Exposed Kubernetes Secrets Allow Hackers to Access Sensitive Environments

Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. 

Besides this, hackers often target Kubernetes due to its widespread adoption, making it a valuable attack vector for compromising and controlling distributed systems. 

Security vulnerabilities in Kubernetes configurations can lead to the following:-

• Unauthorized access
• Data breaches
• Disruption of critical services

Cybersecurity researchers at Aqua Nautilus recently discovered exposed Kubernetes secrets in many organizations, posing a severe supply chain attack threat by granting access to sensitive SDLC environments.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Register for Free

Technical analysis

SAP’s system had 95 million artifacts, and not only that, but even top blockchain firms and Fortune 500s were also there.

Kubernetes.io has a Secrets config section, and by default, it stores them in unencrypted form in etcd (API server’s underlying datastore).

There are eight Secret types, and security analysts focus on:- 

• dockercfg
• dockerconfigjson

In this scenario, the exploitation potential varies, as the basic-auth, tls, and ssh-auth need cluster details. Meanwhile, for internal exploits, the service account token is critically valuable.

Eight built-in types of Secrets:-

• Opaque
• kubernetes.io/service-account-token
• kubernetes.io/dockercfg
• kubernetes.io/dockerconfigjson
• kubernetes.io/basic-auth
• kubernetes.io/ssh-auth
• kubernetes.io/tls
• bootstrap.kubernetes.io/token

Security analysts used GitHub API to bypass the 1,000 limit with the help of a recursive search. Besides this, the complex regex targets YAML files with dockercfg/dockerconfigjson and base64-encoded secrets. 

Hundreds of cases were found by analysts in public repositories, highlighting the seriousness of the problem that affects the following entities:-

• Individuals
• Open-source projects
• Large organizations

Researchers found 8,000 GitHub entries with .dockerconfigjson and .dockercfg. After refining the search to the base64-encoded user and password values, 438 records with potential credentials were identified. 

About 46% (203 records) had valid credentials, granting access to registries for pulling and pushing. Many registries contained private container images. 

Stakeholders were notified to address the exposed secrets. The dockerconfigjson field in Kubernetes stores Docker registry access credentials, enabling:- 

• Image pull
• Image push

Exposed registries

Use cases

While analyzing the 203 registries with valid credentials, analysts uncovered cases highlighting risks of exposed registries to organizations or open-source projects, with a focus on:-

• Red Hat
• Quay
• Docker Hub

Here below, we have mentioned all the use cases:-

• Use Case #1: SAP SE artifacts repository
• Use Case #2: Blockchain companies
• Use Case #3: Docker Hub accounts

Mitigations

Here below, we have mentioned all the provided mitigations:-

• Remove from GitHub files containing sensitive information.
• Use a Secrets Management Tool.
• Use Environment Variables.
• Encrypt Data at Rest.
• Audit and Rotate Secrets.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.