Docker is becoming extremely popular with its containerization technique by removing the virtualization layer and making software deployment a lot easier and faster irrespective of platforms. With its increasing popularity and openness, the vulnerability of the domain is also getting wider. In this article, we will discuss the security flaws and possible vulnerabilities in a containerized environment.
With its widespread acceptance and ease of getting started architecture, developers throughout the world began developing their application over the base images available in DocerHub without understanding the security flaws and potential threat to docker containers. For developing secured applications with docker, it is essential to understand and explore the vulnerabilities to containers.
What not to believe and What to understand?
- It is a common assumption that docker containers are running isolatedly in separate virtual machines and thus, guarantees a hundred percent security.
- Downloading random Docker images from Docker Hub and integrating those with default settings on your host machine can have serious security consequences that have to be understood.
- Running docker containers with root user privileges requires serious attention and cannot be neglected.
Few Reported Vulnerabilities:
It has been reported that even the widely used Microsoft Containers for .NET and ASP.NET core have hundreds of vulnerabilities.
- runC Root-Access Remote Execution: runC is an open container runtime initiative designed to comply with Operating system-level virtualizations. A potential security vulnerability was reported for docker containers running on default settings by using which attacker can gain root-level access on the Linux machine.
- util.c in runV: runV is a hypervisor-based runtime environment for Oracle cloud infrastructure. It was reported that docker allows attackers to obtain root-level access by leveraging the presence of initial numeric value on an /etc/passwd line and then issuing a “docker exec” command with that value in the -u argument.
- Docker Skeleton Runtime for Apache OpenWhisk: Apache OpenWhisk is a distributed Serverless cloud platform that provides Functions-as-a-Service (FaaS) to execute tasks as functions (fx) in response to requested events. A vulnerability was reported that allowed the attackers to replace the user functions with malicious tasks to overload the servers. Despite the vulnerabilities, it depends on the code running inside the container developed by the user.
- Windows Host Compute Service Shim (hcsshim): hcsshim is a GoLang based interface used to launch windows containers and enables host network services(HNS). A vulnerability was reported that allowed the attackers to execute remote commands on the host file system that could lead to corruption of the file system.
How to keep yourself secured?
We can always follow a few good practices to avoid the security risks of using containers as service,
- Understand the privileges you are or have been granting for the containers.
- Root level access should be revoked after as quickly as possible without sparing a moment.
- By default, containers can access the host machine resources over a bridged network, so always run commands with superuser permission inside containers as if you are executing those on the host machine itself.
- Use docker volumes wisely as containers can directly read from or write to the host file system.
- Always use the verified and official images from the docker hub and never run random docker images on your machine.
- Always use the alpine version of the images to include only bare minimum required functionalities.
- Always keep your docker-engine up to date with the latest security patches, which is a common practice and should not be difficult.
Security benchmarks:
- Docker developed a tool “Docker Bench For Secuirty” is a script based validator that checks the container against the best-practices. It is completely automated testing inspired by CIS Docker Benchmark v1.2.0.
- There’s another tool Docker Content Trust(DCT) can be used to avoid Man-In-The-Middle attacks while moving the container around the network.
Conclusion:
While most of the vulnerabilities mentioned in the article above have been fixed, docker containers are still very much likely to meet with new vulnerabilities soon. Docker is a great tool to use, but like any other tool or platform, vulnerabilities will always stand in the way that has to be wiped off. We can do our part in maintaining security with a minimum effort than facing the consequence. All we have to do is always keep our docker containers safe by understanding the granted privileges and by following best practices during the development phase.
Leave a Reply