Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/18/2018
05:28 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Exposed Container Orchestration Systems Putting Many Orgs at Risk

More than 22,600 open container orchestration and API management systems discovered on the Internet.

New research confirms that many organizations are deploying workloads to the public cloud without adequate security controls and processes in place first.

Lacework recently used the Shodan search engine, SSL data mining techniques, and some internally developed tools to uncover as many as 22,672 open container orchestration dashboards and API management systems on the Internet. The applications that Lacework discovered during its research were Kubernetes, Mesos Marathon, Swagger API, Red Hat Openshift and Docker Swarm's Portainer and Swarmpit.

Some 95% of the exposed dashboards and management systems were hosted inside of Amazon Web Services. More than half of those exposed services were hosted on AWS regions in the US. Though a vast majority of the open container orchestration interfaces had credentials for controlling access, the fact that they were exposed to the Internet at all is troublesome, says Dan Hubbard, chief security at Lacework.

The dashboard provides top-level access to all the functions required to manage and administer container clusters. Anyone with access to the dashboard can carry out tasks like starting and stopping workloads, adding or modifying applications and setting key security controls.

Container management interfaces that are not properly configured and are exposed on the Internet pose a major risk for enterprises. "Even with credentials set up, information related to the organization might be disclosed," Hubbard points out. This includes information contained in host headers or SSL certificates. Lacework researchers, for instance, were relatively easily able to derive company names from certificates and hostnames without even having to access the exposed container interfaces.

Weak authentication schemes - like inadequate credential requirements - can allow an attacker to brute-force the password of an exposed container management interface. Similarly, not using SSL can allow an attacker to gain access via clear text authentication. Any vulnerabilities in the container application itself are also likely to be easier to exploit via exposed management dashboards.

Lacework's research also uncovered some 300 container management dashboards with no authentication at all, giving attackers a way to easily spin up and stop containers, delete or destroy information, and harvest data about the infrastructure, Hubbard says. Such completely open dashboards also give attackers a way to potentially move laterally to other cloud resources, log into cloud instances and launch new instances for abuse like Bitcoin mining and DDoS. In addition, attackers can exploit the dashboards to set up a backdoor or to drop malicious code for performing command-and-control and other activities.

Because Kubernetes is currently one of the most popular and fastest-growing container orchestration and management systems, Lacework researchers decided to drill down into some of the issues related to the use of these dashboards in public clouds. Although Kubernetes comes with security features like default SSL use and default authentication, Lacework researchers discovered many open Kubernetes dashboards that were still in the process of being set up; dashboards with no authentication; dashboards that could be brute-forced and those that were leaking information about the organization.

Researchers also discovered 38 servers running a container health check service called "healthz" for Kubernetes environments, live on the Internet with no authentication at all. Besides potentially giving attackers a way to potentially perform full remote code execution capabilities, the app also provides a way to monitor workloads and stop them from running via the dashboard.

The data highlights the need for organizations to follow fundamental security best practices when deploying containers in the public cloud. Examples include protecting them behind a proxy, using multifactor authentication and role-based models to control access, and enforcing the use of SSL, Hubbard says. Limiting the scope of what you can do via a management interface is also a good idea. For example, it is not a great idea to have one management hub for all workloads because if one pod is compromised, all workloads get put at risk, he says.

"The general theme of our discoveries is that there needs to be a bridge in communication, process, and technology between DevOps and security," Hubbard notes. "The operating model here is very different and that needs to be acknowledged."

Related Contents:

  

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.