More than 380,000 of the more than 450,000 internet-facing Kubernetes API servers found in a Shadowserver scan permit some form of access.
Researchers have discovered that more than 380,000 Kubernetes API servers are reachable from the public internet, giving the popular open-source container-orchestration engine for managing cloud deployments a large, easily discovered attack surface for threat actors.
In a blog post published this week, the Shadowserver Foundation reported finding the exposure when it scanned the internet for Kubernetes API servers, of which it counted more than 450,000.
According to the post, “ShadowServer conducts daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ indicating that the request was successful.”
Of the 454,729 Kubernetes API servers Shadowserver found in total, 381,645 responded with “200 OK,” according to researchers. Thus, nearly 84 percent of all instances Shadowserver scanned are “open” API instances.
According to the post, the majority of accessible Kubernetes servers — 201,348 or nearly 53 percent — were located in the United States.
According to the post, a 200 response to the scan does not by itself mean that a server is fully open or vulnerable to attack, but it does create a scenario in which the servers carry an “unnecessarily exposed attack surface.”
Researchers noted: “This level of access was likely not intended.” The exposure also lets version and build information leak, they added, which tells an attacker exactly which release to look up for applicable known vulnerabilities.
Cloud Being Attacked
Given that attackers are increasingly targeting Kubernetes cloud clusters and using them to launch other attacks against cloud services, the findings are concerning. Historically, cloud deployments have been plagued by widespread misconfiguration, and Kubernetes is no different.
Erfan Shadabi, a cybersecurity expert at the data-security company comforte AG, stated in an email to Threatpost that he was not surprised that the Shadowserver scan uncovered so many Kubernetes servers that were accessible via the public internet.
“While [Kubernetes] offers enterprises massive benefits for agile application delivery, there are a few characteristics that make it an ideal attack target,” he said. “For instance, Kubernetes has a large attack surface due to its many containers, which could be exploited if not secured beforehand.”
Open-Source Security Is Vulnerable
The findings also raise the age-old question of how to build security into open-source systems that have become ubiquitous across the modern internet and cloud infrastructure, since a flaw in one of them exposes every connected system that depends on it.
In December 2021, the disclosure of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j brought this issue to the forefront.
Attackers continue to target the vulnerability, which is easily exploitable and can permit unauthenticated remote code execution (RCE) and complete server takeover. In fact, despite the availability of a patch for Log4Shell, millions of Java applications are still vulnerable, according to a recent report.
Shadabi said one of Kubernetes’ Achilles’ heels is that the data-security capabilities built into the platform are “minimal,” limited to protecting data at rest and in motion, which is a risky proposition in a cloud environment.
“There is no persistent protection of data itself, such as with industry-standard techniques such as field-level tokenization,” he noted. If an ecosystem is compromised, it is only a matter of time before the sensitive data it processes falls prey to a more subtle attack.
He advised organizations that use containers and Kubernetes in production environments to take Kubernetes security as seriously as they do other aspects of their IT infrastructure.
Shadowserver recommended that administrators who find a Kubernetes instance in their environment reachable from the internet either require authorization for access or block it at the firewall level, reducing the attack surface.
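Before deciding whether a cluster needs the firewall rule or the authorization change, it helps to reproduce the scan’s check against your own endpoint and read the answer the way Shadowserver did. The script below is an added example for this article; it is neither Shadowserver’s scanner nor code from the Kubernetes project. It sends the same kind of request the post describes (an HTTPS GET on port 6443 or 443) to a host you control and classifies the response: a 200 carrying kube-apiserver’s version JSON is what the scan counts as “open” and is also the version/build leak the researchers mention; a 401 means anonymous authentication is off; a 403 means anonymous requests are accepted but RBAC denied the path. The host, port and path are parameters you supply; the sample response bodies are constructed for the offline self-test and do not come from any real cluster.

```python
"""Check whether a Kubernetes API server answers unauthenticated requests.

Added example, not Shadowserver's scanner and not Kubernetes project code.
The /version JSON layout matches what kube-apiserver returns; the sample
bodies below are constructed for the offline self-test.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Constructed sample bodies (illustrative values, not from a real cluster).
SAMPLE_OPEN_BODY = json.dumps({
    "major": "1",
    "minor": "24",
    "gitVersion": "v1.24.0",
    "gitCommit": "0000000000000000000000000000000000000000",
    "gitTreeState": "clean",
    "buildDate": "2022-01-01T00:00:00Z",
    "goVersion": "go1.18",
    "compiler": "gc",
    "platform": "linux/amd64",
})
SAMPLE_FORBIDDEN_BODY = json.dumps({
    "kind": "Status",
    "apiVersion": "v1",
    "status": "Failure",
    "message": 'forbidden: User "system:anonymous" cannot get path "/version"',
    "reason": "Forbidden",
    "code": 403,
})


def extract_version(body: str) -> Optional[str]:
    """Return gitVersion if the body looks like a kube-apiserver /version reply."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, dict) and "gitVersion" in data and "platform" in data:
        return str(data["gitVersion"])
    return None


def classify(status: int, body: str) -> Tuple[str, str]:
    """Map an HTTP status/body pair onto an exposure verdict.

    200 + version JSON: served to anonymous callers, counted as "open" by the
    scan and leaking build information.  401: anonymous auth is disabled.
    403: anonymous callers are authenticated as system:anonymous but
    authorization (RBAC) denied this path.
    """
    if status == 200:
        version = extract_version(body)
        if version:
            return "exposed", f"anonymous /version served; build {version}"
        return "unknown-200", "200 OK but not a kube-apiserver version reply"
    if status == 401:
        return "auth-required", "401 Unauthorized: anonymous auth disabled"
    if status == 403:
        return "forbidden", "403 Forbidden: anonymous allowed, path denied by authz"
    return "other", f"HTTP {status}"


def probe(host: str, port: int = 6443, path: str = "/version",
          timeout: float = 5.0) -> Tuple[str, str]:
    """Fetch https://host:port/path and classify the answer.

    Certificate verification is disabled deliberately: API servers often use
    self-signed or IP-SAN certificates, and we only fingerprint the response,
    never act on its contents.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}:{port}{path}",
                                 headers={"User-Agent": "k8s-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except OSError as err:  # refused, timed out, TLS handshake failed
        return "unreachable", f"no HTTP answer from {host}:{port}: {err}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (6443, 443):
        verdict, detail = probe(target, p)
        print(f"{target}:{p} -> {verdict}: {detail}")
```

Run it from outside the cluster’s network (a cloud VM in another account, or a laptop off the VPN), because the point is to see what an internet scanner sees; a result of “exposed” from that vantage point is the case the Shadowserver post is describing, and “unreachable” is what you want after the firewall rule is in place.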