Backdoor Found in Open Source SSH package

A serious backdoor in a popular software package was recently reported: the ssh-decorator Python package. In this open source library, a logging function was sending clear-text IP addresses, login names and passwords to an external site, “ssh-decorate.cf/index.php.” This quickly became one of the hottest topics on Reddit, Twitter and other sites, generating thousands of discussions. When developers dug in and investigated, they found that the library had been developed by an Israeli developer named Uri Goren, and that multiple recent versions of the SSH decorate module contained source code to collect users’ SSH credentials and send them to the same remote server.

When notified of this discovery, Goren added a note to the README file saying that the issue ‘has been brought to our attention’.

As the discussions on social media and developer forums about this incident kept growing, Goren finally removed the package from GitHub and from PyPI, the central Python package repository.

This is not the first time backdoors have been found in open source libraries; similar cases have been found in npm (JavaScript) packages, other Python packages and more. So we may have to say that freedom isn’t free!

Container platforms are often built from a large number of open source components. Any programming language, library or package can easily be put into a container, which is what is driving the rapid growth of this ecosystem. However, this brings new challenges for security solutions. A container security solution needs to fit into the deployment process and orchestration tools, and then be able to protect containers from the inside out. This is a very different capability from protecting traditional networks, endpoints or servers. A backdoor of this type naturally bypasses regular security practices such as static scanning, gateway firewalling, encryption and access controls: the malicious code is part of a legitimately installed package and runs with that package’s own privileges. That is why it is critical to have run-time, behavior-based kill-chain detection that can detect network violations, suspicious container processes and host compromises. In a containerized environment, a multi-vector container firewall would be the right security solution for enjoying open source freedom safely. Not only can it detect such an exploit at multiple points in the kill chain, it can also block damaging attacks and data breaches before they succeed.
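As an added illustration of the run-time network-violation detection described above (example code written for this article, not NeuVector’s product or the ssh-decorator code), the following evaluates constructed container egress events against a deny-by-default, per-container allowlist. The container name and the internal hostname in the policy are hypothetical; the outbound connection to “ssh-decorate.cf” on port 80 models the incident in the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    """One outbound connection observed from a container at run time."""
    container: str   # container or workload name
    process: str     # process that opened the socket
    dest_host: str   # destination hostname (resolved via DNS) or IP address
    dest_port: int
    protocol: str    # "tcp" or "udp"

# Per-container allowlist of (host pattern, port) the service is expected to reach.
# A leading "*." matches any subdomain. Names below are hypothetical.
EGRESS_POLICY = {
    "deploy-worker": {("*.internal.example", 22), ("pypi.org", 443)},
}

def host_matches(pattern: str, host: str) -> bool:
    """Exact hostname match, or subdomain match for '*.' patterns."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".internal.example"
        return host.endswith(suffix) and host != pattern[2:]
    return host == pattern

def is_violation(conn: Connection, policy=EGRESS_POLICY) -> bool:
    """True when the connection is not covered by the container's allowlist.
    Containers with no policy are treated as deny-by-default."""
    allowed = policy.get(conn.container)
    if allowed is None:
        return True
    return not any(host_matches(h, conn.dest_host) and p == conn.dest_port
                   for h, p in allowed)

def find_violations(events, policy=EGRESS_POLICY):
    """Return the subset of events that violate the egress policy."""
    return [c for c in events if is_violation(c, policy)]

# Constructed sample events: a normal SSH session, a package download, and a
# Python process posting over clear-text HTTP to the host named in the article.
SAMPLE_EVENTS = [
    Connection("deploy-worker", "python3", "bastion.internal.example", 22, "tcp"),
    Connection("deploy-worker", "python3", "ssh-decorate.cf", 80, "tcp"),
    Connection("deploy-worker", "pip", "pypi.org", 443, "tcp"),
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(f"ALERT {v.container}/{v.process} -> {v.dest_host}:{v.dest_port}")
```

A real container firewall would take the same decision inline on the connection attempt and drop it instead of only alerting.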

About the Author

Fei Huang is the CEO and Co-Founder of NeuVector Inc. He has over 15 years of experience in enterprise security, virtualization, cloud and infrastructure software. He has held engineering management positions at VMware, CloudVolumes and Trend Micro, and was the co-founder of the DLP security company Provilla.

NeuVector is the leader in Kubernetes security and delivers the first and only multi-vector container security platform. NeuVector enables the confident deployment of enterprise-wide container strategies, across multi-cloud and on-premise environments. NeuVector delivers east-west container traffic visibility, host security and container inspection in a highly integrated, automated security solution.