Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jonathan Gonzalez, Principal Technical Security, AT&T; John Hogoboom, Lead Technology Security, AT&T; and Jim Clausing, Principal Member of Technical Staff, AT&T.
Jonathan: Twenty percent of the top 1,000 Docker images have at least one high vulnerability.
Jim: Jonathan, I understand you have a story on vulnerable Docker containers.
Jonathan: Yes, Jim. Thank you. Actually, I'm going back in time a little bit. Two months ago when I was last here, I brought up a story about Alpine Linux and the root account having an empty password. Well, it seems Jerry Gamblin from Kenna Security was inspired to try to figure out how many more there were. He started trying to figure out things like, "How do I scan a Docker image from Docker Hub?"
Around the same time, in May, a group from Japan made an open source application called Trivy which allows you to pull a Docker image from the hub or a private registry and actually scan, run, extract the contents of it and find out what vulnerabilities are running at the OS level or even in some applications. I think they are covering Node and NPM applications and Yarn, and others. The researcher was saying, "Perfect, the tool that I need to be able to run, to find out what's going on in these images." He ran this tool through the top ~10,000 most pulled images in Docker and put the results out on the web. The website is vulnerablecontainers.org.
John: That might be a good thing if you're big in the Docker space and you're making your own containers and images that you use as part of your production process to identify if you have any vulnerabilities in a container that you're building or using.
Jonathan: One of them he mentioned on Twitter that is a little scary is Ruby on Rails, which is very popular. There was an image called Rails that was deprecated about two years ago. Two years' worth of vulnerabilities in the OS and everything else - and people are kinda still pulling from it. Docker officially moved it to a new image called Ruby. But if you aren’t aware that the name changed...
John: That’s confusing.
Jonathan: Correct. And kind of misleading, because you can get the latest tag and keep pulling the latest image, but if they haven't updated in two years...
John: And they moved it to a different name…
Jonathan: The researcher points out that there's no clear way for someone pulling the image to know that it's been deprecated unless you go to Docker Hub and see the description that says deprecated, right?
John: Right, right.
Jonathan: So hopefully, they're talking about putting something in the command line to tell you, "Hey, stop using this," "Rails is deprecated, grab the latest from Ruby."
John: Right, right. Interesting.
Jonathan: You know, millions of downloads, millions of pulls. You can keep pulling what you think is the latest but in reality, no updates coming.
John: So I think there's room in the Docker community to make users of Docker containers more aware of a potential issue with the container that they're importing or pulling in.
Jonathan: Please check out the list that Jerry Gamblin released of all these vulnerable Docker images - it's a lot. A lot of images that are maybe running an old OS or running vulnerable applications. This tool might help you have a better idea of what you're using in your environment.
John: Right. I was looking at the article, and I noticed that they said, "Over 20% of them contained at least one vulnerability that'd be considered high risk." As an attacker, I’d be interested in knowing which of these containers have remotely exploitable vulnerabilities so I could go try to find more of them on the internet and things like that. I haven't looked at their website to see how they score these, but they have their own risk scores.
Jonathan: Yes, I think Kenna Security has their own risk score, and it's some value between 0 and 1,000. So there is a column for that, and I think if you see something with a Kenna score of 600 or more, you should really figure out how to either patch that or use whatever version is the latest for that specific image.
Jim: With Docker, you're containerizing it, but you're mostly worried about your applications that you build on top of multiple other Docker images. How many people pay attention to the patches that are getting applied to the images that they're building on top of?
John: Right. You forget that these things get updated so quickly - maybe if you use a tool like this where it shows you your image actually has X amount of issues, updates with this latest one, it would be a useful warning. Definitely, something to keep an eye on. Docker, containers, and containerization have become really hot over the past couple of years. It really has taken a lot of the market share over virtualization because they're lighter weight and you can do more. So, thanks, Jonathan.