"Researchers Find 250 Million Artifacts Exposed in Misconfigured Registries"

Security researchers at Aqua Nautilus have discovered thousands of misconfigured artifact repositories and container image registries, exposing organizations to potentially serious software supply chain attacks. The researchers found that over 250 million software artifacts and more than 65,000 container images had been exposed in this way, putting at risk some of the world’s largest companies, including several Fortune 500 firms. The researchers noted that artifact management systems and container registries are often deliberately connected to the internet and allow anonymous users to connect so that global stakeholders can access open source software. Yet that is not always the case. The researchers saw instances where “restricted environments are accidentally shared with anonymous users” and other examples where teams “accidentally publish sensitive information to public areas.”

The misconfigurations found by the researchers included mistakenly connecting registries to the internet, exposing secrets to public registries, using default passwords, and granting excessive privileges to users. The researchers also found private container image registries that had been misconfigured to allow anonymous access, or that had anonymous access built in as a feature. The researchers found 57 registries with critical vulnerabilities such as default admin passwords, of which 15 allowed admin access with the default password. The researchers detected more than 2,100 artifact registries with upload permissions, which could allow an attacker to poison the registry with malicious code.

The researchers noted that small, medium, and large organizations worldwide were exposed in this way, including 10 Fortune 500 firms, five of which had registries containing highly sensitive information that was exposed or allowed anonymous access. The researchers also found two cybersecurity companies with exposed secrets in their registries.
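The anonymous-access and upload-permission misconfigurations described above can be checked directly against the Docker Registry HTTP API (v2), which is what most container registries speak. The script below is an added example written for this page, not code from Aqua Nautilus or from the article; the registry host names, the probe repository name and the constructed responses are assumptions. It issues three unauthenticated requests: GET /v2/ (a 401 with a WWW-Authenticate header means authentication is enforced, a 200 means the API is open), GET /v2/_catalog (a 200 means anyone can enumerate repository names), and POST /v2/<repo>/blobs/uploads/ (a 202 means an anonymous client can start a push, which is the condition that lets an attacker poison the registry). The HTTP fetch function is injectable so the checks can be exercised against constructed responses without network access.

```python
"""Probe a Docker Registry v2 / OCI distribution endpoint for anonymous exposure.

Added example for this page (not Aqua Nautilus code). Assumed: the target
follows the distribution API (/v2/, /v2/_catalog, blob upload sessions).
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Probe:
    """Minimal view of one HTTP response; header names are lower-cased."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def http_fetch(method: str, url: str) -> Probe:
    """Send one request with no credentials and capture the response."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return Probe(resp.status, hdrs, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return Probe(err.code, hdrs, err.read(65536).decode("utf-8", "replace"))


Fetcher = Callable[[str, str], Probe]


def assess_registry(base_url: str, fetch: Fetcher = http_fetch,
                    probe_repo: str = "exposure-probe") -> Dict[str, object]:
    """Return which capabilities the registry grants to an anonymous client."""
    base = base_url.rstrip("/")
    result: Dict[str, object] = {
        "anonymous_read": False,   # GET /v2/ answered 200 without credentials
        "catalog_listing": False,  # repository names enumerable via /v2/_catalog
        "anonymous_push": False,   # blob upload session accepted without credentials
        "repositories": [],
        "auth_challenge": None,    # WWW-Authenticate value when auth is enforced
    }

    root = fetch("GET", f"{base}/v2/")
    if root.status == 401:
        # Expected for a locked-down registry: a token or basic-auth challenge.
        result["auth_challenge"] = root.headers.get("www-authenticate")
        return result
    if root.status != 200:
        result["error"] = f"unexpected status {root.status} on /v2/"
        return result
    result["anonymous_read"] = True

    catalog = fetch("GET", f"{base}/v2/_catalog")
    if catalog.status == 200:
        result["catalog_listing"] = True
        try:
            result["repositories"] = json.loads(catalog.body).get("repositories", [])
        except (ValueError, AttributeError):
            pass  # listing is open even if the body is not the expected JSON

    # Start, but never complete, a blob upload. A 202 means anyone can push,
    # which is the "poison the registry" condition the article describes.
    upload = fetch("POST", f"{base}/v2/{probe_repo}/blobs/uploads/")
    if upload.status == 202:
        result["anonymous_push"] = True
        location = upload.headers.get("location")
        if location:
            # Cancel the empty upload session so the probe leaves nothing behind.
            target = location if location.startswith("http") else base + location
            fetch("DELETE", target)
    return result


def risk_rating(findings: Dict[str, object]) -> str:
    """Map findings to a triage bucket, worst condition first."""
    if findings.get("anonymous_push"):
        return "critical"
    if findings.get("catalog_listing"):
        return "high"
    if findings.get("anonymous_read"):
        return "medium"
    return "ok"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://registry.example.com"
    findings = assess_registry(target)
    print(risk_rating(findings), json.dumps(findings, indent=2))
```

Run it as `python probe.py https://registry.example.com` against a registry you are authorized to test. The push check opens an upload session but transfers no data and cancels the session afterwards, so it does not modify stored content; a registry that is meant to be private should come back as "ok", with a WWW-Authenticate challenge recorded in `auth_challenge`. Anything rated "high" or "critical" matches the catalog exposure and upload permission findings in the article and should be closed by enforcing authentication in the registry configuration rather than by relying on the host being hard to find.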


Infosecurity reports: "Researchers Find 250 Million Artifacts Exposed in Misconfigured Registries"

Submitted by Anonymous on