Containers under attack: What your app sec team needs to know

As a network-penetration expert, Wesley McGrew regularly runs red-team exercises against the networks of his clients, and increasingly he is seeing containerized applications being targeted.

While containers bring the benefits of standardization, isolation, and the principle of least privilege to the development of cloud-based software, they can be a boon for attackers. Containerized applications don't necessarily introduce any new vulnerabilities, but they do present additional attack vectors. 

McGrew, the director of cyber operations at HORNE Cyber, spoke at Black Hat USA about attacking containerized applications. Here are the main ways he and others said attackers compromise containers.

Application Security Research Update: The State of App Sec in 2018

Container vulnerabilities: All about the applications

At last year's Black Hat conference, researchers from Aqua Security reported that they had uncovered a vulnerability that allowed a malicious web page to execute a Docker build, and create—and spread—compromised containers. The attack, which was fixed at the time of the disclosure, could allow an attacker to spread malicious containers after compromising a developer's account.

Such vulnerabilities are rare, however. Much more common are attackers who find ways to exploit vulnerable application components hosted in a container or exploit older containers, said Amir Jerbi, chief technology officer and co-founder of Aqua Security, a container-security firm.

"The attacks are generally not on the containers themselves, but on the applications running in them. The developer is installing all the software pieces in the container, and, because of that, the applications themselves are running with less hardening."
Amir Jerbi

Container-based applications are networks

While getting an initial foothold in a containerized application may be as difficult as finding an entry point into a monolithic application, once an attacker has access, the environment will likely seem familiar. In a containerized application, the components communicate over a TCP/IP network and use REST-based APIs, said HORNE's McGrew.

Rather than having to have all this low-level knowledge of the systems as the attacker, you already have an existing body of knowledge for attacking networks, he said.

"So it lowers the bar for the attacker. They can be more effective against applications than when they were looking at monolithic applications."
Wesley McGrew

However, containers' standardization, and the ability for developers to create an API, also can work in the defender's favor. By creating a model of how the application behaves, defenders can look at the application as a network and detect anomalies, said John Morello, chief technology officer of Twistlock, a container security firm.

"You can create a reference model for what is normal inside an application, so anything outside of that is an anomaly. We can automatically detect any anomalies."
John Morello

Compromised containers can be a gateway

Still, many developers do not manage and maintain their containers adequately. In many cases, a container image may host outdated software that has vulnerabilities. In other, less common cases, the containers may have back-door functionality for mining cryptocurrency or for further compromising cloud infrastructure.

In May, for example, security firm Fortinet discovered attackers using a vulnerability to install containers that had coin-mining software embedded inside. While the containers were likely meant for download only after an attacker successfully compromised a victim's system, the attack had been successful, with more than 100,000 images pulled down to victims' systems.

Between intentionally malicious containers and inadvertently vulnerable containers, defenders need to pay close heed to their configurations, said HORNE's McGrew.

"On one hand, it is so much easier and more lightweight to develop and deploy containers. But it is scary how easy it is to create a Frankenstein of containers connected to each other and create a vulnerable system."
—Wesley McGrew

The golden rule for developers configuring containers—or inspecting publicly available containers—is to check everything, he said.

"They should not expose unneeded services to each other; they should require some sort of authentication to each other," McGrew said. "There should not be any additional functionality for someone to exploit."

Container security pluses and minuses

Once you are in a containerized application, further compromising the software is easier because of the standard way that containers communicate with each other, he said.

"In a monolithic application, you are exploring one large codebase, so you are talking about, perhaps, using memory-corruption vulnerabilities and walking around in memory and disassembling things," he said. "Once you are in the containerized application … then it turns into a penetration test of what essentially is a network, and you can leverage common attack skills—you are just doing it inside of an application now."

McGrew and other experts argued that containers can add more security to applications, but also present some unique opportunities for attackers. Compromising a containerized application usually requires that attackers find a vulnerability in the software installed in the container, whether in the main application or outdated components of the code.

Banjot Chanana, vice president of product for Docker, which develops and maintains the most popular container ecosystem, said the problem was the approach, not comntainers.

"There are many images that are vulnerable, mainly because the person who put them up there had no intention of maintaining them, and they are now stale and not up to date."
Banjot Chanana

In addition, security firms have found container images that host software for mining cryptocurrency. While it's unlikely the developers will be fooled into downloading these images, attackers have already tried to sneak Trojan code into insecure installations of containers.

Topics: Security