Yesterday (26/09/18) The Register released a post titled "an exposed Docker server lands internal source code, config files on public internet". Despite the incident being of great severity, this publication did not surprise us.
In 2017, Twistlock Labs uncovered hundreds of exposed instances of Docker Registry services, and also of Dockerd (the Docker daemon, i.e. the Docker management process). We presented the findings at DockerConEU17, in my talk "Real World Security: Software Supply Chain" with Docker's senior security engineer, David Lawrence. We later approached the companies that we could identify as the owners of the exposed registries in order to responsibly disclose this weakness in private.
Since that time, Twistlock Labs has focused on how developers around the world build and deploy cloud native applications, and how these applications are maintained and operated by companies around the world.
When revisiting the issue, our recent findings show that there are actually fewer Docker services exposed to the public today; to be more specific, we saw a decrease of 35% since the original survey. But this recent news shows that the issue persists and even magnifies with other types of registries and services.
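As an added example (not Twistlock's code), here is a small self-audit helper for the two exposure types discussed above: it classifies responses from a Docker Registry v2 endpoint (`/v2/`, default port 5000) and from the Docker Engine API (`/_ping`, default unencrypted TCP port 2375) on hosts you administer, so an operator can confirm whether anonymous access is possible. The ports, header values and the "OK" ping body are the upstream defaults; the classification labels are this example's own.

```python
"""Self-audit helper: classify Docker Registry (/v2/) and dockerd (/_ping)
responses on hosts you administer, to spot unauthenticated exposure."""
import urllib.error
import urllib.request

REGISTRY_HDR = "docker-distribution-api-version"  # set by every v2 registry


def classify_registry(status, headers):
    """Classify a /v2/ response. `headers` is a dict with lower-case keys."""
    if status == 200 and headers.get(REGISTRY_HDR, "").startswith("registry/2.0"):
        return "open"            # catalog/manifest API reachable anonymously
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"   # token or basic auth is enforced
    return "not-a-registry"


def classify_dockerd(status, body):
    """Classify a /_ping response from the Docker Engine API."""
    if status == 200 and body.strip() == b"OK":
        return "open"            # daemon API answers without TLS client auth
    return "not-dockerd"


def fetch(url, timeout=5):
    """GET `url`; return (status, lower-cased headers, body). status=None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, b""
    except (urllib.error.URLError, OSError):
        return None, {}, b""


def audit_host(host):
    """Check both endpoints on one host you own; returns a dict of findings."""
    findings = {}
    status, hdrs, _ = fetch(f"http://{host}:5000/v2/")
    if status is not None:
        findings["registry"] = classify_registry(status, hdrs)
    status, _, body = fetch(f"http://{host}:2375/_ping")
    if status is not None:
        findings["dockerd"] = classify_dockerd(status, body)
    return findings


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:          # e.g. python audit.py registry.internal.example
        print(h, audit_host(h))
```

Any host reported as `open` should be put behind authentication (a token service or reverse-proxy auth for the registry, TLS client certificates or a local socket for dockerd) and removed from public address space.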