Unauthorized Access to Docker Exposes Thousands of Users

Last week, Docker announced that they had discovered unauthorized access to a database that backs Docker Hub. In their statement, Docker wrote, “During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.” The statement goes on to say that Docker has invalidated the password hashes of the affected accounts, revoked access tokens for linked GitHub accounts with autobuild enabled, and provided instructions for relinking an affected GitHub or Bitbucket account.

What we don’t know yet is how long this “brief” period of unauthorized access lasted. We don’t know which algorithm was used to hash the passwords, or whether the hashes were salted, which matters: an unsalted fast hash lets an attacker crack a leaked table with a single precomputed lookup, and every user who chose the same password falls at once. We don’t know how many of the 190,000 users were actually affected, and only time will tell whether the impact extends to compromise of code in linked GitHub or Bitbucket accounts. Not great.
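To make the salting point concrete, here is an added illustration (not code from the post or from Docker). It contrasts an unsalted SHA-256 dump with a per-user salted PBKDF2 dump under the same attacker wordlist; the three users, their passwords and the wordlist are constructed, and PBKDF2 stands in for the argon2/scrypt/bcrypt you would use in production only because it ships with the Python standard library.

```python
"""Why salting matters for a leaked table of password hashes.

Added illustration for this post; not code from the post or from Docker.
The users, their passwords and the attacker's wordlist are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed leaked account table: two of the three users chose the same
# weak password.
USERS = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "tr0ub4dor&3"}

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "Summer2019!", "letmein"]

PBKDF2_ROUNDS = 100_000  # deliberately slow; tune upward in production


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt chosen per user.
    argon2, scrypt or bcrypt are the usual production choices; PBKDF2 is used
    here only because it is in the standard library."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password: str, salt: bytes, key: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, key)."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, key)


def leaked_unsalted() -> Dict[str, str]:
    return {u: unsalted_hash(p) for u, p in USERS.items()}


def leaked_salted() -> Dict[str, Tuple[bytes, bytes]]:
    return {u: salted_hash(p) for u, p in USERS.items()}


def crack_unsalted(leaked: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Attack on an unsalted dump: hash the wordlist ONCE into a lookup table,
    then look every user up in it. Returns (recovered, hash_operations); the
    cost does not grow with the number of users."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, len(WORDLIST)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, str], int]:
    """Attack on a salted dump: no shared table is possible, so every candidate
    is re-derived with each user's own salt. Returns (recovered, hash_operations);
    each operation is a full PBKDF2 run and the cost grows with users x words."""
    recovered: Dict[str, str] = {}
    ops = 0
    for user, (salt, key) in leaked.items():
        for word in WORDLIST:
            ops += 1
            if verify(word, salt, key):
                recovered[user] = word
                break
    return recovered, ops


if __name__ == "__main__":
    u = leaked_unsalted()
    print("unsalted: alice and bob share a hash:", u["alice"] == u["bob"])
    print("unsalted attack:", crack_unsalted(u))
    s = leaked_salted()
    print("salted: alice and bob share a key:", s["alice"][1] == s["bob"][1])
    print("salted attack:", crack_salted(s))
```

Both attacks recover the two weak passwords, but the unsalted dump costs the attacker four cheap SHA-256 calls for any number of users, while the salted dump forces one slow derivation per user per candidate and gives away nothing about which users share a password.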

What we do know is that none of the official image repositories on Docker Hub were affected. That is good news, but the incident as a whole highlights several problems, most of which are not unique to Docker.

Blind trust in the toolset

As technology has shifted into the cloud, new services have appeared that make the old challenge of integrating diverse systems easy. A few clicks in service D, a couple more in service G, and now all my Docker images are autobuilt any time I push a change. This level of integration and automation is wonderful and makes us all more productive. It also carries real risk and a potentially serious cost. The overall security of such an integrated, cloud-services-enabled landscape is only as strong as its weakest link. When users’ requests for MFA on a platform have gone unanswered for almost four years, as they have on Docker Hub, think carefully before granting that platform write access to your source code.

These risks are not unique to Docker Hub. More and more of the base code and images we build on are pulled, effectively unvetted, from the public internet. Was the image you pulled into your environment built from a repository that was compromised? Does it now carry malicious code that nothing in your pipeline would detect? We’ve traded security and trust for velocity and ease of use.

Building Trust

What can be done to restore trust to our workflows, our automated build pipelines, and the services and applications they produce? In the case of Docker, a few steps make sense and will improve the security of your containers.

  1. Build your own images. Start from a base OS image and add your applications and services on top of it, rather than inheriting whatever an unknown third-party image happens to contain.
  2. Scan your images as part of the image build pipeline, and fail the build on findings. Open source tools such as Clair and Anchore make this straightforward.
  3. Sign your container images with Notary, the Cloud Native Computing Foundation (CNCF) project behind Docker Content Trust, and enforce signature verification on pull so that only images your pipeline signed can run.
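As an added example (not code from the post, from Docker or from Edgewise), here is a gate you could run in front of step 1 and alongside step 2: it refuses any Dockerfile whose FROM lines pull a base image that is not pinned by digest or does not come from an allowlisted source. Digest pinning is what answers the earlier question about a compromised repository, since a tag can be re-pointed at a malicious image while a digest cannot. The TRUSTED_PREFIXES allowlist, the sample Dockerfiles and the placeholder digest are constructed for illustration.

```python
"""Pipeline gate: refuse Dockerfiles whose base images are not both
digest-pinned and pulled from an allowlisted source.

Added example for this post; not code from the post, Docker or Edgewise.
TRUSTED_PREFIXES, the sample Dockerfiles and the placeholder digest are
constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Assumption: base images may only come from the organisation's own
# registry or from the Docker Hub official library.
TRUSTED_PREFIXES = ("registry.example.internal/", "docker.io/library/")

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'host[:port]/ns/repo[:tag][@sha256:...]' into (name, tag, digest).
    A ':' only denotes a tag when it comes after the last '/', so a registry
    port such as localhost:5000 stays part of the name."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def normalize(name: str) -> str:
    """Expand Docker Hub short names the way the docker CLI does:
    'alpine' -> 'docker.io/library/alpine', 'user/app' -> 'docker.io/user/app'."""
    first = name.split("/", 1)[0]
    has_registry = "." in first or ":" in first or first == "localhost"
    if has_registry:
        return name
    if "/" not in name:
        return "docker.io/library/" + name
    return "docker.io/" + name


def check_base_image(ref: str) -> List[str]:
    """Policy violations for one base-image reference (empty list means OK)."""
    if ref == "scratch":  # reserved empty image, nothing is pulled
        return []
    name, tag, digest = parse_reference(ref)
    problems = []
    if not normalize(name).startswith(TRUSTED_PREFIXES):
        problems.append(f"{ref}: base image is not from a trusted source")
    if digest is None:
        problems.append(f"{ref}: not pinned by digest (a tag can be re-pointed after a compromise)")
    elif not DIGEST_RE.match(digest):
        problems.append(f"{ref}: malformed digest")
    if tag == "latest" or (tag is None and digest is None):
        problems.append(f"{ref}: floating 'latest' tag")
    return problems


def check_dockerfile(text: str) -> List[str]:
    """Run check_base_image over every FROM line. A FROM that names an earlier
    build stage (multi-stage builds) pulls nothing and is skipped."""
    violations: List[str] = []
    stages = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # FROM [--platform=<p>] <image> [AS <stage>]
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            violations.append(f"line {lineno}: FROM without an image")
            continue
        if args[0] not in stages:
            violations.extend(f"line {lineno}: {p}" for p in check_base_image(args[0]))
        upper = [a.upper() for a in args]
        if "AS" in upper and upper.index("AS") + 1 < len(args):
            stages.add(args[upper.index("AS") + 1])
    return violations


# Constructed samples. The digest is a placeholder of the right shape, not
# the digest of any real image.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4

GOOD_DOCKERFILE = f"""\
FROM docker.io/library/alpine:3.9@{PLACEHOLDER_DIGEST} AS build
RUN apk add --no-cache ca-certificates
FROM scratch
COPY --from=build /etc/ssl/certs /etc/ssl/certs
"""

BAD_DOCKERFILE = """\
FROM ubuntu
FROM someuser/base:latest
FROM node:10 AS build
FROM build
"""

if __name__ == "__main__":
    for label, df in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        found = check_dockerfile(df)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for v in found:
            print("  ", v)
```

Run it as the first job of the build and fail the pipeline on a non-empty result; the scanner from step 2 and the Notary signing from step 3 then only ever see images whose ancestry was pinned and allowlisted.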

Those items are a great start toward running secure and trusted containerized workloads in your environment. The last step is to implement zero trust networking: allow only trusted applications to communicate on your network, containerized or not. We at Edgewise Networks can help with that and would love to talk about how.

Written by Sean Lutner, Infrastructure Architect

Sean is the Infrastructure Architect at Edgewise, responsible for all the things that make the Edgewise platform performant, scalable, and secure behind the scenes. With nearly two decades of experience in positions contributing to and leading infrastructure and security teams at a diverse range of companies spanning many industries, he brings the viewpoint of the customer with him to the Edgewise product.