Docker is a virtualization platform based on container technology. Virtualization creates virtual machines so that physical hardware can be used efficiently, and it is divided by method into virtual machines and containers. Container technology creates an isolated environment by separating processes from each other while still using the functions of the host OS as they are.
Docker, the de facto industry standard for container-based virtualization, can cause significant damage in the event of a security vulnerability precisely because it is so widely used. This article deals with the severe security issues that can occur when Docker containers are exposed on the attack surface, and with how to detect that exposure using an OSINT search engine.
The Heart of the Security Issue: Private Docker Registry
A Docker deployment consists of the Docker Client, Docker Host, and Docker Registry. The component most likely to become a security issue is the Docker Registry. The registry holds the images and related information managed by Docker, and it is divided into Public Registry and Private Registry depending on whether it is open to the outside. A Public Registry is a repository that is open to the outside, such as Docker’s official registry, Docker Hub, or the registries of other vendors. A Private Registry, in contrast, is built by the user and used on an internal network, usually with access limited to a company or team. Because it is assumed not to be reachable from outside, it often contains sensitive information, so an insufficient configuration of a Private Registry can turn directly into a security problem. In addition, Docker registries are sometimes connected to the external Internet for convenience, or installed in the cloud and forgotten. When that happens, unauthorized external access becomes possible, and security incidents such as leakage of development source code can occur.
By entering the following queries in the Title filter of Criminal IP Asset Search, you can detect Private Registries that are exposed on the attack surface.
Search Query : Title: Docker Registry
Search Query : Title: Docker Registry UI
Search Query : Title: Docker Registry Browser

Even if a Docker Registry is exposed on the attack surface, if it returns HTTP 401 (authentication required) when accessed, as shown in the image below, the repository at least has a login step. Such repositories are unlikely to be fully compromised unless their passwords are exposed. Ultimately, however, external network access should be blocked so that not even this login page is reachable.

Among the registries detected by Criminal IP, users can also find registries with no login authentication at all. On connecting, the Repositories screen shown below appears, and the contents of the repository are completely exposed. Opening any one of them exposes all of the confidential files it contains. This means that hackers and ordinary users alike can download image files containing critical source code without authenticating.

[Criminal IP Search 101 – Is Your Docker Registry Safe?]
Attack Surface Exposed by Docker API Servers
The registries discussed above were detected by searching for the page title with the OSINT search engine, which works because a web page exists. But even when there is no web page, the information in the Docker container may still be exposed through the API server. The Docker Registry HTTP API is a REST API for managing the distribution of Docker images, and it gives access to the same content as the registry itself. Therefore, an exposed Docker Registry HTTP API server without login authentication is equivalent to a Docker Registry that can be accessed without authentication.
To detect exposed Docker API servers with Criminal IP Asset Search, search for “Docker-Distribution-Api-Version”, the response header that the Docker Registry API server sends.
Search Query : Docker_Distribution_Api_Version

When you access the Docker Registry API server, only the header information is displayed and no body, as shown in the screen below, so at first glance there appears to be no security problem.
However, with one additional request you can obtain specific information about the Docker Registry from the API server.

As shown in the image below, if you connect to the API server and append the “/v2/_catalog” path, you get the shocking result that every repository is listed.
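As an added example (not code from the Criminal IP article), the following Python script performs, against a registry you operate, the two checks described above and in the earlier section on the 401 login page: it requests /v2/_catalog, reads the Docker-Distribution-Api-Version header, and reports whether the registry demands authentication (401 with a WWW-Authenticate challenge) or lists its repositories anonymously. The base URL and the `n=1` page-size cap are assumptions of this example; the pure classification function can be reused against saved scanner output.

```python
"""Self-audit of a Docker Registry endpoint: does it require authentication?

Added example, not from the Criminal IP article. It checks a registry you
operate (the URL is an assumption you supply): a 401 with a WWW-Authenticate
challenge on /v2/_catalog means authentication is enforced; a 200 carrying the
Docker-Distribution-Api-Version header means the catalog is open to anyone.
"""
import json
import sys
import urllib.error
import urllib.request

API_HEADER = "docker-distribution-api-version"


def classify_registry_response(status, headers, body=b""):
    """Classify one HTTP response from GET /v2/_catalog.

    Returns one of:
      'authenticated' - 401 plus an auth challenge: a login step exists
      'open'          - 200: the repository list is served anonymously
      'not-registry'  - the Docker-Distribution-Api-Version header is absent
      'unexpected'    - anything else (403, 5xx ...): review manually
    Header names are compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if API_HEADER not in lower:
        return "not-registry"
    if status == 401 and "www-authenticate" in lower:
        return "authenticated"
    if status == 200:
        return "open"
    return "unexpected"


def repositories_from_catalog(body):
    """Parse the /v2/_catalog JSON body and return the repository names."""
    text = body.decode("utf-8") if isinstance(body, bytes) else body
    return list(json.loads(text).get("repositories", []))


def audit_registry(base_url, timeout=5):
    """GET <base_url>/v2/_catalog and report whether it is reachable anonymously."""
    # n=1 (registry pagination parameter) caps the listing: the goal is to
    # confirm exposure, not to enumerate every repository.
    url = base_url.rstrip("/") + "/v2/_catalog?n=1"
    req = urllib.request.Request(url, headers={"User-Agent": "registry-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers, body = resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        status, headers, body = e.code, dict(e.headers), e.read()
    except urllib.error.URLError as e:
        return {"url": url, "status": None, "verdict": "unreachable", "error": str(e.reason)}
    verdict = classify_registry_response(status, headers, body)
    repos = repositories_from_catalog(body) if verdict == "open" else []
    return {"url": url, "status": status, "verdict": verdict, "repositories": repos}


if __name__ == "__main__":
    # Assumed default: a registry on the local machine.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:5000"
    print(json.dumps(audit_registry(target), indent=2))
```

Run it as `python registry_audit.py https://registry.example.internal` (hostname assumed) from outside your network: a verdict of `open` is exactly the exposure the article describes, and `authenticated` still means the endpoint should be removed from the public attack surface.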


Configuration File Security Issues in Docker Compose
Docker Compose is a function that lets multiple containers be grouped and run together. Because developers can link multiple systems as if they were a single application, it removes a lot of tedious work.
For example, to serve a web application, a web server (Apache, IIS, Nginx) and a database (Oracle, MySQL, PostgreSQL) must be configured at the same time. Even with Docker, these containers would otherwise have to be created individually. Docker Compose makes this much easier because developers can bundle multiple containers into a single service.
Security issues can arise, however, with the YAML configuration files used by Docker Compose. Anyone who can read the YAML file can obtain the credentials of the web server or database server built with Docker, and if the server running Docker Compose leaves a directory listing vulnerability in place, the YAML file can be accessed and the credentials taken with ease.
Websites exposing Docker Compose YAML files can be detected with Criminal IP Asset Search using the following combination of filter and keyword.
Search Query : Docker-compose.yml title: Index of /

A total of 430 search results were found, and on connecting to an accessible server, the docker-compose.yml configuration file was exposed on a website with directory indexing enabled.


Looking closely at the exposed docker-compose.yml file, the username and password are listed in the environment variables used for authentication.
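The exposure described above has two layers: the file is reachable through directory indexing, and the file itself carries credentials in clear text. The second layer is something a defender can check before deployment. The following Python scanner is an added example, not code from the article; the two compose files embedded in it are constructed for illustration. It walks the `environment:` blocks of a compose file and reports any password, secret, token or key whose value is a literal rather than a `${VAR}` reference, and it shows the hardened form (value supplied from the environment or an `env_file` kept out of the web root) passing clean.

```python
"""Scan docker-compose.yml text for credentials hard-coded under `environment:`.

Added example; the compose files below are constructed, not the one from the
article. Detection is line-based so no YAML library is needed: inside an
`environment:` block, an entry whose key looks secret-bearing and whose value
is a literal (not a ${VAR} reference) is reported with its line number.
Inline-list form (`environment: [A=b]`) is not handled.
"""
import re

SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
LIST_ENTRY_RE = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")   # - KEY=value
MAP_ENTRY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.+)$")  # KEY: value
INTERPOLATION_RE = re.compile(r"^\$\{[^}]*\}$|^\$[A-Za-z_][A-Za-z0-9_]*$")  # ${VAR} or $VAR

# Constructed: the weak pattern seen in exposed files, credentials in clear text.
WEAK_COMPOSE = """\
version: "3.8"
services:
  db:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD: Sup3rSecret!
      MYSQL_DATABASE: app
  web:
    image: nginx
    ports:
      - "80:80"
    environment:
      - ADMIN_PASSWORD=letmein
      - API_TOKEN=${API_TOKEN}
"""

# Constructed: the hardened form, secrets come from the shell/.env or an env_file.
HARDENED_COMPOSE = """\
version: "3.8"
services:
  db:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}   # value lives in .env, not in the file
      MYSQL_DATABASE: app
  web:
    image: nginx
    ports:
      - "80:80"
    env_file:
      - web.env        # kept outside the web root and out of version control
"""


def find_hardcoded_secrets(compose_text):
    """Return [(line_no, key, value)] for literal secrets under `environment:`."""
    findings = []
    in_env, env_indent = False, 0
    for no, line in enumerate(compose_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent:
            in_env = False  # dedented: the environment block has ended
        if not in_env:
            continue
        m = LIST_ENTRY_RE.match(line) or MAP_ENTRY_RE.match(line)
        if not m:
            continue
        key = m.group(1)
        value = re.sub(r"\s+#.*$", "", m.group(2)).strip().strip("'\"")  # drop YAML comment
        if SECRET_KEY_RE.search(key) and value and not INTERPOLATION_RE.match(value):
            findings.append((no, key, value))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        hits = find_hardcoded_secrets(text)
        print(f"{name}: {len(hits)} hard-coded secret(s)")
        for no, key, _ in hits:
            print(f"  line {no}: {key} is a literal value")
```

Run the scanner over a real file with `find_hardcoded_secrets(open("docker-compose.yml").read())`. Moving the value into `.env` or an `env_file` only helps if that file is also kept out of any directory-indexed path, which is the first layer of the exposure the article shows.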

Security Issues in Docker Swarm
Docker Swarm is a container orchestration tool that combines multiple Docker hosts into a single cluster; like Docker Compose, it is used for convenience.
Exposed Docker Swarms can be found by searching for Title: Docker Swarm on Criminal IP Asset Search.
Search Query : Title: Docker Swarm

A total of 24 Docker Swarms were found; the screen shown when connecting to an actual manager node is as follows.
If this manager node can be reached from the outside, a wide range of serious security problems can arise.

Conclusion
Docker, used for building and deploying an efficient development environment, has become an indispensable platform. Unfortunately, hackers always target widely used, unavoidable services, so even a minor security flaw in Docker can cause serious damage. Such flaws are not inherent to using Docker containers, though: officially announced vulnerabilities can be addressed with prompt security patches and the published inspection guides.
The Docker container security issues discussed above, however, are not caused by the platform itself but by users’ insecure settings and poor attack surface management. And not only Docker: every application used by an individual or a company can have security problems caused by exposure of the attack surface. Many security analysts say that in the cloud era more products and services will be used, and the attack surface targeted by hackers will grow with them. The only way to address this is to quickly detect, recognize, and act on exposed assets. To reduce the attack surface, periodic asset management through an OSINT search engine such as Criminal IP or an automated attack surface management system such as Criminal IP ASM is recommended.
See also the article on the Django web application, which can leak and allow manipulation of information because its API key is exposed on the attack surface.
Source : Criminal IP (https://www.criminalip.io)