Leading cybersecurity specialists have raised concerns about publicly exposed Kubernetes configuration secrets, which threaten the supply-chain security of numerous organizations. The affected companies include two prominent blockchain companies, whose names have been withheld for security reasons, as well as various other Fortune 500 companies.
Researchers from Aqua Security analyzed encrypted Kubernetes configuration secrets found in public repositories. The data for the study were collected through the GitHub API and consisted of records containing secrets of the dockerconfigjson and dockercfg types, which store credentials for accessing container image registries.
The analysis revealed that of the 438 records potentially containing live credentials, 203 (about 46%) held valid data granting access to these registries. In most cases, these credentials allowed both pulling and pushing images.
When examining password strength, the experts found that 93 of the 438 passwords had been set manually by individuals, while the remaining 345 were machine-generated. Alarmingly, almost 50% of these 93 passwords were weak, including commonly used values such as “Password,” “Test123456,” “Windows12,” “Changeme,” and “Dockerhub.”
This finding underscores the critical need for organizations to enforce stricter password policies.
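As an added example (not code from the article or from Aqua Security), the check below parses the two Secret types named above from a manifest, recovers the embedded registry credentials, and flags passwords from the weak list, so a repository can be scanned before its files reach a public remote. The manifests and credentials are constructed samples, and the case-insensitive weak-password match is an assumption.

```python
import base64
import json
# Constructed samples (not real credentials): both Secret types named above, one
# base64-encoded under "data", one in plaintext under "stringData".
SAMPLE_DOCKERCONFIGJSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "regcred"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps({"auths": {
        "registry.example.com": {"auth": base64.b64encode(b"deploy-bot:Test123456").decode()}
    }}).encode()).decode()}})
SAMPLE_DOCKERCFG = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "legacy"},
    "type": "kubernetes.io/dockercfg",
    "stringData": {".dockercfg": json.dumps({"ghcr.example.com": {
        "auth": base64.b64encode(b"ci-user:x7Qp-9lZv-2mKd").decode()}})}})
# Weak values the researchers reported; matched case-insensitively (an assumption).
WEAK_PASSWORDS = {"password", "test123456", "windows12", "changeme", "dockerhub"}
SECRET_KEYS = {"kubernetes.io/dockerconfigjson": ".dockerconfigjson",
               "kubernetes.io/dockercfg": ".dockercfg"}

def registry_credentials(manifest_json):
    """Return (registry, username, password) for each auth entry in a Secret manifest."""
    doc = json.loads(manifest_json)
    key = SECRET_KEYS.get(doc.get("type")) if doc.get("kind") == "Secret" else None
    if key is None:
        return []
    if key in doc.get("stringData", {}):      # plaintext form
        raw = doc["stringData"][key]
    elif key in doc.get("data", {}):          # base64-encoded form
        raw = base64.b64decode(doc["data"][key])
    else:
        return []
    cfg = json.loads(raw)
    # .dockerconfigjson nests registries under "auths"; the legacy .dockercfg is flat.
    auths = cfg.get("auths", {}) if key == ".dockerconfigjson" else cfg
    found = []
    for registry, entry in auths.items():
        if "auth" not in entry:               # "auth" holds base64("user:password")
            continue
        user, _, pwd = base64.b64decode(entry["auth"]).decode(errors="replace").partition(":")
        found.append((registry, user, pwd))
    return found

def assess(manifest_json):
    findings = []
    for registry, user, pwd in registry_credentials(manifest_json):
        kind = "weak, commonly used password" if pwd.lower() in WEAK_PASSWORDS else "hard-coded credential"
        findings.append(f"{registry}: user '{user}' has a {kind}; move it out of the repository")
    return findings
```

Any finding at all is a reason to block the commit; the weak-password label only tells you which credentials need rotating first.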
Aqua Security also found cases in which organizations unintentionally disclosed information by leaving secrets in files pushed to public repositories on GitHub.
However, the AWS and GCR credentials the researchers discovered turned out to be either temporary or expired, making access impossible. The GitHub Container Registry provided an additional layer of protection against unauthorized access through mandatory two-factor authentication (2FA). The impact of these cases was therefore minimal.
In some instances, keys were additionally encrypted, making them unusable. Moreover, even where a key was valid, it often held minimal privileges and could only be used to pull specific artifacts or images.
“The potential data leakage, loss of proprietary code, and supply chain attacks serve as a stern reminder of the importance of stringent security measures,” concluded the researchers from Aqua Security. They emphasized the use of temporary tokens, data encryption, restricted privileges, and two-factor authentication as sufficient measures to protect container registries.