Researchers at Aqua Security are calling urgent attention to the public exposure of Kubernetes configuration secrets, warning that hundreds of organizations and open-source projects are vulnerable to this “ticking supply chain attack bomb.”
In a research paper, Aqua researchers Yakir Kadkoda and Assaf Morag said they found Kubernetes secrets in public repositories that allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat.
“Among the companies were SAP’s Artifacts management system with over 95 million artifacts, two top blockchain companies, and various other fortune-500 companies.”
These encoded Kubernetes configuration secrets were uploaded to public repositories,” the researchers warned.
Kubernetes secrets are essential for managing sensitive data within the open-source container orchestration environment. However, these are often stored unencrypted in the API server’s underlying datastore, making them vulnerable to attacks.
The Aqua research team said it focused on two types of Kubernetes secrets — dockercfg and dockerconfigjson — that store credentials for accessing external registries and used GitHub’s API to identify instances where Kubernetes secrets were inadvertently uploaded to public repositories.
“We uncovered hundreds of instances in public repositories, which underscored the severity of the issue, affecting private individuals, open-source projects, and large organizations alike,” the team said.
From the research paper:
“We conducted a search using GitHub’s API to retrieve all entries containing .dockerconfigjson and .dockercfg. The initial query yielded over 8,000 results, prompting us to refine our search to include only those records that contained user and password values encoded in base64. This refinement led us to 438 records that potentially held valid credentials for registries.
Out of these, 203 records, approximately 46%, contained valid credentials that provided access to the respective registries. In the majority of cases, these credentials allowed for both pulling and pushing privileges. Moreover, we often discovered private container images within most of these registries. We informed the relevant stakeholders about the exposed secrets and steps they should take to remediate the risk.”
The Aqua team said it found that many practitioners sometimes neglect to remove secrets from the files they commit to public repositories on GitHub, leaving sensitive information exposed.
“[They are] merely a single base64 decode command away from being revealed as plaintext secrets,” the researchers warned.
In one case, the team said it discovered valid credentials for the Artifacts repository of SAP SE that provided access to more than 95 million artifacts, along with permissions for download and limited deploy operations.
“The exposure of this Artifacts repository key represented a considerable security risk. The potential threats stemming from such access included the leakage of proprietary code, data breaches, and the risk of supply chain attacks, all of which could compromise the integrity of the organization and the security of its customers,” the company said.
Aqua said it also found secrets to the registries of two top-tier blockchain companies and valid Docker hub credentials associated with 2,948 unique container images.
Related: ‘Secrets Sprawl’ Haunts Software Supply Chain Security
Related: Kubernetes Vulnerability Leads to Remote Code Execution
Related: PyPI Packages Found to Expose Thousands of Secrets
Related: Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor
