Home Security News Exposed: The Hidden Dangers of Kubernetes Configuration Secrets and How to Protect Your Organization

Exposed: The Hidden Dangers of Kubernetes Configuration Secrets and How to Protect Your Organization

Posted: November 28, 2023

a group of blue squares

Discovery of Kubernetes Configuration Secrets Exposure

After conducting exhaustive research, Aqua Security's Team Nautilus discovered a critical issue about Kubernetes Configurations. The team found that Kubernetes secrets, important configuration access, and permissions sets were left exposed publicly on different open-source repositories.

It was reported that numerous Kubernetes configurations were found leaking sensitive secrets during the scanning of Docker Hub and GitHub. This issue affects many organizations and open-source projects that utilize Kubernetes. This unintended and unfortunate exposure of secrets can provide unauthorized individuals with access to confidential and sensitive information, potentially leading to devastating security breaches.

Research by Aqua Security reveals public exposure of Kubernetes secrets

Team Nautilus’s research findings reveal that developers frequently unknowingly commit sensitive Kubernetes secrets into their repositories’ code archives. The security issues became apparent after the team scanned over four million Helm charts and Docker images. These contained valuable configurations and secrets associated with popular services such as AWS, Google Cloud, Azure, Slack, Stripe, and more.

Sensitive details were found exposed in these configurations, including API tokens, usernames and passwords, database URLs, keys, and other confidential information. The exposed secrets pose a security risk for the impacted organizations and services and may be exploited by malicious actors for unauthorized access or even cyber-criminal activities.

The high risk of a severe supply chain attack

The unintended exposure of Kubernetes secrets signifies a major security risk, which has the potential to culminate into a severe supply chain attack. The exposure can be exploited by malicious hackers who could gain unauthorized access to these secrets and, in turn, compromise the related applications, systems, or entire infrastructures.

Supply chain attacks are particularly dangerous because they exploit the trust relationship between software developers and their users. If a hacker can commit malicious code using the stolen secrets, this malicious software may readily get accepted by end-users, considering the trusted source. This can result in a severe supply chain attack, leading to widespread breaches and potentially damaging an organization's reputation and business operations.

Focus on two types of Kubernetes secrets: dockercfg and dockerconfigjson

During their research, Aqua Security's team specifically focused on the two primary types of Kubernetes secrets: dockercfg and dockerconfigjson. These secrets are Kubernetes objects that store docker registry credentials but are frequently used to store other types of secrets. The team revealed that these secrets when committed unknowingly into repositories' codes, expose sensitive data and provide an opportunity for unauthorized access.

Use of GitHub's API to identify inadvertent uploads of Kubernetes secrets to public repositories

In an ingenious use of GitHub's API, Aqua Security's research team detected inadvertent uploads of Kubernetes secrets to public repositories. They wrote a simple script using the API that continuously scans GitHub commit history to identify such uploads.

These constant scans, focusing on secret additions, deletions, and changes in the history of commits, proved vital in identifying the public exposure of sensitive Kubernetes secrets. With the increasing popularity of Kubernetes, such scripts that alert developers about potential security risks can be an effective preventative measure against breaches.

Detection of hundreds of instances, including private individuals, open-source projects, and large organizations

The research sparked by Aqua Security led to the detection of multiple instances of public exposure, affecting numerous individual developers, open-source projects, and even large-scale organizations. In many cases, private registry tokens of these organizations were found exposed, providing unsanctioned access into their environment.

The widespread nature of the exposure underscores the immensity of the issue. As Docker images and Helm charts continue to proliferate, the potential for Kubernetes secrets exposure increases, reinforcing the necessity for robust and ongoing security practices.

Examples of Exposed Secrets

The research by Team Nautilus illuminated a series of concerning instances where Kubernetes secrets were exposed. These instances ranged from large enterprises like SAP SE to top-tier blockchain companies and Docker hub accounts associated with thousands of unique container images, thereby revealing the sweeping scale of this security concern.

Exposure of credentials for SAP SE's Artifacts repository with over 95 million artifacts

Among the most noticeable findings was the exposure of credentials for SAP SE's Artifacts repository. This repository, containing over 95 million artifacts, was left vulnerable due to the accidental exposure of Kubernetes' secrets. With these credentials, a malicious entity could have gained unauthorized access and tampered with the artifacts, creating potential breaches in security and trust within the company's software supply chain.

Secrets of two top-tier blockchain companies found

The research also unearthed the secrets of two top-tier blockchain companies. Given the sensitivity and value of the data typically stored in blockchain environments, this breach represents a significant security concern. Intruders gaining access to these secrets could launch highly detrimental attacks such as unauthorized transactions, alteration of records, or potentially gaining control over the entire blockchain network.

Docker hub credentials associated with 2,948 unique container images discovered

Another startling discovery was the detection of Docker hub credentials associated with 2,948 unique container images. The exposure of these credentials provides an entry point for attackers to manipulate container images in the Docker hub, possibly embedding malicious code or compromised components, thereby making all consumers of these images potential victims of supply chain attacks.

This discovery highlights the risks of accidental exposure to Kubernetes secrets. In a world where software supply chain attacks are becoming more prevalent, the exposure of such secrets becomes a pressing concern for cybersecurity. It necessitates a broad review and amendment of existing security practices in repository management.

Current Trends and Urgent Recommendations

Amid the ever-evolving technological landscape, certain practices pose significant threats to information security. With developers often overlooking the removal of secrets committed to public repositories, exposing sensitive information is becoming a noticeable and alarming trend. Tackling this issue requires critical awareness, immediate intervention, and long-term elevation of cybersecurity measures.

Overlooked removal of secrets committed to public repositories on GitHub

According to Aqua Security's revelations, an emerging trend in the tech world is the overlooked removal of secrets committed to public repositories on platforms like GitHub. With the haste of modern development practices, it's easy to overlook or miss the secrets inadvertently committed and pushed to public repositories. This issue is even more pronounced when using Kubernetes, a system that requires multiple configuration secrets.

When these secrets containing crucial sensitive information, are committed to public repositories, they become readily accessible to anyone browsing the repository. This oversight exposes critical data assets to potential intruders and hackers.

The severity of such practices, leading to exposure of sensitive information

The severity of these practices cannot be overstated. The exposure of sensitive information, whether credentials, sensitive tokens, or keys, to cloud environments can lead to many severe security issues. These can be as direct as unauthorized access or alteration of data or as complex as severe supply chain attacks, impacting entire organizations and their clients.

The exposure and subsequent exploitation of these sensitive secrets can lead to considerable damage and disruptions. It threatens the integrity of the code, the trust of the users, and an organization's overall cybersecurity.

The urgent need to inform stakeholders, remediate risk, and elevate cybersecurity measures

The findings underscore the urgency to inform all stakeholders of the potential risks and implement immediate remediation measures. These steps could involve implementing stringent checks during the development process, the use of ‘secrets management’ systems, and revisiting access policies across the organization.

Moreover, organizations need to elevate their cybersecurity measures, ensuring that secrets are not committed to public repositories. Regular training and development of best practices for handling sensitive information within the code should also be prioritized. Ethical hacking or "red teaming" could help identify potential security gaps and preemptively address them.

The exposure of Kubernetes' secrets is a considerable wake-up call for organizations to improve their cybersecurity strategies. It emphasizes the need to remain vigilant against the ever-present and evolving threats in the digital age.