More than 380,000 Kubernetes API servers allow some kind of access from the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and a broad attack surface for threat actors, researchers have found.
The Shadowserver Foundation discovered the exposure when it scanned the internet for Kubernetes API servers, of which it found more than 450,000, according to a recently published blog post.
Daily Scans
“Shadowserver is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ which indicates that the request has succeeded,” according to the post.
Of the 454,729 Kubernetes API instances Shadowserver identified, 381,645 responded with “200 OK,” the researchers said. The “open” API instances thus constitute nearly 84% of all instances Shadowserver scanned.
Additionally, most of the accessible Kubernetes servers, 201,348 or nearly 53%, were located in the US, the post noted.
Unnecessarily Exposed
While this result does not mean these servers are fully open or vulnerable to attack, it does suggest a situation in which the servers have an “unnecessarily exposed attack surface,” the post said.
“This level of access was likely not intended,” the researchers observed. The exposure also allows for information leakage on versions and builds, they added.
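To see what a “200 OK” from an anonymous request actually tells you about a cluster you own, here is an added example (not code from the article or from Shadowserver’s scanner). It assumes the scanner’s hit is the unauthenticated `/version` endpoint: with anonymous auth left at its default of true, Kubernetes’ stock RBAC binds the `system:public-info-viewer` role to `system:unauthenticated`, so `/version` answers 200 with the build details while `/api` answers 403; with `--anonymous-auth=false` both answer 401, and a 200 on `/api` means authorization is effectively off. The `/version` body below is a constructed stand-in, and the host and port passed on the command line are yours to supply.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request

# Constructed stand-in for the JSON an API server returns on GET /version
# (the commit hash is a placeholder, not a real Kubernetes build).
SAMPLE_VERSION_BODY = json.dumps({
    "major": "1", "minor": "23", "gitVersion": "v1.23.6",
    "gitCommit": "0000000000000000000000000000000000000000",
    "gitTreeState": "clean", "buildDate": "2022-04-14T08:43:11Z",
    "goVersion": "go1.17.9", "compiler": "gc", "platform": "linux/amd64",
})

DESCRIPTIONS = {
    "open": "anonymous client can enumerate the API: authorization is effectively off",
    "exposed": "anonymous requests accepted; /version leaks the build, RBAC blocks the rest",
    "locked": "anonymous auth disabled; still reachable, so consider a firewall rule",
    "unknown": "unexpected status pair; inspect by hand (proxy, non-Kubernetes service?)",
}


def classify(version_status: int, api_status: int) -> str:
    """Map the status codes of anonymous GET /version and GET /api to an exposure tag.

    Default RBAC binds system:public-info-viewer to system:unauthenticated, so an
    API server with anonymous auth on answers /version with 200 but /api with 403.
    """
    if api_status == 200:
        return "open"
    if version_status == 200 and api_status == 403:
        return "exposed"
    if version_status == 401 and api_status == 401:
        return "locked"
    return "unknown"


def parse_version(body: str) -> dict:
    """Pull the build details an exposed /version endpoint leaks; {} if not a JSON object."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    keys = ("gitVersion", "platform", "buildDate", "goVersion")
    return {k: data[k] for k in keys if k in data}


def _get(url: str, ctx: ssl.SSLContext, timeout: float):
    """GET url without credentials; return (status, body) for 2xx and 4xx alike."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, port: int = 6443, timeout: float = 5.0):
    """Live check of one API server: returns (version_status, api_status, version_body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # an outside scanner does not hold the cluster CA
    ctx.verify_mode = ssl.CERT_NONE
    base = f"https://{host}:{port}"
    v_status, v_body = _get(f"{base}/version", ctx, timeout)
    a_status, _ = _get(f"{base}/api", ctx, timeout)
    return v_status, a_status, v_body


if __name__ == "__main__":
    # Usage: python3 k8s_probe.py <host> [port]   (host and port are yours to supply)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6443
    v, a, body = probe(host, port)
    tag = classify(v, a)
    print(f"{host}:{port} /version={v} /api={a} -> {tag}: {DESCRIPTIONS[tag]}")
    for key, val in parse_version(body).items():
        print(f"  {key}: {val}")
```

Run it only against clusters you are authorised to test. The “exposed” result is the one Shadowserver counts: nothing is compromised yet, but the build string is public and the server is accepting unauthenticated connections it was probably never meant to take.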
Cloud Under Attack
The findings are worrying because attackers have increasingly been targeting Kubernetes clusters in the cloud, and using them to launch attacks against other cloud services. The cloud also has a long history of rampant misconfiguration that continues to undermine deployments, Kubernetes included.
Erfan Shadabi, cyber-security expert with data-security firm Comforte AG, stated that he was unsurprised that the Shadowserver scan discovered so many Kubernetes servers exposed to the public internet.
“While Kubernetes provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he stated.
“For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”
Open-Source Security
The findings also raise the issue of how to build security into open-source systems that have become ubiquitous parts of modern internet and cloud-based infrastructure, meaning that an attack on them is an attack on the many systems to which they are connected.
This issue was seen in the case of the Log4Shell vulnerability in the common Java logging library Apache Log4j, which was discovered last December.
The flaw is easily exploitable, can allow unauthenticated remote code execution (RCE) and complete server takeover, and continues to be targeted by attackers. A recent report also found millions of Java applications still vulnerable despite a patch being available for Log4Shell.
Bare Minimum
One issue with Kubernetes is that the data-security capabilities built into the platform are only a “bare minimum”, protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is dangerous.
“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenisation,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”
Securing Kubernetes
Shadabi’s advice to organisations that use containers and Kubernetes is to take securing Kubernetes just as seriously as they take the rest of their IT infrastructure.
Shadowserver recommended that administrators who find a Kubernetes instance in their environment is accessible from the internet consider implementing authorisation for access, or blocking it at the firewall level, to reduce the exposed attack surface.
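Both halves of that recommendation map to concrete settings. The following is an added example (not from the article, Shadowserver or the Kubernetes project) that audits a kube-apiserver static pod manifest for the flags that govern unauthenticated access, and emits an nftables ruleset that admits only an administrative IP range to the API port. The manifest is a constructed one shaped like the file kubeadm writes to `/etc/kubernetes/manifests/kube-apiserver.yaml`; the hypothetical admin range 203.0.113.0/24 is a documentation address you would replace with your own. The checks rely on two kube-apiserver defaults: `--anonymous-auth` defaults to true and `--authorization-mode` defaults to AlwaysAllow.

```python
import re
import sys
from typing import Dict, List

# Constructed kube-apiserver static pod manifest, shaped like the one kubeadm writes to
# /etc/kubernetes/manifests/kube-apiserver.yaml. The address is a documentation range.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.23.6
    command:
    - kube-apiserver
    - --advertise-address=203.0.113.10
    - --authorization-mode=AlwaysAllow
    - --secure-port=6443
"""

# Same manifest with the two flags that close the anonymous, unauthorised path.
HARDENED_MANIFEST = SAMPLE_MANIFEST.replace(
    "--authorization-mode=AlwaysAllow",
    "--authorization-mode=Node,RBAC\n    - --anonymous-auth=false",
)

FLAG_RE = re.compile(r"^\s*-\s+(--[A-Za-z0-9-]+)(?:=(.*?))?\s*$")


def parse_apiserver_flags(manifest: str) -> Dict[str, str]:
    """Collect '--flag=value' list items from the manifest; a bare flag counts as 'true'."""
    flags: Dict[str, str] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) if m.group(2) is not None else "true"
    return flags


def audit_apiserver(flags: Dict[str, str]) -> List[str]:
    """Return findings for the flags that decide who can talk to the API unauthenticated."""
    findings = []
    # kube-apiserver defaults --anonymous-auth to true, so an absent flag is a finding.
    if flags.get("--anonymous-auth", "true").lower() != "false":
        findings.append("--anonymous-auth is not false: unauthenticated clients are "
                        "accepted (they get /version and whatever RBAC grants "
                        "system:unauthenticated)")
    # kube-apiserver defaults --authorization-mode to AlwaysAllow.
    modes = flags.get("--authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow: every request is authorised")
    if "RBAC" not in modes:
        findings.append("--authorization-mode does not include RBAC")
    # Pre-1.24 servers still honour --insecure-port: plaintext, no authn, no authz.
    insecure = flags.get("--insecure-port")
    if insecure is not None and insecure != "0":
        findings.append(f"--insecure-port={insecure}: unauthenticated HTTP API is enabled")
    return findings


def nft_ruleset(admin_cidrs: List[str], port: int = 6443) -> str:
    """nftables ruleset admitting only the listed IPv4 CIDRs to the API port.

    Everything else to that port is dropped, including IPv6, because 'ip saddr'
    matches IPv4 only; add an 'ip6 saddr' accept line for IPv6 admin ranges.
    """
    allow = ", ".join(admin_cidrs)
    return "\n".join([
        "table inet k8s_api {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {port} ip saddr {{ {allow} }} accept",
        f"    tcp dport {port} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Usage: python3 apiserver_audit.py [/etc/kubernetes/manifests/kube-apiserver.yaml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for finding in audit_apiserver(parse_apiserver_flags(text)) or ["no findings"]:
        print("-", finding)
    print(nft_ruleset(["203.0.113.0/24"]))   # 203.0.113.0/24 stands in for your admin range
```

Load the printed ruleset with `nft -f` on the control-plane node after checking that your own management range and any load balancer health checks are in the allow set; on a managed service the equivalent is the provider’s authorised-networks or public-access CIDR setting rather than host firewall rules. Disabling anonymous auth removes the version leak, but it does not make an internet-reachable control plane a good idea, which is why the firewall rule is the other half of the fix.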