51% of 4 million Docker images have critical vulnerabilities
Prevasio, a cybersecurity startup, has announced that it has completed the scanning of 4 million container images at Docker Hub. Nearly 51% of the images have critical vulnerabilities, and nearly 6,500 of them can be considered malicious.
According to Prevasio's analysis, half of all the images available on Docker Hub have critical vulnerabilities because they contain outdated software. The analysis also revealed that thousands of images actually contain malicious software, many of them potentially attack tools.
According to Prevasio, the malicious containers, nearly 0.16% of the total, have been downloaded more than 300 million times. They were classified as malicious because they contained malware, hacking tools, cryptocurrency miners, or trojanized applications.
The cybersecurity startup also uncovered images with dynamic payloads: the original image does not look malicious, but it is scripted to download miner source code when the container runs, compile it, and then execute it.
Prevasio used a dynamic sandbox system to download the images and build them into Docker containers, then ran the containers to detect vulnerabilities and dangerous behavior.
Prevasio's report concluded that the Linux OS, and Linux containers in particular, are not immune to security risks. Nearly half of all container images hosted on Docker Hub contained one or more critical vulnerabilities and were potentially exploitable. Only one-fifth of all the images the startup tested had no disclosed vulnerabilities.
The software supply chain needs more security effort. More attackers have begun identifying weaknesses in it and slipping malicious software onto employees' computers, bypassing perimeter security.
Docker adoption has become normal for most complex enterprise-class applications, with many large enterprises running Docker containers in some form. With containerization available everywhere, the attack surface has grown exponentially. As such, Prevasio's analysis report should be of great concern to any enterprise customer.
Prevasio warned that if a company's developer takes a shortcut by fetching a pre-built image instead of building one from scratch, there is a huge risk that the pre-built image has been trojanized. When such images end up in production, they give attackers easy backdoor access to containerized applications.
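The dynamic-payload images described above are hard to catch by scanning image layers alone, because the miner source is only fetched, compiled and run once the container starts; Prevasio's approach was to build and run each image in a sandbox. A cheap complementary check a defender can run before pulling a pre-built image is a static triage of its Dockerfile for the same fetch-compile-execute pattern. The script below is an added example, not Prevasio's tooling: it joins backslash-continued instructions, then flags unpinned base images, remote scripts piped into a shell, instructions that fetch source and compile it, and any network fetch placed in `CMD` or `ENTRYPOINT` (i.e. deferred to container start). The sample Dockerfile and its `example.invalid` URL are constructed for the example.

```python
"""Static triage of a Dockerfile for fetch-and-execute / build-at-runtime
patterns. Added example; heuristic only, it complements rather than replaces
running the image in a sandbox."""
import re
from typing import List, Tuple

# Constructed sample (hypothetical): the layers look innocuous, but the
# entrypoint clones and compiles code only when the container starts.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:20.04
RUN apt-get update && \\
    apt-get install -y build-essential git curl
WORKDIR /opt/app
COPY start.sh /opt/app/start.sh
ENTRYPOINT ["sh", "-c", "git clone https://example.invalid/repo.git src && make -C src && ./src/app"]
"""

FETCH = re.compile(r"\b(curl|wget|git\s+clone)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
COMPILE = re.compile(r"\b(make|gcc|cc|cargo\s+build|go\s+build)\b|g\+\+")

Instruction = Tuple[int, str, str]  # (line number, INSTRUCTION, arguments)


def parse_instructions(text: str) -> List[Instruction]:
    """Split a Dockerfile into instructions, joining '\\' line continuations
    and skipping blank and comment lines. Line numbers refer to the first
    physical line of each instruction."""
    instructions: List[Instruction] = []
    segments: List[str] = []
    start = 0

    def flush() -> None:
        joined = " ".join(segments)
        parts = joined.split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        segments.clear()

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not segments:
            if not line or line.startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            segments.append(line[:-1].strip())  # continuation: keep accumulating
            continue
        segments.append(line)
        flush()
    if segments:  # dangling continuation at end of file
        flush()
    return instructions


def triage(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) findings for supply-chain red flags."""
    findings: List[Tuple[int, str]] = []
    for lineno, ins, args in parse_instructions(text):
        if ins == "FROM":
            if "@sha256:" not in args:
                findings.append((lineno, "base image not pinned by digest"))
        elif ins in ("RUN", "CMD", "ENTRYPOINT"):
            fetches = bool(FETCH.search(args))
            if fetches and PIPE_TO_SHELL.search(args):
                findings.append((lineno, f"{ins}: remote script piped into a shell"))
            if fetches and COMPILE.search(args):
                findings.append((lineno, f"{ins}: fetches source and compiles it"))
            if fetches and ins != "RUN":
                # Build-time layers stay clean; the payload arrives at run time.
                findings.append((lineno, f"{ins}: network fetch at container start (dynamic payload)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DOCKERFILE):
        print(f"line {line}: {reason}")
```

For the constructed sample this reports the unpinned `FROM` on line 1 and two findings for the `ENTRYPOINT` on line 6 (fetch plus compile, and a fetch deferred to container start); the `RUN` that merely installs `git` and `curl` is not flagged on its own. Treat a hit as a reason to build the image yourself or to run it in a sandbox, not as proof of malice.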
"Every month there is some bad guy upping their game and utilizing more containers as part of their attack. We expect it to be more prevalent because it is very easy to use a Docker container to trick a target into building the attack tools inside their own network."
Rony Moshkovich, CEO and Co-founder, Prevasio