Researchers found numerous critical- and high-severity vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively and not detected by most vulnerability scanners and software composition analysis (SCA) tools.  

Rezilion's new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," identified over 100,000 Dockerfiles in Docker containers that either already contain or are prone to hidden vulnerabilities. Of note, some of them are known to have been exploited in the wild as part of CISA’s Known Exploited vulnerabilities catalog, including CVE-2021-42013, CVE-2021-40438, and CVE-2021-41773.  

Most standard vulnerability scanners and SCA tools heavily rely on package managers to know which packages exist and performing analysis accordingly. However, Docker containers are one of the places where software installation bypasses package managers, making it difficult for many scanners and tools to detect vulnerable packages, said Yotam Perkal, director of vulnerability research at Rezilion.

Perkal did not list all the specific tools that fail at this task, but told SC Media that almost every leading commercial vulnerability scanner and SCA tool — including DockerHub's own vulnerability scans — deals with the same challenge.  

Docker spokesperson David Oro told SC Media that the company is aware of the risk and continues working to address it.  

“Malicious actors taking advantage of public resources for the developer community is a big problem that software developers need to be aware of. It happens in GitHub repositories, npm packages, and even in Chrome extensions. Docker Hub, an industry standard of container images that gets billions of pulls each weekis no exception,” said Oro in an email. “We hate seeing bad actors taking advantage of it and have been working to address it directly.” 

According to Oro, Docker’s mitigation efforts include surfacing software bill of materials and integrating Atomist into the platform to better inform developers about the software components and known vulnerabilities within the images. 

Although the research is focused on Docker containers, Perkal highlighted that the hidden vulnerability phenomenon can apply to any type of compute with the deployment method bypassing the relevant package manager.  

"As long as vulnerability scanners and SCA tools fail to accommodate these situations, any container image that deploys packages or executables in this manner may eventually contain hidden vulnerabilities if any of these components become vulnerable," Perkal said.  

To mitigate the security risk, Perkal said developers should be aware of the issue and try not to circumvent the relevant package manager when installing the required software components.  

He also urged security vendors and open source projects to invest time and resources to close the detection gaps and minimize the risk, saying such gaps “exist across all examined tools.” 

An initiative led by the Open Source Security Foundation called Project Alpha-Omega is also working on building and refining tools for the open source community to help developers detect a wider range of critical vulnerabilities with minimal false positives.