Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan.

In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would tailor it to fit within the confines of the targeted system, like the store in the mall.

Historically, however, problems have arisen with this approach. What if I want to deploy a store within a mall but the store doesn’t fit within the confines of the mall floorplans? The same principle applies to applications. What happens if I want to deploy an application to a system it wasn’t designed to target? Usually, it won’t work.

The retail industry came up with a creative solution to the misfit brick-and-mortar store problem — e-commerce. With websites, items could be sold that didn’t fit in physical storefronts. Similarly, the technology sector has a solution for the application misfit problem — containerization.

What is Containerization?

Containerization provides a method for developers to distribute applications as a portable package.

With containerization, developers and engineers can distribute an application as a package that contains the required operating system components for the application. This allows engineers and developers to create applications without the concern about whether an application will successfully deploy to a custom operating system or platform. Because containers usually only include the required components and files of their contained application, they can have a significantly reduced attack surface compared to other solutions such as virtual machines.

Virtual machines were originally created as a solution to allow a single computer or server to execute software in isolation while preserving the integrity of the supporting host. This was an evolution upon deploying software applications to dedicated hosts and hardware intended to provide better portability and security. Virtual machines achieve this goal but also include software and tools that are not used by a deployed application but are used by attackers. Extra functionality and utilities within the environment that executes an application provide attackers with functionality they can leverage to further attack organizations.

While containers are intended to not include extraneous tools and functionality like virtual machines do, containers are not without risk or security concern. Containers do not provide perfect isolation from the host that they execute upon like virtual machines are intended to do. There is shared software and functionality between containers and their executing hosts that increases the risk to the host, such as sharing the same kernel, which normally is not a concern with virtual machines. Sometimes this shared functionality can be used to escape a container and allow an attacker to access other containers and sensitive information within the containers’ host.

Within the container, like virtual machines, secrets and sensitive information is used by applications and can pose a risk to other systems if discovered by attackers. Applications that rely on database credentials, for example, might have those credentials stored in files included within the container image. If the container image were published, it would pose a serious risk to the database and the data it holds. Even though containers do not contain full operating systems, the portions of an operating system they do contain can still become outdated and vulnerable to attacks. The libraries that applications use in their software supply chains can also be vulnerable, especially if they are outdated.

Container Vulnerabilities Abound

The inside of a container isn’t the only location that can contain vulnerabilities. The ways a specific container interacts with its environment can create vulnerabilities too. Applications that are architected to run within cloud environments as containers may have additional functionality implemented for integration with those environments. The integration can elevate the risk of an attack.

The cloud provider, container, and platform the container operates within represent the context of a container. The context a container executes within can include things such as service accounts that the application within the container can leverage to access the cloud environment. Service accounts can have permissions and privileges assigned to them that may be too broad in nature and could allow an attacker to perform operations on the cloud provider’s platform. These operations might include accessing databases with sensitive data, such as credit card numbers or creating crypto-currency miners that run high costs on accounts.

How to Secure Your Containerized Environments

To prevent those kinds of issues, many tools have been created to allow engineers to analyze the security of the contexts within which the containerized applications execute. The tools that have been created, such as Snyk and KubeAudit most notably, scan configurations and permissions to identify permissions that may be too broad or configurations that could allow for container escapes or application vulnerabilities. These tools are fantastic for identifying very basic issues within their targeted domains.

Unfortunately, most of the time these tools are built from preconceived ideas about how applications are built and integrated into their cloud contexts. Often these preconceived notions, however, do not match reality and therefore tell engineers of security “issues” that are not relevant to the containers and applications within the environment. Containerized applications many times have a need to interact and integrate with their platform in a way dictated by business requirements that various automated tools can’t account for. These false positives can waste a lot of time. Because the platforms and utilities that run containers are designed for integration, the resulting system of container, context, and cloud provider needs to be reviewed and attacked using an attacker’s mindset to determine the real quantifiable security of the integrated system. This process can only be done by a human, and it is how real-world attackers break in.

A good practical approach to minimizing risk in containerized environments leverages all the available resources. Thankfully, many of the available tools and resources are free and easy to use. Many cloud providers provide container image scanning services, which are integrated into their platforms. Using these services can add significant value. Leveraging configuration scanners for both cloud accounts and container platform environments can provide a fantastic starting point for determining the initial risk of these environments and help teams remediate any low-hanging fruit.

Utilizing Kubernetes and container-aware endpoint detection and response systems can provide intelligence about a compromise before an attacker can affect your systems. After taking those steps, penetration testing can be used to cut through the various false positives and negatives of tooling and monitoring systems, validate a security posture, and give actionable intelligence about your environment with context-specific recommendations.

X-Force Red, IBM Security’s team of hackers, can provide container testing services to organizations worldwide. Their goal is to uncover and help remediate flaws inside and around containers in the cloud. The testing includes the containers themselves, and their supporting infrastructure, such as orchestrators. For more information, download the X-Force Red Container Testing Services infosheet here.

If you’d like to schedule a consult with IBM Security X-Force, fill out the scheduler form here.

More from Software Vulnerabilities

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide…

Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published…