A serious backdoor was recently reported in a popular software package: the ssh-decorator Python library (published on PyPI as ssh-decorate). In this open source library, a log function was sending clear-text IP addresses, login names and passwords to an external site, “ssh-decorate.cf/index.php.” This immediately became one of the hottest topics on Reddit, Twitter and other sites, with thousands of discussions. When developers dug in and investigated, they found that the library was developed by an Israeli developer named Uri Goren, and that multiple recent versions of the ssh-decorate module contained source code to collect users’ SSH credentials and send them to the same remote server.
When notified of this discovery, Goren added a note to the README file saying the issue ‘has been brought to our attention.’
As the discussions on social media and developer forums about this incident kept growing, Goren finally removed the package from GitHub and from PyPI, the central Python package index.
Container platforms are often built from a large number of open source components. Any programming language, library or package fits easily into a container, which is what is driving the rapid growth of this ecosystem. However, it also brings new challenges for security solutions. A container security solution needs to fit into the deployment process and orchestration tools, and then protect containers from the inside out. This is a very different capability from protecting traditional networks, endpoints or servers. For this particular kind of backdoor, the malicious code naturally bypasses regular security practices such as scanning for known vulnerabilities (nothing was known to scan for), gateway firewalling (the exfiltration is ordinary outbound web traffic), encryption (the library holds the credentials in the clear before they are ever encrypted) and access controls (the library runs with the credentials the application legitimately has). That is why it is critical to have run-time, behavior-based kill-chain detection that can catch network violations, suspicious container processes and host compromises. In a containerized environment, a multi-vector container firewall is the right way to keep the freedom of open source without losing visibility: not only can it detect such an exploit at multiple points in the kill chain, it can also block damaging attacks and data breaches before they complete.
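The network-violation check described above, as an added example that is not code from the original post or from any product: each container gets a learned or declared baseline of which process may talk to which destination and port, and every observed connection is compared against it. The container name, process name, baseline rules and connection events below are constructed for illustration; the only real destination is the host the post names, and the port used for it is an assumption.

```python
"""Added example (not from the original post): a minimal run-time egress
behaviour check. Connections that fall outside a container's baseline of
(process, destination host, destination port) are flagged as violations.
All container names, baseline rules and events are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One allow-list rule: (process name, destination host pattern, destination port).
Rule = Tuple[str, str, int]


@dataclass(frozen=True)
class ConnEvent:
    """A single outbound connection observed from inside a container."""
    container: str
    process: str
    dst_host: str
    dst_port: int


# Hypothetical learned baseline for a deployment worker that legitimately opens
# SSH sessions to an internal subnet and calls an internal API over HTTPS.
BASELINE: Dict[str, Set[Rule]] = {
    "deploy-worker": {
        ("python3", "10.0.2.*", 22),
        ("python3", "api.internal", 443),
    },
}


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a trailing '.*' wildcard covering the last octet/label."""
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return pattern == host


def is_allowed(event: ConnEvent, baseline: Dict[str, Set[Rule]] = BASELINE) -> bool:
    """True if some baseline rule for the container covers this connection."""
    rules = baseline.get(event.container, set())
    return any(
        proc == event.process
        and port == event.dst_port
        and _host_matches(host, event.dst_host)
        for proc, host, port in rules
    )


def detect_violations(events: List[ConnEvent],
                      baseline: Dict[str, Set[Rule]] = BASELINE) -> List[str]:
    """Return one alert string per connection outside the container's baseline."""
    alerts = []
    for ev in events:
        if not is_allowed(ev, baseline):
            alerts.append(
                f"{ev.container}: {ev.process} -> {ev.dst_host}:{ev.dst_port} not in baseline"
            )
    return alerts


# Constructed sample events: two normal connections, then the kind of unexpected
# outbound HTTP request a credential-stealing library would generate. The host
# is the one named in the post; port 80 is an assumption.
SAMPLE_EVENTS = [
    ConnEvent("deploy-worker", "python3", "10.0.2.15", 22),
    ConnEvent("deploy-worker", "python3", "api.internal", 443),
    ConnEvent("deploy-worker", "python3", "ssh-decorate.cf", 80),
]

if __name__ == "__main__":
    for alert in detect_violations(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The point of keying the baseline on the process as well as the destination is that the exfiltration here came from the same interpreter that performs the legitimate SSH work, so a destination-only rule would still be the thing that catches it, while the process field stops a compromised sidecar from borrowing the worker's allow-list. A real container firewall derives the baseline from observed behaviour during a learning phase rather than from a hand-written table.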