Don’t Want Security Issues? Then Don’t Misuse Your Images and Image Registries!

 In Environment

Ensuring the secu­ri­ty of your con­tain­er envi­ron­ment requires mul­ti­ple steps. One of those that orga­ni­za­tions some­times over­look is defend­ing your con­tain­er images. If you don’t take this into con­sid­er­a­tion, you could leave your­self open to attack.

This blog post will pro­vide a primer on what con­tain­er images are and how they func­tion in your container environment. It will then explain how attack­ers can poten­tial­ly misuse your con­tain­ers to steal your sen­si­tive infor­ma­tion. Finally, it’ll con­clude by explain­ing how you can use Kubernetes to safe­guard your con­tain­er images.

What is a container image?

As defined by TechTarget, a con­tain­er image is a static file that con­tains exe­cutable code includ­ing system libraries, tools and other resources that a pro­gram needs to run in a con­tainer­ized envi­ron­ment. This prop­er­ty allows the con­tain­er image to run as an iso­lat­ed process on IT infra­struc­ture. Not only that, but the con­tain­er image is also com­piled from the file system layers of a base image, thus free­ing you from need­ing to create some­thing from scratch.

Container images are ben­e­fi­cial in that they down­load quick­ly and start instant­ly. As such, these assets con­sumer fewer com­put­ing resources than vir­tu­al machines (VMs). Container images are also inter­op­er­a­ble inso­far as they use open stan­dards and oper­ate across dif­fer­ent infra­struc­ture.

What security risks are involved with containers?

Unfortunately, con­tain­er images aren’t with­out secu­ri­ty risks. Container images may some­times suffer from vul­ner­a­bil­i­ties. IBM pro­vid­ed the exam­ple of how a mali­cious actor could exploit CVE-2019 – 5021, a Docker image vul­ner­a­bil­i­ty, to obtain super-user priv­i­leges within a con­tain­er. Alternatively, they could abuse a vul­ner­a­bil­i­ty in sqlite3 3.26.0 to send a mali­cious SQL com­mand via remote code exe­cu­tion. These and other types of secu­ri­ty flaws could enable a mali­cious actor to gain unre­strict­ed access to a con­tain­er image, move lat­er­al­ly through­out the con­tain­er envi­ron­ment and/or com­pro­mise sen­si­tive data.

Before you con­tin­ue read­ing, how about a follow on LinkedIn?

The secu­ri­ty con­cerns asso­ci­at­ed with con­tain­er images don’t end there, either. Tech Target noted that mali­cious actors can create looka­like images public con­tain­ers to prey upon your orga­ni­za­tion. In this type of attack, a user pulls a con­tain­er image that secret­ly con­tains mali­cious code from a reg­istry. The trick is that the con­tain­er image is actu­al­ly a looka­like of anoth­er pro­gram, mean­ing that the user will be inclined to think it’s legit­i­mate so that they’ll run it on their envi­ron­ment. Using its mali­cious code, how­ev­er, the looka­like image is capa­ble of grant­i­ng attack­ers access to the infect­ed envi­ron­ment so that they can search for sen­si­tive infor­ma­tion.

A sim­i­lar prob­lem arises when the user wants to pull a con­tain­er image from an unknown source. As Kubernetes notes on its website, that’s the equiv­a­lent of run­ning soft­ware from an unknown vendor on one of your pro­duc­tion servers. It’s a risky move, as you have no idea what that con­tain­er image might do. In the worst case, it could adverse­ly affect the organization’s oper­a­tions or empow­er mali­cious actors to access the net­work.

How Kubernetes can help securely use container images

In a blog post, StackRox notes that orga­ni­za­tions should embrace a strong gov­er­nance policy when it comes to using con­tain­er images. This policy should con­sist of sev­er­al ele­ments:

Avoid Pulling Containers from Unknown Sources

Given the threats asso­ci­at­ed with con­tain­er images from unknown sources, you should con­sid­er set­ting up a secu­ri­ty policy that allows you to pull images from autho­rized repos­i­to­ries only. Sqreen goes on to point out that such a policy should also pro­hib­it you from using images that you haven’t ana­lyzed pre­vi­ous­ly.

Scan Your Images for Vulnerabilities

As con­tain­er images often­times suffer from vul­ner­a­bil­i­ties, it’s impor­tant that you be proac­tive about track­ing these secu­ri­ty flaws. One of the ways you can do this is by using a vul­ner­a­bil­i­ty scan­ner that ana­lyzes images that you’ve sub­mit­ted to a reg­istry. There are tools that notify you if your con­tain­er image suf­fers from a vul­ner­a­ble pack­age, explain to you how a mali­cious actor could poten­tial­ly exploit it and guide you through the task of solv­ing those secu­ri­ty issues.

Build a Security Pipeline for Your Container Images

Vulnerability scan­ning and cau­tion around unknown sources should both factor as com­po­nents in a larger con­tain­er image secu­ri­ty strat­e­gy. Kubernetes’ devel­op­ers recommend that you use this type of plan to store approved images within only pri­vate reg­istries so as to limit the number of poten­tial images that could enter your pipeline from pub­licly avail­able sources. You should also use it to vet the code that’s used to build the images and to scan for vul­ner­a­bil­i­ties. If there is an issue, the secu­ri­ty assess­ment should trig­ger an alert that flags the image for review.

Configure Image Signing and Enforcement

Last but not least, it’s a good idea to con­sid­er main­tain­ing a system of trust with your con­tain­ers. You can use a system like Docker Content Trust to make sure there’s a tool in place for sign­ing your con­tain­er images. You should then con­sid­er using a tool to deter­mine that con­tain­er images are signed before they receive autho­riza­tion to enter the clus­ter.

Image sign­ing and enforce­ment through tools can main­tain a system of trust among the con­tain­ers. #cyber­se­cu­ri­ty #respect­da­ta Click to Tweet

CPO Magazine source|articles

Recommended Posts

Start typing and press Enter to search