Public Repositories Reveal Kubernetes Secrets of Fortune 500 Companies
Cybersecurity researchers are warning that Kubernetes configuration secrets have been mistakenly made public, potentially exposing organizations to supply chain attacks.
A report from Aqua Security researchers Yakir Kadkoda and Assaf Morag, published this week, revealed that sensitive Kubernetes configuration secrets had been inadvertently uploaded to public repositories. This exposure includes secrets from two leading blockchain companies and various Fortune 500 firms.
The researchers utilized the GitHub API to scan for entries containing .dockerconfigjson and .dockercfg files. These files typically store credentials needed to access container image registries.
Out of 438 records potentially containing valid registry credentials, the researchers discovered that 203 – roughly 46% – indeed had valid credentials granting access to the corresponding registries. A notable finding was that while 93 of the passwords were set manually by users, a larger number of 345 passwords were generated by computers.
The implications of this access are significant: the researchers pointed out that in most cases these credentials granted both pull and push privileges to the registries, and many of the registries held private container images. Push access to a registry that hosts private images is exactly the supply chain exposure the researchers warn about, since whoever holds the credential can alter what the organization deploys.
Alarmingly, about half of the 93 manually set passwords were considered weak. Examples of these weak passwords include easily guessable choices like 'password', 'test123456', 'windows12', 'ChangeMe', and 'dockerhub'. The prevalence of such weak passwords in critical infrastructure components underscores a serious lapse in cybersecurity practices.
The research from Aqua Security highlights a crucial need for organizations to enforce password policies that reject weak, guessable passwords for registry accounts.
In their study, Aqua Security also observed instances where organizations unintentionally exposed sensitive information by failing to remove secrets from files before committing them to public GitHub repositories. This oversight can lead to significant security risks.
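The two checks the report turns on, finding `.dockerconfigjson` / `.dockercfg` entries in committed manifests and judging whether the password inside is a weak human choice or a generated token, can be run offline before a manifest ever reaches a public repository. The following is an added example written for this article, not code from Aqua Security or from Kubernetes: it parses a JSON-encoded Kubernetes `Secret` (or `List` of objects), decodes both the new `auths` format and the legacy flat `.dockercfg` format, extracts each registry credential, and classifies the password. The weak-password list is the set quoted above; the length and entropy thresholds, the sample secret names, registries and passwords are all constructed assumptions for the example. It never contacts a registry.

```python
"""Audit Kubernetes Secret manifests for embedded registry credentials.

Added example for this article (not Aqua Security's or Kubernetes' code).
Input is a JSON-encoded Kubernetes object or List; the sample at the bottom
is constructed. Everything runs offline: nothing is sent to any registry.
"""
import base64
import json
import math

# Weak passwords quoted in the article; the length floor is an assumed policy.
WEAK_PASSWORDS = {"password", "test123456", "windows12", "changeme", "dockerhub"}
MIN_LENGTH = 12


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_password(password: str) -> str:
    """Heuristic split mirroring the report: weak / human-set / machine-generated.
    Thresholds (12 chars, 20 chars, 3.5 bits per char) are assumptions."""
    if password.lower() in WEAK_PASSWORDS or len(password) < MIN_LENGTH:
        return "weak"
    if len(password) >= 20 and shannon_entropy(password) >= 3.5:
        return "machine-generated"
    return "human-set"


def _b64_to_text(value: str) -> str:
    return base64.b64decode(value).decode("utf-8")


def extract_registry_credentials(secret: dict) -> list:
    """Return [{'registry', 'username', 'password'}] for every auth entry held
    under .dockerconfigjson (new format) or .dockercfg (legacy flat map)."""
    data = secret.get("data") or {}
    string_data = secret.get("stringData") or {}
    creds = []
    for key in (".dockerconfigjson", ".dockercfg"):
        if key in string_data:          # plaintext form the API also accepts
            raw = string_data[key]
        elif key in data:               # base64 form, the common case
            raw = _b64_to_text(data[key])
        else:
            continue
        cfg = json.loads(raw)
        # New format nests entries under "auths"; legacy is a flat registry map.
        auths = cfg.get("auths", {}) if key == ".dockerconfigjson" else cfg
        for registry, entry in auths.items():
            username, password = entry.get("username"), entry.get("password")
            if "auth" in entry:         # "auth" is base64("user:password")
                username, _, password = _b64_to_text(entry["auth"]).partition(":")
            if password:
                creds.append({"registry": registry, "username": username, "password": password})
    return creds


def audit_manifest(manifest_json: str) -> list:
    """Findings for every Secret in a JSON object or List; passwords are redacted."""
    doc = json.loads(manifest_json)
    objects = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in objects:
        if obj.get("kind") != "Secret":
            continue
        for cred in extract_registry_credentials(obj):
            pw = cred["password"]
            findings.append({
                "secret": obj.get("metadata", {}).get("name"),
                "registry": cred["registry"],
                "username": cred["username"],
                "password_class": classify_password(pw),
                "password_redacted": pw[:2] + "*" * (len(pw) - 2),
            })
    return findings


def _secret(name: str, key: str, config: dict) -> dict:
    """Build a Secret manifest the way kubectl stores it (base64 under data)."""
    secret_type = "kubernetes.io/dockerconfigjson" if key == ".dockerconfigjson" else "kubernetes.io/dockercfg"
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name}, "data": {key: encoded}}


# Constructed sample: names, registries and passwords are made up for this example.
SAMPLE_MANIFEST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _secret("ci-pull-secret", ".dockerconfigjson", {"auths": {
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"ci-bot:ChangeMe").decode()},
        "registry.example.com": {"username": "deploy",
                                 "password": "dckr_pat_Q8vZ2mL0xT4pR9sK1nW7yB3eH6uJ5aF"},
    }}),
    _secret("legacy-secret", ".dockercfg", {
        "quay.example.org": {"auth": base64.b64encode(b"qa:Summer2023!!").decode(),
                             "email": "qa@example.com"}}),
]})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run as a pre-commit hook over the manifests in a change, the audit flags any `Secret` carrying registry credentials at all, which is the condition the report found: the secret should not be in the repository regardless of password quality. The class label is secondary and only reproduces the report's manual-versus-generated split; a finding is a finding whichever label it carries.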
On the brighter side, the investigation found that all credentials for AWS and Google Container Registry (GCR) were temporary and had already expired, so they could not be used. The GitHub Container Registry additionally enforced two-factor authentication (2FA), providing an extra layer of protection against unauthorized access.
The researchers noted that in some cases, keys were encrypted, rendering them unusable. In other instances, while keys were valid, they had limited privileges, often restricted to pulling or downloading specific artifacts or images.
The findings align with concerns raised in Red Hat's State of Kubernetes Security Report earlier this year. The report, based on responses from 600 participants, identified vulnerabilities and misconfigurations as the primary security challenges in container environments. Notably, 37% of respondents reported experiencing loss of revenue or customers due to security incidents involving containers and Kubernetes. This statistic underscores the importance of maintaining robust security practices in the management of containerized environments.