Critical Security Flaws Lurk Inside 20% of Docker Container Files

Source :- sdxcentral.com

A majority of the most popular Docker container files contain at least one notable security vulnerability, while one in five houses what is considered a critical security flaw, according to research from Kenna Security.

The research, compiled by Jerry Gamblin, principle security engineer at the firm, scanned the top 1,000 containers in the Docker Hub. It found that some of the most frequently used containers had more than 100 million pulls, or downloads, and that those containers had “hundreds of open CVEs.”

CVE stands for Common Vulnerabilities and Exposures, and it is a list of standardized names for security vulnerabilities.

“Many of the containers had at least one CVE labeled with a CVSS score that identified them as high risk,” Gamblin wrote.

CVSS is the Common Vulnerability Scoring System, which provides a numerical score from 0 to 10 for security vulnerabilities. A CVSS base score up to 3.9 is considered “low” severity; a score of from 4 to 6.9 is considered a “medium” severity; and a score from 7 to 10 is considered a “high” severity.

Gamblin then added in his company’s own “Kenna Risk Score,” which he explained “correlates variables such as exploitability and attacker activity, to provide a more accurate picture of risk.” That system scores vulnerabilities based on a scale from 0 to 1,000, with those below a score of 330 considered “low risk,” scores between 330 and 660 considered a “medium risk,” and those between 660 and 1,000 considered a “high risk and should be immediately remediated.”

That data found more than 60% of the top Docker files had a Kenna score of at least 330, and more than 20% scored higher than 660.

Gamblin did note that those Docker container files containing the most vulnerabilities were typically the oldest files and “appear to be abandoned or are otherwise EOL’ed (end of life).” That would indicate that maintainers had moved on from those files and were no longer adding security updates.

He did note that organizations need to be aware of where they are getting their Docker files from and to make sure they are updating those files with the most up-to-date security posture.

“If an organization is using a container with a large number of open, high-risk vulnerabilities, they should be concerned with patching the vulnerabilities, building their own container, or migrating to a better maintained one,” Gamblin noted in an email to SDxCentral.

Code Issues
Rani Osnat, vice president of product marketing at Aqua Security, in an email response to questions said that while he has not dug into the Kenna Security report, vulnerable images “are not a Docker security issue – they are flaws in the code that Docker runs not in the Docker code itself.”

“Known vulnerabilities in container images continue to be a key concern for anyone using containers, and they should be because they are the easiest thing for attackers to exploit,” Osnat added.

Osnat said that while vulnerabilities do exist, “it’s quite easy to scan for vulnerabilities automatically, and it’s highly recommended to do so in multiple phases of the CI/CD pipeline and in container registries.” He suggested that organizations should also use “compensating controls during runtime to ensure that vulnerabilities that exist in their production environment – because a fix was either unavailable or wasn’t easy to apply – would not be exploited by attackers.”

“Such runtime controls include vulnerability shielding for containers, drift prevention that blocks new code from being injected into containers, and behavioral whitelisting that learns the container behavior to detect and prevent anomalies,” Osnat noted.

Recent Flaws
Aleksa Sarai, a senior software engineer at SUSE, discovered a significant Docker container security flaw in May. The CVE-2018-15664 bug allowed access attacker to API endpoints behind the docker cp command that would allow an attacker to read and write data on a host machine. The docker cp command copies code between a container’s local file system and the local machine.

“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing ‘docker cp’ on running containers),” Sarai wrote after discovering the vulnerability. Sarai did note that he had submitted a patch upstream that is undergoing code review.

“Organizations should not assume that a container is secure because it’s hosted on Docker,” Gamblin wrote, adding that, “ultimately, the goal of this project is to shine a light on these containers and educate its users on potential risks to drive better security practices.”