prime targets for threat actors as they are crucial elements within the software supply chain.
Some organisations open their container and artifact registries to the outside world deliberately, but they are sometimes unaware of, or unable to control, sensitive information and secrets that leak into these registries.
When attackers are able to gain access, they can potentially exploit the entire software development life cycle (SDLC) toolchain and its stored artifacts.
The research showed that, in some cases, organisations have failed to secure these environments properly. In other cases, sensitive information leaked into open source spaces, leaving them exposed to the internet and vulnerable to exploitation.
“We began our research with the goal to better understand misconfigurations in registries, the companies behind these misconfigurations and how a skilled attacker would take advantage of exposed and misconfigured registries,” says Assaf Morag, Lead Threat Researcher, Aqua Nautilus.
“The findings were both surprising and highly concerning. Given the magnitude of the risks we uncovered, we set out to find and alert the impacted companies.”
There are several other findings that Aqua Security’s research found. Sensitive keys, including secrets, credentials or tokens, were found on 1,400 distinct hosts. Private sensitive addresses of end-points were also found on 156 hosts.
Fifty-seven registries were found with critical misconfiguration, and 15 of these allowed admin access with the default password.
The research also detected more than 2,100 artifact registries with upload permissions, which may allow attackers to poison the registry with malicious code.
In some cases, sensitive information, such as secrets, keys, and passwords, could be gained that could be used to launch a severe software supply chain attack.
Importantly, this research impacted companies globally, ranging from small to large organisations - including two large cyber security vendors.
One Fortune 500 company that was affected is IBM. The company had an internal container registry exposed online and was quick to close internet access to the environments, mitigating the risks after Aqua Security’s research was disclosed. Other potentially impacted organisations included Alibaba, Siemens and Cisco.
The research showed that many organisations did not have a responsible disclosure program in place, which allows security researchers to report potential vulnerabilities. Organisations with a responsible disclosure program could fix a misconfiguration in less than a week.
“These findings by Aqua Nautilus highlight the need for increased awareness regarding software supply chain security best practices among developers and application security teams,” adds Katie Norton, Senior Research Analyst, DevOps & DevSecOps, IDC.
“The explosion in code and use of open source, coupled with DevOps practices in rapid application development and delivery has left organisations behind and needing to catch up in terms of governance, security controls, and education.”
The Aqua Nautilus researchers had some recommendations for security teams that they should act on immediately:
- Check if any registries or artifact management systems are exposed to the internet.
- If the registry is connected to the internet by design, check that the version isn’t critically vulnerable and that you are not using the default password. Then verify that the passwords are strong enough and regularly rotate passwords.
- In addition, verify that the anonymous user is disabled. If the anonymous user is purposely enabled, verify minimal privileges and regularly scan your public artifacts in your repository to verify they do not contain any secrets or sensitive information.
- Rotate any secrets that may have been exposed.
“Our findings illustrate how easy it is for an attacker to compromise an organisation’s SDLC as well as underscore the serious threat of overlooking simple configuration errors,” continues Morag.
“Moving forward, security teams should ensure they have responsible disclosure programs in place and invest more in detecting and mitigating threats to the software supply chain.”