The way Docker works for Hackers:
The Docker engine needs certain privileges to manage its containers, which also means that anyone in the docker group effectively has root access to the server. Users might not be aware that malicious users can use this to steal the victim's SSH credentials. Here, I'm going to discuss Docker, how it is used by hackers, and its place in a cybersecurity environment.
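The claim above is worth checking on any Docker host. The following shell audit is an added example, not part of the original post: it reads an /etc/group-style file to list docker-group members and checks whether the daemon socket is world-writable (the file paths are assumed defaults, and the sample group line in the comments is constructed).

```shell
#!/bin/sh
# Added example (not from the original post). Anyone in the docker group, or
# anyone who can write to the daemon socket, can start a container with the
# host filesystem mounted, so each such account is root-equivalent on the host.

# List members of a group from an /etc/group-style file, one per line.
#   $1 = path to the group file, $2 = group name (default "docker")
# A constructed line such as "docker:x:999:alice,bob" yields alice and bob.
group_members() {
    [ -r "$1" ] || return 0
    awk -F: -v g="${2:-docker}" \
        '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Succeed only if the file is writable by "other" (9th character of the ls -l mode).
world_writable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Report every root-equivalent access path on stderr and print how many were found:
# one per docker-group member, plus 1000 if the socket is open to everyone.
#   $1 = group file (default /etc/group), $2 = socket (default /var/run/docker.sock)
audit_docker_access() {
    group_file=${1:-/etc/group}
    sock=${2:-/var/run/docker.sock}
    count=0
    for u in $(group_members "$group_file" docker); do
        echo "WARN: '$u' is in the docker group (root-equivalent on this host)" >&2
        count=$((count + 1))
    done
    if world_writable "$sock"; then
        echo "CRIT: $sock is world-writable; every local user controls the daemon" >&2
        count=$((count + 1000))
    fi
    echo "$count"
}

# Run against the live host when executed directly.
echo "root-equivalent Docker access paths: $(audit_docker_access)"
```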
TABLE OF CONTENTS:
- INTRODUCTION TO DOCKER
- ARCHITECTURE OF DOCKER
- HOW HACKERS ARE CONCERNED ABOUT DOCKER
- SAFEGUARD THE DOCKER FROM HACKERS
1. INTRODUCTION TO DOCKER
Docker is a platform where an application and its dependencies are packaged together in the form of a Docker container, so that the application runs without any flaws in any type of environment. Each application in Docker runs in its own container and has its own set of dependencies. As applications are not dependent on one another, users can build applications that do not rely on other applications.
WORKFLOW OF DOCKER
While testing an application, the developer does not want to provide all the other developed applications to the testing environment. They can provide only the particular application that needs to be tested, by replicating it in a container. As the testers do not need to install the application's dependencies to test the code, this saves time and provides a proper workflow. The testers can work efficiently and effortlessly once the application is deployed into Docker.
2. ARCHITECTURE OF DOCKER:
The Docker architecture consists of four components: the Docker Client, Docker Host, Docker Registry and Docker Daemon.
- Docker Client: the interface through which the user interacts with Docker by issuing Docker commands.
- Docker Host: runs the Docker Daemon and Docker Registry. It also stores the Docker containers and images.
- Docker Daemon: interacts with the images and containers that reside on the Docker host.
- Docker Registry: a storage and content delivery system used for distributing Docker images.
ARCHITECTURE OF DOCKER
3. HOW HACKERS ARE CONCERNED ABOUT DOCKER:
Hackers take advantage of Docker to attack the victim's data. There are vulnerabilities that exist in Docker images, such as Heartbleed, Glibc GHOST, Shellshock, SSL Death Alert and so on. When the operator executes Docker commands, it enables access to all the devices that are connected to the respective host. Whenever a user tries to run Docker commands, the host requests root permission. On this occasion, the hacker can take advantage of a malicious Docker image, sent to the victim, to gain access to the victim's host.
For example, in 2016 a security researcher found a bug, relevant to Docker, called DirtyCow (CVE-2016-5195). The DirtyCow vulnerability is a race condition in the way the kernel handled the copy-on-write (COW) breakage of private read-only memory mappings. This means that an unprivileged local user can use the bug to gain write access to otherwise read-only memory mappings, ultimately obtaining the highest privileges on the victim's system.
Since the release of Docker, several vulnerabilities have been discovered that could lead to privilege escalation and code execution. Here, I'm going to cover the top 5 vulnerabilities.
- Insecure Communication and Unrestricted Network Traffic:
- In certain versions of Docker, all network traffic is allowed between containers on the same host. This leads to the risk of unintended information disclosure to other users.
- Unrestricted Access to Processes and Files:
- An attacker who gains access to one container in Docker can gain access to other, unauthorized containers or to the host. For example, a container may be able to gain access to system data on the host via remounting, which undermines security enforcement.
- Kernel Level Threats:
- Docker is designed so that all containers share the same kernel as the host. This provides convenience to users, but it also means that any vulnerability present in the kernel affects every container.
- Inconsistent Updating and Patching of Docker Containers:
- Older versions of Docker containers can expose internal information, which creates a higher risk of breach and the potential loss of sensitive data. Containers must be kept up to date to safeguard against any type of vulnerability.
- Unverified Docker Images:
- Users need to verify and download the verified and trusted applications that are curated by the Docker community. Otherwise, run vulnerability scans against those Docker images before deploying them in the environment.
4. SAFEGUARD THE DOCKER FROM HACKERS:
The confidentiality and integrity of all network data and communication between Docker containers/images and Docker registries must be protected by encrypting it with the TLS security protocol. Organizations need to validate the effectiveness of their current controls and implement Docker controls to limit the risk that may impact business objectives. Some of the default features need to be disabled. The process needs to be tested in a sandbox so that the risks are not carried into the production environment.
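The daemon configuration below is an added example, not from the post: it pairs a default-style daemon.json with a hardened one and checks which of the settings the vulnerability list and this section call for (inter-container traffic, privilege escalation inside containers, container root mapped away from host root, TLS on the daemon) are missing. All keys are real dockerd options for /etc/docker/daemon.json; both files are constructed and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the post). Maps the post's recommendations to
# dockerd settings in /etc/docker/daemon.json and checks a file for them:
#   icc=false           no unrestricted traffic between containers (vulnerability 1)
#   no-new-privileges   setuid binaries cannot raise privileges in a container (2)
#   userns-remap        container root is not host root (2 and 3)
#   tlsverify           only TLS-authenticated clients may talk to the daemon (section 4)
REQUIRED="icc=false no-new-privileges=true userns-remap=default tlsverify=true"

# Constructed weak config: explicit defaults, inter-container traffic allowed.
WEAK='{ "icc": true, "log-level": "info" }'

# Constructed hardened config; the certificate paths are placeholders.
HARDENED='{
  "icc": false,
  "no-new-privileges": true,
  "userns-remap": "default",
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

# Succeed if KEY is set to VALUE in the JSON file (whitespace and quotes tolerated).
has_setting() {   # $1 = file, $2 = key, $3 = value
    grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*\"?$3\"?" "$1"
}

# Print each missing hardening setting to stderr and echo how many are missing.
check_daemon_json() {
    n=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; val=${pair#*=}
        if ! has_setting "$1" "$key" "$val"; then
            echo "missing in $1: \"$key\": $val" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Write a config string to a temporary file and echo its path.
write_tmp() { f=$(mktemp); printf '%s\n' "$1" > "$f"; echo "$f"; }

echo "weak config: $(check_daemon_json "$(write_tmp "$WEAK")") setting(s) missing"
echo "hardened config: $(check_daemon_json "$(write_tmp "$HARDENED")") setting(s) missing"
```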
As I discussed previously about kernel level threats, certain commands need to be restricted in the environment based on privilege level. Only authorized users should have access to root level commands. Proper monitoring needs to be done on updates and patches for the application. Docker images need to be kept up to date and patched with what the application vendor provides, to avoid risks in Docker. Docker images downloaded from outside sources need to be verified in the testing environment, or the application should be downloaded only with a 'trusted digital signature' provided by Docker.
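The 'trusted digital signature' is Docker Content Trust, enabled per command with DOCKER_CONTENT_TRUST=1. The shell below is an added example, not the post's own: it audits a constructed list of image references for ones that are not pinned to a digest, and resolve_pin() (which needs a docker CLI and a registry that serves Content Trust metadata) pulls a tag with signature checking enforced and prints its digest-pinned form.

```shell
#!/bin/sh
# Added example (not from the post). A tag such as app:1.2 is mutable on the
# registry; a digest (@sha256:...) names exact content. DOCKER_CONTENT_TRUST=1
# makes `docker pull repo:tag` fail unless that tag carries a valid signature,
# and the digest it resolves to can then be pinned in deployments.

# Classify one reference: pinned | latest | tagged | untagged (malformed -> exit 1).
classify_ref() {
    case "$1" in
        *@sha256:*)
            if printf '%s' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'; then
                echo pinned; return 0
            fi
            echo malformed; return 1 ;;
    esac
    name=${1##*/}   # strip registry/namespace so "host:5000/app" is not read as a tag
    case "$name" in
        *:latest) echo latest ;;
        *:*)      echo tagged ;;
        *)        echo untagged ;;
    esac
}

# Read references one per line (e.g. the image: fields of a compose file),
# report each one that is not digest-pinned on stderr, and echo the count.
audit_refs() {
    bad=0
    while IFS= read -r r; do
        [ -n "$r" ] || continue
        kind=$(classify_ref "$r") || kind=malformed
        [ "$kind" = pinned ] || { echo "$kind: $r" >&2; bad=$((bad + 1)); }
    done < "$1"
    echo "$bad"
}

# Pull a tag with content trust enforced and print its digest-pinned reference.
# Needs a docker CLI and a registry that serves Content Trust metadata.
resolve_pin() {
    DOCKER_CONTENT_TRUST=1 docker pull "$1" >/dev/null || return 1
    docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Constructed sample list of references, as a deployment might declare them.
SAMPLE=$(mktemp)
printf 'nginx:latest\nregistry.example:5000/app:1.2\nredis\n' > "$SAMPLE"
echo "references not pinned to a digest: $(audit_refs "$SAMPLE")"
```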
Here are some of the tools that can be used to scan Docker containers and images:
- Dockerscan - https://github.com/cr0hn/Dockerscan
- Dirtycow - https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-Docker-container-escape/
- Tenable Nessus - https://www.tenable.com/products/tenable-io/container-security
- Dagda - https://github.com/eliasgranderubio/dagda
Docker provides security for applications that are running in a hosted environment. But sometimes, the Docker containers available in open source are not secure without proper security measures. Docker containers need to be treated as container services. Proper validation needs to be done before deploying them in any core environment.
In addition to this, a proper security assessment must be done, which is obviously mandatory. In doing so, a proper cybersecurity vendor needs to monitor your systems. Check us out to learn more.