Description
Docker is a technology that allows you to perform operating system-level virtualization. An incredible number of companies and production hosts run Docker to develop, deploy, and run applications inside containers. You can interact with Docker via the terminal and also via the Remote API. The Docker Remote API is a great way to control your remote Docker host, including automating deployment, controlling containers, getting the state of your container processes, and more. With this great power comes a great risk: if control gets into the wrong hands, your entire network can be in danger.

In February, a new Docker API vulnerability (CVE-2019-5736) was discovered that allows you to gain host root access from a Docker container. The combination of this new vulnerability and a publicly exposed Remote Docker API can lead to a fully compromised host.

The Docker Remote API listens on ports 2375 / 2376. By default, the Remote API is only accessible from the loopback interface (localhost, 127.0.0.1), and it should not be reachable from external sources.
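The following is an added example, not part of the original use case, showing how a host-side check for the condition described above (the Docker Remote API bound to a non-loopback address on 2375/2376) can be written. The sample listener lines are constructed in `ss -lntp` output format, and the function and variable names (`exposed_docker_api`, `count_exposed`, `SAMPLE_LISTENERS`) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `ss -lntp`-style output (not real host data).
# Two dockerd sockets sit on loopback (fine), one on 0.0.0.0 (exposed).
SAMPLE_LISTENERS='LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:* users:(("dockerd",pid=1234,fd=5))
LISTEN 0 4096 0.0.0.0:2376 0.0.0.0:* users:(("dockerd",pid=1234,fd=6))
LISTEN 0 4096 *:22 *:* users:(("sshd",pid=800,fd=3))
LISTEN 0 4096 [::1]:2375 [::]:* users:(("dockerd",pid=1234,fd=7))'

# exposed_docker_api: read `ss -lntp` lines on stdin and print the local
# address of every listener on the Docker Remote API ports (2375/2376)
# that is NOT bound to a loopback address (127.0.0.0/8 or [::1]).
exposed_docker_api() {
    awk '
    $1 == "LISTEN" {
        addr = $4                      # local address:port column
        n = split(addr, parts, ":")
        port = parts[n]                # last colon-separated field is the port
        if (port != "2375" && port != "2376") next
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "[::1]" || host ~ /^127\./) next   # loopback is expected
        print addr
    }'
}

# count_exposed: number of exposed Docker API listeners in the sample data.
count_exposed() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_docker_api | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_docker_api
```

On a real host the same function is fed live data with `ss -lntp | exposed_docker_api`; any line it prints is a Remote API endpoint reachable from outside the loopback interface and should be investigated or firewalled.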
References
- https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware
- https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- https://nvd.nist.gov/vuln/detail/CVE-2019-5736
Categories
Discovery
Cloud Service Discovery
Splunk
AWS