
Nearly two-thirds of analysed Docker Hub images contained critical vulnerabilities, Kaspersky research reveals

8 June 2026

An analysis conducted using Kaspersky Container Security has revealed that only 1 out of every 10 Docker Hub images analysed, including those with 10,000 to 1 million downloads, was fully up to date. Experts warn that aside from software vulnerabilities and the compromise of update sources, common Docker security risks include configuration vulnerabilities, such as the insecure handling of credentials, privilege escalation, and a lack of integrity checks.

Docker Hub, the world's largest container registry, is extremely popular among developers and records more than 11 billion image pulls monthly. However, the usage of ready-made Docker images with minimal modifications can pose serious security risks. Infrastructure hosted in containers is an attractive target for attackers: a hijacked container can be used for DDoS attacks, cryptocurrency mining, or traffic proxying. Moreover, by gaining control of a container, an attacker can steal or destroy data directly from it, access neighbouring containers, or even attempt to escape the container entirely, potentially compromising the broader enterprise network.

Kaspersky Container Security (KCS) incorporates the KIRA AI assistant to help users identify insecure configurations and potential vulnerabilities, suggesting how to fix them. As part of this research, a range of popular Docker Hub images were analysed using KCS to uncover the potential security issues developers can face.

Software vulnerabilities and compromise of update sources

Unlike traditional servers, pre-built Docker images lack automated security patching, so developers must manually rebuild and redeploy them. As a result, popular images become outdated and known vulnerabilities remain unaddressed. A random scan of 100 Docker Hub images with up to one million downloads found that almost two thirds (64) of them contained critical vulnerabilities that could allow attackers to execute remote code, crash server processes, or gain root privileges via local access.

Top 10 Critical Vulnerabilities with PoC/Exploits available as shown in the Kaspersky Container Security Dashboard

While insufficient patching leaves known vulnerabilities wide open, frequent updates drastically increase exposure to software supply chain attacks. To escape this paradox, security teams must adopt a comprehensive, multi-layered strategy that includes pinning dependencies to known-good versions and conducting mandatory scans of all final container images for malware.

Configuration vulnerabilities

Even a fully patched container image remains highly vulnerable if configured incorrectly, as attackers can easily exploit embedded keys and secrets, disabled authentication, default passwords, and insecure file permissions. This risk is further compounded when configuration errors are baked into the original base layers by the initial authors, making deep analysis of every layer and build command necessary for detection. 

The discovered configuration vulnerabilities include:

  • Insecure handling of credentials: In some cases, containers may use default passwords set via environment variables or directly in the Dockerfile. If not overridden, these passwords can be exploited by attackers to access the application. Also, passwords may be exposed when passed via command-line arguments, as these arguments are visible to all users on the system.
  • Privilege escalation in the container: Remote Code Execution (RCE) in web applications and network services is one of the most common vectors for initial compromise of Linux systems. While attacks are often hindered by minimal privileges granted to these services, gaining root access inside a container critically escalates the threat. It enables attackers to fully control all internal processes, conceal their activity, and escape the container. Common methods of privilege escalation include the execution of arbitrary commands as root without a password via sudo, as well as insecurely configured file and directory permissions.
  • Lack of integrity checks: Downloading software without verifying its integrity can make the infrastructure vulnerable to software tampering. For example, using the HTTP protocol without verifying the archive’s integrity creates conditions for a man-in-the-middle attack during the image build phase. An attacker controlling the communication channel or DNS can replace the archive with malicious content, which will compromise the container and the entire environment in which it is run.
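
A build-time check for the three configuration issues listed above can be sketched as a small Dockerfile linter. This is an added example, not code from the Kaspersky research or from Kaspersky Container Security; the sample Dockerfile, the host name and the finding labels are constructed for illustration.

```python
import re

# Constructed sample Dockerfile (not from the research) showing the listed patterns.
SAMPLE = """\
FROM debian:12
ENV DB_PASSWORD=changeme
RUN apt-get update && apt-get install -y sudo wget \\
    && echo 'app ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
RUN wget http://downloads.example.test/tool.tar.gz && tar xzf tool.tar.gz
RUN wget https://downloads.example.test/lib.tar.gz \\
    && echo "<sha256-placeholder>  lib.tar.gz" | sha256sum -c -
RUN chmod -R 777 /opt/app
USER app
"""

# A secret-looking variable name followed by a literal default value.
SECRET_KEY = re.compile(r"\b(\w*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)\w*)[= ]+(\S+)", re.I)
# Evidence that a download is checked in the same instruction.
VERIFY = re.compile(r"sha(?:256|512)sum|gpg\s+(?:--batch\s+)?--verify|--checksum=", re.I)

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            op, _, args = buf.strip().partition(" ")
            yield start, op.upper(), args.strip()
            buf, start = "", 0

def lint(text):
    """Return (line_no, finding) pairs for the three configuration issues."""
    findings = []
    for no, op, args in instructions(text):
        if op in ("ENV", "ARG") and SECRET_KEY.search(args):
            findings.append((no, "default-credential"))
        if op == "RUN" and "NOPASSWD" in args:
            findings.append((no, "passwordless-sudo"))
        if op == "RUN" and re.search(r"chmod\s+(?:-R\s+)?0?777\b", args):
            findings.append((no, "world-writable"))
        if op in ("RUN", "ADD") and "http://" in args and not VERIFY.search(args):
            findings.append((no, "unverified-http-download"))
    return findings
```

Because such a check only reads the build commands it is given, issues baked into a base image's earlier layers still require analysing those layers as well.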

The full research and expert recommendations on container security are available on Securelist.

To learn more about Kaspersky Container Security, please follow the link.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
