Researchers have discovered countless misconfigured artifact repositories and container image registries, exposing organizations to potentially serious software supply chain attacks, according to Aqua Nautilus.
The security vendor found that around 250 million software artifacts and more than 65,000 container images were exposed in this way, putting at risk some of the world’s largest businesses, including several Fortune 500 companies.
Typically, artifact management systems and container registries are intentionally connected to the internet and allow anonymous users to connect, so that stakeholders around the world can access open source software. However, that is not always the case.
The report shed light on cases where “restricted environments are accidentally shared with anonymous users” and on others where teams “accidentally publish sensitive information to public areas.”
Read more on software supply chain risks: Software Supply Chain Attacks Soar 742% in Three Years.
The misconfigurations uncovered by the Aqua Nautilus team included mistakenly connecting registries to the internet, exposing secrets to public registries, using default passwords and granting excessive privileges to users. It also found cases of private container image registries that had been misconfigured to allow anonymous access, or even ones that had anonymous access built in as a feature.
“We found 57 registries with critical vulnerabilities such as default admin passwords, out of which 15 registries allowed admin access with the default password,” the report noted. “We detected more than 2100 artifact registries with upload permissions, which may allow an attacker to poison the registry with malicious code.”
Small, medium and large organizations around the world were exposed in this way, including 10 Fortune 500 companies – five of which had registries containing highly sensitive information that was exposed or allowed anonymous access. The researchers also found two cybersecurity companies with exposed secrets in their registries.
Aqua Nautilus recommended that companies mitigate the risks to their cloud-native environments by:
- Securing repositories with network controls such as VPNs or firewalls
- Introducing strong authentication and authorization, such as strong passwords and two-factor authentication
- Regularly rotating keys, credentials and secrets
- Implementing least privilege access controls, restricting access to specific repositories and artifacts as required
- Continuously scanning for sensitive information, including known vulnerabilities and secrets, and conducting regular security assessments of repositories
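The last two recommendations, and the default-password and upload-permission findings quoted above, are checks a defender can automate. The following is an added example, not code from the report or from Aqua Nautilus: `scan_layer()` walks one container image layer tarball and reports text files that contain secret patterns (an AWS access key ID shape, a private key header, or a `PASSWORD`/`SECRET`/`TOKEN` assignment), and `audit_registry_settings()` flags a default admin password, anonymous upload, a private registry exposed with anonymous pull, and users who can write to every repository. The settings dictionary is a constructed, product-neutral shape rather than any real registry's configuration, the default-password list is constructed, and the sample layer is built in memory so the script runs offline.

```python
"""Added example: offline secret scan of an image layer and a registry settings audit.
All inputs are constructed; no registry is contacted."""
import io
import re
import tarfile
from dataclasses import dataclass

# Patterns for secrets that commonly leak into images and artifacts.
SECRET_PATTERNS = {
    # AWS access key IDs: AKIA/ASIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value or KEY: value lines whose name ends in PASSWORD/PASSWD/SECRET/TOKEN.
    "credential_assignment": re.compile(
        r"(?im)^\s*[A-Z_]*(?:PASSWORD|PASSWD|SECRET|TOKEN)\s*[=:]\s*\S{8,}"),
}
# Constructed list of passwords a default-credential check should reject.
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "changeme", "123456"}
MAX_TEXT_FILE_BYTES = 1_000_000


@dataclass(frozen=True)
class Finding:
    path: str   # file path inside the layer
    kind: str   # which SECRET_PATTERNS entry matched


def scan_layer(layer_tar: bytes) -> list:
    """Walk a plain or gzip layer tarball and report text files holding secret patterns."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_TEXT_FILE_BYTES:
                continue
            data = tar.extractfile(member).read()
            if b"\x00" in data:  # binaries are skipped; only text is pattern-matched
                continue
            text = data.decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append(Finding(member.name, kind))
    return findings


def audit_registry_settings(settings: dict) -> list:
    """Return the registry-level mistakes the report lists, as severity-prefixed strings.
    `settings` is a constructed, product-neutral shape, not any real registry's config."""
    issues = []
    if settings.get("admin_password") in DEFAULT_ADMIN_PASSWORDS:
        issues.append("critical: admin account still uses a default password")
    if settings.get("anonymous_push"):
        issues.append("critical: anonymous users may upload artifacts (registry poisoning)")
    if settings.get("private") and settings.get("internet_exposed") and settings.get("anonymous_pull"):
        issues.append("high: private registry reachable from the internet with anonymous pull")
    for user, perms in settings.get("users", {}).items():
        if perms.get("scope") == "*" and "write" in perms.get("actions", ()):
            issues.append(f"medium: user {user} can write to every repository")
    return issues


def build_constructed_layer() -> bytes:
    """Build an in-memory gzip tarball standing in for one image layer (constructed sample)."""
    files = {
        "app/config.env": b"DB_HOST=db.internal\nDB_PASSWORD=s3cretValue2024\n",
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKeyBody\n-----END RSA PRIVATE KEY-----\n",
        "app/deploy.sh": b"#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n",
        "etc/hostname": b"builder-01\n",
        "usr/bin/tool": b"\x7fELF\x00\x00not-a-real-binary",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed settings: one registry showing the report's mistakes, one hardened.
WEAK_SETTINGS = {
    "private": True, "internet_exposed": True,
    "anonymous_pull": True, "anonymous_push": True,
    "admin_password": "admin",
    "users": {"ci-bot": {"scope": "*", "actions": ["read", "write"]},
              "dev-team": {"scope": "team-a/*", "actions": ["read"]}},
}
HARDENED_SETTINGS = {
    "private": True, "internet_exposed": False,
    "anonymous_pull": False, "anonymous_push": False,
    "admin_password": "long-unique-passphrase-rotated-quarterly",
    "users": {"ci-bot": {"scope": "team-a/*", "actions": ["read", "write"]}},
}

if __name__ == "__main__":
    for f in scan_layer(build_constructed_layer()):
        print(f"secret in layer: {f.path} ({f.kind})")
    for issue in audit_registry_settings(WEAK_SETTINGS):
        print(issue)
    print("hardened settings:", audit_registry_settings(HARDENED_SETTINGS) or "no issues")
```

Run against a real image, each layer blob pulled from the registry would be passed to `scan_layer()` in turn; the binary skip and the size cap keep the scan cheap, at the cost of missing secrets embedded in compiled files, which a vulnerability scanner or a dedicated secret-scanning tool should cover. The audit function is deliberately generic: map your registry product's own settings onto the constructed keys before using it, and keep the default-password list in step with what the product ships with.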
Worryingly, although some vendors contacted by the researchers were keen to engage and take corrective action, other “major companies” ignored their warnings, the report claimed.
Some parts of this article are sourced from:
www.infosecurity-magazine.com