A recent study conducted by researchers at the RWTH Aachen University in Germany has uncovered a significant security issue in Docker Hub, the popular cloud-based repository for Docker images. Tens of thousands of container images hosted on Docker Hub were found to contain confidential secrets, including private keys and API secrets, posing a serious risk to software, online platforms, and users.
Docker Hub and Container Images
Docker Hub serves as a repository for the Docker community to store, share, and distribute Docker images. These container images are essentially templates that include all the necessary components to deploy an application in Docker, such as software code, runtime, libraries, environment variables, and configuration files.
The Study Findings
The researchers analyzed 337,171 images from Docker Hub and from private registries to assess the extent of the problem. Their analysis revealed that approximately 8.5% of the examined images contained sensitive data, such as private keys and API secrets. Such secrets underpin the security of everything built on them, for example the certificates issued for the leaked private keys.
Exposure of Private Keys and API Secrets
Using data analysis techniques, the researchers identified 52,107 valid private keys and 3,158 distinct API secrets in 28,621 Docker images. These figures were validated by excluding test keys, example API secrets, and invalid matches. The majority of the exposed secrets (95% of the private keys and 90% of the API secrets) were found in single-user images, suggesting that they were leaked unintentionally.
Impact on Docker Hub and Private Registries
The study revealed that Docker Hub had a higher percentage of secret exposure, with 9.0% of its images containing sensitive data. In contrast, images sourced from private registries had a lower rate of secret exposure, at 6.3%. This discrepancy suggests that Docker Hub users may have a poorer understanding of container security compared to those setting up private repositories.
Compromised Certificates and Hosts
The researchers also investigated the actual use of the exposed secrets and discovered alarming results. They found 22,082 compromised certificates that relied on the exposed private keys, including both private CA-signed and public CA-signed certificates. Of particular concern were the 1,060 public CA-signed certificates, which are widely accepted and used by a large number of users. Only 141 of the CA-signed certificates were still valid at the time of the study, which limits the immediate risk.
To assess the real-world impact, the researchers utilized internet-wide measurements from the Censys database and identified 275,269 hosts that relied on compromised keys. These hosts included MQTT and AMQP hosts transferring privacy-sensitive IoT data, FTP, PostgreSQL, Elasticsearch, and MySQL instances serving potentially confidential data, SIP hosts used for telephony, SMTP, POP3, and IMAP servers used for email, SSH servers, and Kubernetes instances.
Implications and Recommendations
The widespread exposure of confidential secrets in Docker Hub images highlights a significant problem in container security. It also underscores the need for greater care in the creation and sanitization of container images to prevent the inclusion of sensitive information.
To mitigate the risks associated with exposed secrets, Docker Hub users and those setting up private repositories must treat container security as a priority. This includes regularly scanning container images for secrets before they are published, enforcing proper access controls on registries, and following established practices for secrets management so that credentials are injected at runtime rather than baked into image layers.
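As an added example (my own code, not from the study or from Docker), the scanner below implements the "scan container images for secrets" recommendation against a `docker save` style tarball. It walks every layer independently, flags PEM private keys and API-key-shaped strings, drops known documentation examples and PEM bodies that do not decode to key material (mirroring the study's exclusion of test keys, example secrets and invalid matches), and reports secrets that a later layer deletes with a whiteout entry but that still ship inside an earlier layer. The two-layer image, the PEM body and the AKIA value are constructed in memory; the regexes, the example allowlist and the file layout are my assumptions, not the study's methodology.

```python
"""Layer-by-layer secret scan of a `docker save` tarball (added example, constructed data)."""
import base64
import io
import json
import re
import tarfile

PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----\s*(.*?)\s*-----END",
    re.S,
)
# Assumed token shapes; extend with the formats your organisation issues.
API_SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
}
# Documentation examples are noise, not leaks (the study also dropped example secrets).
KNOWN_EXAMPLE_SECRETS = {b"AKIAIOSFODNN7EXAMPLE"}


def looks_like_der_key(body: bytes) -> bool:
    """Cheap validity filter: body must be base64 and decode to a DER SEQUENCE
    (0x30) or to OpenSSH's own 'openssh-key-v1' container. Placeholder text such
    as 'EXAMPLE_KEY' fails base64 decoding and is treated as an invalid match."""
    try:
        raw = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return False
    return len(raw) > 2 and (raw[0] == 0x30 or raw.startswith(b"openssh-key-v1"))


def scan_blob(path: str, data: bytes, layer: str) -> list[dict]:
    """Return findings for one file; key material itself is never copied into the report."""
    findings = []
    for m in PRIVATE_KEY_RE.finditer(data):
        if looks_like_der_key(m.group(1)):
            findings.append({"layer": layer, "path": path, "kind": "private_key"})
    for kind, rx in API_SECRET_PATTERNS.items():
        for m in rx.finditer(data):
            if m.group(0) not in KNOWN_EXAMPLE_SECRETS:
                findings.append({"layer": layer, "path": path, "kind": kind})
    return findings


def scan_layer(layer_name: str, layer_bytes: bytes) -> tuple[list[dict], list[str]]:
    """Scan one layer tar. Returns (findings, paths deleted by '.wh.' whiteout entries)."""
    findings, whiteouts = [], []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            dirname, _, base = member.name.rpartition("/")
            if base.startswith(".wh."):  # overlay whiteout: file removed in this layer
                whiteouts.append((dirname + "/" if dirname else "") + base[4:])
                continue
            if member.isfile():
                findings.extend(scan_blob(member.name, tf.extractfile(member).read(), layer_name))
    return findings, whiteouts


def scan_image(image_tar: bytes) -> dict:
    """Scan every layer listed in manifest.json. A secret deleted in a later layer is
    still present in the earlier layer's tar, so it is reported under deleted_but_present."""
    report = {"findings": [], "deleted_but_present": []}
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as tf:
        for image in json.load(tf.extractfile("manifest.json")):
            first_seen = {}  # secret path -> layer that introduced it
            for layer_name in image["Layers"]:
                findings, whiteouts = scan_layer(layer_name, tf.extractfile(layer_name).read())
                report["findings"].extend(findings)
                for f in findings:
                    first_seen.setdefault(f["path"], layer_name)
                for deleted in whiteouts:
                    if deleted in first_seen:
                        report["deleted_but_present"].append(
                            {"path": deleted, "secret_in_layer": first_seen[deleted],
                             "deleted_in_layer": layer_name})
    return report


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: layer 1 bakes secrets in, layer 2 'deletes' the key."""
    fake_der = base64.b64encode(b"\x30\x82\x01\x00" + bytes(64))  # constructed, not a real key
    key_pem = b"-----BEGIN RSA PRIVATE KEY-----\n" + fake_der + b"\n-----END RSA PRIVATE KEY-----\n"
    test_key = b"-----BEGIN PRIVATE KEY-----\nEXAMPLE_KEY_DO_NOT_USE\n-----END PRIVATE KEY-----\n"
    env = (b"AWS_ACCESS_KEY_ID=AKIA" + b"Z" * 16 + b"\n"  # constructed value
           b"DOCS_EXAMPLE=AKIAIOSFODNN7EXAMPLE\n")      # AWS documentation example, allowlisted
    layer1 = _tar_bytes({"app/id_rsa": key_pem, "app/config.env": env, "app/test/fixture.pem": test_key})
    layer2 = _tar_bytes({"app/.wh.id_rsa": b""})  # RUN rm app/id_rsa in a later build step
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/app:latest"],
                            "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "layer1/layer.tar": layer1, "layer2/layer.tar": layer2})


if __name__ == "__main__":
    print(json.dumps(scan_image(build_sample_image()), indent=2))
```

On the sample image the scanner reports two findings (the PEM key and the constructed AKIA value, both in layer 1), skips the fixture key and the documentation example, and flags `app/id_rsa` as deleted in layer 2 yet still shipped in layer 1. That last case is the one image authors most often miss: `RUN rm` in a later step hides a file from the running container but not from anyone who pulls the image and inspects its layers.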
By addressing these security concerns and taking proactive steps to protect against the exposure of confidential secrets, the Docker community can enhance the overall security and integrity of containerized applications.