Container images shared on Docker Hub are leaking sensitive data in the cloud, to the tune of tens of thousands of secrets. And attackers are scooping these up to be used to compromise a wide range of hosts.
Because coding an application and deploying it into another environment can cause errors, developers combine everything together — files, libraries, and dependencies — to be put in containers in the cloud. This makes it easier to create applications that can work across systems. Docker images are a common source for this method of programming, and Docker Hub has millions of private repositories, automated builds, official images provided by Docker, and webhooks that "trigger actions after a successful push to a repository to integrate Docker Hub with other services."
In a study conducted by researchers at RWTH Aachen University in Germany, it was discovered that the ease with which the Docker framework allows containerization could lead to sharing private keys or API secrets, thus compromising the security of anyone who created or is using the image. The researchers uncovered 52,107 private keys in misconfigured containers, as well as 3,158 leaked API secrets.
They also found that the leaked keys were already being used in the wild. There were 1,060 certificates that used compromised keys, and 275,269 TLS and SSH hosts using "leaked keys for authentication."
"This widespread usage allows attackers to eavesdrop on confidential or alter sensitive information, e.g., from the IoT, webpages, or databases," according to the report.
To boot, the researchers found 216 exposed Session Initial Protocol (SIP) hosts for telephones, and 8,165 SMTP, 1,516 POP3, and 1,798 IMAP servers used for emails. These have security implications around Internet-based communications, as these hosts can fall victim to impersonation attacks, allowing threat actors to eavesdrop as well as transmit and alter data.
In conducting this study, the researchers analyzed 337,171 images from Docker Hub as well as 8,076 from private registries.