Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories

Nov 24, 2023 | Newsroom | Cloud Security / Data Protection


Cybersecurity researchers are warning of publicly disclosed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks.

“These encoded Kubernetes configuration secrets are uploaded to public repositories,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new study published earlier this week.

Some of those affected include two leading blockchain companies and various Fortune 500 companies, according to the cloud security firm, which used the GitHub API to retrieve all entries containing .dockerconfigjson and .dockercfg, the files that store credentials for accessing a container image registry.


Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that grant access to individual registries. Ninety-three of the passwords were manually set by individuals, as opposed to 345 that were generated by computers.

“In most cases, these credentials allow for pull and push privileges,” the researchers said. “Also, we often discover private container images within many of these registries.”

In addition, almost 50% of the 93 passwords were considered weak. These include password, test123456, windows12, ChangeMe, and dockerhub, among others.


“This highlights the critical need for organizational password policies that enforce strict password generation rules to prevent the use of weak passwords,” the researchers added.
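The two findings above, committed .dockerconfigjson/.dockercfg files and weak manually chosen registry passwords, can both be caught before a commit leaves a developer's machine. The following checker is an added example, not code from the article or from Aqua: it parses the registry credential formats named earlier (the newer format nests registries under an "auths" key, the legacy .dockercfg does not; both carry a base64-encoded "user:password" in an "auth" field), decodes each entry, and flags every committed credential, additionally marking those whose password is on a short constructed weak list or fails a simple complexity rule. The sample file, the weak-password list and the thresholds are constructed for the example; findings never include the password itself.

```python
"""Pre-commit style audit for Docker/Kubernetes registry credential files.

Added example (not from the article or Aqua's research). Parses
.dockerconfigjson and legacy .dockercfg content, decodes the base64 "auth"
field, and reports committed credentials, flagging weak passwords.
"""
from __future__ import annotations

import base64
import json
import re

# Constructed list for the example; the article names these among the weak
# passwords observed in exposed files.
WEAK_PASSWORDS = {"password", "test123456", "windows12", "changeme", "dockerhub"}
MIN_LENGTH = 12  # constructed threshold, not a value from the article


def parse_docker_config(text: str) -> dict[str, tuple[str, str]]:
    """Return {registry: (username, password)} for a credential file.

    Handles both layouts: {"auths": {registry: {...}}} (.dockerconfigjson)
    and the legacy flat {registry: {...}} (.dockercfg). Entries either carry
    "auth" = base64("user:password") or explicit "username"/"password" keys.
    """
    doc = json.loads(text)
    registries = doc.get("auths", doc)
    creds: dict[str, tuple[str, str]] = {}
    for registry, entry in registries.items():
        if not isinstance(entry, dict):
            continue  # e.g. "credsStore" or "HttpHeaders" in a full config.json
        auth = entry.get("auth")
        if auth:
            decoded = base64.b64decode(auth).decode("utf-8", errors="replace")
            # Usernames cannot contain ':', so split on the first one only.
            user, _, password = decoded.partition(":")
        else:
            user = entry.get("username", "")
            password = entry.get("password", "")
        if user or password:
            creds[registry] = (user, password)
    return creds


def is_weak_password(password: str) -> bool:
    """Known-weak value, too short, or fewer than three character classes."""
    if password.lower() in WEAK_PASSWORDS or len(password) < MIN_LENGTH:
        return True
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    return classes < 3


def audit_docker_config(text: str) -> list[dict[str, object]]:
    """One finding per credential; the secret itself is never included."""
    findings = []
    for registry, (user, password) in parse_docker_config(text).items():
        findings.append({
            "registry": registry,
            "user": user,
            "committed_credential": True,
            "weak_password": is_weak_password(password),
        })
    return findings


# Constructed sample .dockerconfigjson: one weak manual password and one
# generated-looking one. The registry names and accounts are placeholders.
SAMPLE_DOCKERCONFIGJSON = json.dumps({
    "auths": {
        "registry.example.com": {
            "auth": base64.b64encode(b"deploy:ChangeMe").decode("ascii"),
        },
        "ghcr.example.com": {
            "auth": base64.b64encode(b"ci-bot:Vq8!mZ2#pL9rTw4s").decode("ascii"),
        },
    }
})

# Constructed legacy .dockercfg sample (flat layout, extra "email" key).
SAMPLE_DOCKERCFG = json.dumps({
    "registry.example.com": {
        "auth": base64.b64encode(b"deploy:test123456").decode("ascii"),
        "email": "deploy@example.com",
    }
})

if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_DOCKERCONFIGJSON):
        print(finding)
```

Wired into a pre-commit hook, any non-empty result from audit_docker_config should block the commit: the committed_credential flag is the primary finding, because even a strong registry token grants push access once it is public; weak_password only adds the second point the researchers raise.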

Aqua said it also found instances where organizations failed to remove secrets from files committed to public GitHub repositories, leading to inadvertent exposure.

But on a positive note, all credentials related to AWS and Google Container Registry (GCR) were found to be temporary and expired, making access impossible. In the same vein, GitHub Container Registry requires two-factor authentication (2FA) as an additional layer against unauthorized access.


“In some cases, the keys are encrypted and thus have nothing to do with the key,” the researchers said. “In some cases, while the key is valid it has limited privileges, usually to drag or download a specific artifact or image.”

According to Red Hat’s State of Kubernetes Security Report released earlier this year, vulnerabilities and misconfigurations emerged as the top security concerns in container environments, with 37% of the 600 respondents reporting revenue or customer loss as a result of container and Kubernetes security incidents.
