Shadowserver scan finds exposed API servers in the hundreds of thousands

With 380,000 Kubernetes API servers ‘open,’ IT pros emphasize privilege control

Francis Scialabba


Organizations are increasingly turning to lightweight, easy-to-deploy “containerized” applications. One problem: some containers are open.

A May report from the nonprofit security group Shadowserver showed that a large share of systems hosting the Kubernetes container API—over 380,000 instances, in fact—have API servers that are open and accessible in some form. The Shadowserver report concluded by underlining the importance of fundamental infosec practices like role-based access control and secure app development.

More like ‘200 NOT OK’

A Shadowserver scan of 454,729 Kubernetes IP instances on May 16, 2022, revealed 381,645 unique IPs responding with a 200 OK HTTP response—an indication of a successful connection.

In other words: the APIs were open, listening, and getting the message.

While the scan does not necessarily prove that the 381,645 instances are fully open or vulnerable to an attack, according to the report, “it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface.”

A “200 OK” response doesn’t necessarily mean that the application can run malicious commands in all cases, said Carl Manion, practice director at the Denver-based security integrator Optiv. But if a bad actor knew of an exploit against a known vulnerability within an application that was running in a container, they could attempt to exploit that weakness.

“It opens the door for an attacker to start probing and testing different payloads to see if they work,” Manion told IT Brew.

Kubernetes catching on

Kubernetes is an increasingly popular open-source system for orchestrating and automating the deployment and management of containerized applications.

An October 2021 report from the consulting firm Gartner projected that by 2025, 85% of organizations will run containers in production, a huge increase from 30% in 2020. By 2025, according to the report, the proportion of current enterprise applications that are containerized will rise to 15%, up from 5% in 2020.

Manion has also seen a rise in the use of containers: lightweight packages that combine applications with their libraries, configurations, and other dependencies so that the bundles can be easily deployed to multiple operating systems and migrated from on-premise facilities to the cloud, or from one cloud provider to another.


“There’s definitely an increase,” said Manion. “Probably three times as many companies are using [containers], as opposed to maybe just even, like, two years ago. There’s been a huge increase in movement to the cloud and leveraging Kubernetes and other similar-type platforms.”

With its orchestration engine, Kubernetes manages the deployment of multiple containers. Managed Kubernetes offerings are delivered by both public-cloud infrastructure providers and traditional infrastructure providers.

Containers’ ease of deployment appeals to organizations, said Sonali Shah, chief product officer at the Austin, Texas-based appsec provider Invicti Security.

“It allows developers to focus on writing innovative code, and less about having to worry about the operating system, or how it’s deployed, or how the communication works between the different pieces. So it’s just all around being able to write better code faster,” said Shah.

The problem: Security has to keep pace with hot, new services.

“Your vulnerability management tools have to always keep up with the latest technologies. And the fact is, they’re always behind,” said Shah. “Unfortunately, cool technology comes first. And the security is always an afterthought.”

Securing the API

There are open-source guides available on how to configure authorization to lock down the API.

Shadowserver recommends implementing authorization for access or blocking access at the firewall level to reduce your exposed attack surface.

Check to make sure that you don’t have known vulnerabilities within your applications or services running in the container, said Manion.

Additionally, Manion advises organizations to enforce role-based access control: “Limit who can communicate with [the API] and restrict [root] privileges,” he said, since root privileges left in place could unintentionally provide users with administrative access by default.

An attacker could use that high-privilege access level, once they’ve compromised a container, to move laterally within the overall infrastructure, Manion added.

“You really shouldn’t be setting up the container to have root privilege. You should set up the container to use something less than root,” said Manion. “If you need to have privilege mapped to a root user, then at least limit that user ID within the container.”—BH
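As an added example (not from the article or from Shadowserver's report), the pod-hardening and RBAC advice above expressed as Kubernetes manifests: a privileged pod beside a non-root pod with a fixed user ID, and a namespace-scoped Role and RoleBinding for the pod's service account. The names, namespace, UID and image are placeholders.

```yaml
# Weak: privileged container, effectively root on the node (constructed example).
apiVersion: v1
kind: Pod
metadata: {name: web-weak}
spec:
  containers:
  - name: web
    image: example.com/web:1.0         # placeholder image
    securityContext: {privileged: true}
---
# Hardened: fixed non-root UID, no privilege escalation, no Linux capabilities.
apiVersion: v1
kind: Pod
metadata: {name: web-hardened, namespace: web}
spec:
  serviceAccountName: web-sa
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                   # "limit that user ID within the container"
  containers:
  - name: web
    image: example.com/web:1.0
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {drop: ["ALL"]}
---
# RBAC: the pod's service account may only read pods in its own namespace,
# so a compromised container cannot use the API to reach other workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: web}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: web-sa-pod-reader, namespace: web}
subjects:
- {kind: ServiceAccount, name: web-sa, namespace: web}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
```

On the API server itself, kube-apiserver's --authorization-mode=RBAC enforces these rules, and --anonymous-auth=false makes unauthenticated requests return 401 rather than the 200 OK the scan counted.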
