The runc vulnerability panic which hit the container world last month might have died down, but many systems are probably still unpatched, the CTO of cloud security outfit Aqua Security has said.
Amir Jerbi, CTO and co-founder at Aqua Security, said that “This vulnerability really impacted everyone, it was quite amazing.” The company was immediately hit with a wave of “inbound calls, asks, requests.”
“What’s interesting about this vulnerability was that in order to run an exploit, there is not really a lot of effort,” said Jerbi. “You only need to download software – a container – and run it on your premise.
“You don’t need extra permissions, extra privileges,” he continued. “You just need to run an innocent image from some public repository and run it inside the organisation. As soon as you do that you are doomed.”
But he said, “There were some cases where using some security best practices…could overcome the vulnerability… such as you don’t just download things from the internet and run them. You take them, you assess them, or you only run trusted code, or trusted applications,
“Things that sound obvious could’ve saved a lot of effort and headaches.”
As more applications run in containers there will be more vulnerabilities, and as containers gain more traction and become mission critical, said Jerbi, “it will attract hackers. There will be more ground for attack, more incentives.”
In the meantime, said Jerbi, there will still be plenty of systems left vulnerable, not least because security teams are not always aware what their organisations have deployed into production. “It’s not different to any vulnerability. Only a percentage of the customers will update because they are aware of the vulnerability. Most of the users are not really aware they are vulnerable.”
Last week rival security outfit Snyk said that that each of the ten most popular default Docker images contained at least 30 vulnerable system library versions while 44 per cent of Docker image scans showed known vulnerabilities for which there are newer and more secure base image upgrades available.
Jerbi was speaking ahead of the release of Aqua 4.0,which introduces tighter controls for Linux hosts running containers which should address vulnerabilities like runc.
The new version also includes targets serverless, with functions discovery and deep scanning of functions packages and dependencies for known vulnerabilities. The updated platform will also offer permissions assessment for serverless functions, spotting over and under-used permissions, and scanning for secrets and hard-coded keys in functions. The update will be generally available later this month.