Docker is a virtualization platform based on container technology. Virtualization is a technology that creates virtual machines to efficiently utilize hardware, which is a physical resource. Depending on the virtualization method, it is divided into virtual machines and containers. Container technology refers to a technology that creates an independent environment by isolating processes while using the functions of the host OS as it is.
Docker, which is used as a de facto industry standard as a container-based virtualization platform, can cause significant damage in the event of security vulnerabilities as it is widely used. This article deals with the severe security issues of Docker containers that can occur due to exposure of the attack surface and how to detect the attack surface of Docker containers using the OSINT search engine.
The Heart of the Security Issue: Private Docker Registry
A Docker container consists of the Docker Client, Docker Host, and Docker Registry. One that can be a security issue, in particular, is the Docker Registry. Docker Registry contains various important information managed by Docker and is divided into Public Registry and Private Registry depending on whether it is disclosed to the outside. Public Registry is a repository that is open to the outside, such as Docker’s official registry, Docker Hub, or registries of other vendors. On the contrary, Private Registry is built privately by the user and used in the internal network, and it is common that only limited users, such as a company or team members, can access it. Since external access is not possible, it often contains sensitive information, so a security issue such as an insufficient configuration in the Private Registry can be directly linked to a security problem. In addition, sometimes Docker repositories are connected to the external Internet for convenient use or installed in the cloud and forgotten. Due to these security issues, external unauthorized access is possible, and security incidents such as development source leakage may occur.
By entering the following query in the Title filter in Criminal IP Asset Search, you can detect the Private Registry that is exposed to the attack surface.
Search Query : Title: Docker Registry
Search Query : Title: Docker Registry UI
Search Query : Title: Docker Registry Browser
Even if the Docker Registry is exposed to the attack surface, if the login verification code, 401 code, is output as shown in the image below when accessed, it is a repository with at least a login authentication step. These repositories are unlikely to be entirely at risk unless passwords are exposed. Ultimately, external network access must be blocked so that even such a login page is not displayed.
Users can find registries without the login authentication among the registries detected by Criminal IP. If you connect, you will see the Repositories screen, as shown below, and the important files inside the repository are completely exposed. Accessing one of them will expose all the confidential files in this repository. This means that hackers and ordinary people alike can easily download image files containing critical source code without being authenticated.
[Criminal IP Search 101 – Is Your Docker Registry Safe?]
Attack Surface Exposed by Docker API Servers
The registries discussed above were detected by searching for the title name of the page with the OSINT search engine because the web page exists, but even if the web page does not exist, the information in the Docker container may be exposed through the API server. Docker Registry HTTP API is a REST API for conveniently managing Docker image distribution, and it plays the same role as Docker Registry. Therefore, if the Docker Registry HTTP API server without a login authentication system is exposed, it is the same as accessing the Docker Registry without authentication.
To detect exposed Docker API servers by Criminal IP Asset Search, search for “Docker-Distribution-Api-Version”, the header phrase of the API server in the Docker Registry.
Search Query : Docker_Distribution_Api_Version
When accessing the Docker Registry API server, no Body information is displayed except for the header information, as shown in the screen below. There seems to be no particular security problem.
However, as an additional action, you can obtain specific information about the Docker Registry from the API server.
As shown in the image below, if you connect to the API server and add the “/v2/_catalog” command, you will see a shocking result that lists all Repositories.
Configuration File Security Issues in Docker Compose
Docker Compose is a function that allows multiple containers to be organically grouped and used. This feature enables developers to easily and usefully work without complicated tasks because it allows them to link multiple systems as if they were a single application.
For example, when servicing a web application, a web server (Apache, IIS, Nginx) and a database (Oracle, MySQL, PostgreSQL) must be configured at the same time. Even if you use Docker at this stage, you will need to create containers individually. However, Docker Compose makes things very easy because developers can bundle multiple containers into a single service.
However, security issues can arise with the YAML configuration files used by Docker Compose. If you can access the YAML file, you can steal the account of the web server or DB server made with Docker, and if the server used by Docker Compose leaves the directory listing vulnerability intact, you can easily access the YAML file and steal the account.
You can detect websites with Docker Compose YAML files with Criminal IP Asset Search using the following filter and keyword combinations.
Search Query : Docker-compose.yml title: Index of /
A total of 430 search results were found, and when connecting to an accessible server, the Docker-Compose.yml configuration file was exposed on the website where the directory was indexed.
If you look closely at the exposed Docker-Compose.yml configuration file, the Username and Password are listed in the environment variables related to authentication.
Security Issues in Docker Swarm
Docker Swarm is a container orchestration management tool that combines multiple Docker hosts into a single cluster and is used for convenience, like Docker Compose.
Exposed Docker Swarms can be found by searching with Title: Docker Swarm on Criminal IP Asset Search.
Search Query : Title: Docker Swarm
A total of 24 Docker Swarms were found, and the screen connecting to the actual manager node is as follows.
If this manager node is allowed to be accessed from the outside, a number of unimaginable security problems can arise.
Docker, used for building and deploying an efficient development environment, has become an indispensable platform. Unfortunately, hackers always target widely used and inevitably used services, so even a minor security flaw in Docker can cause serious damage. However, using Docker containers does not cause these security flaws; rather, officially announced vulnerabilities can be addressed with quick security patches and inspection guides.
However, the Docker container security issues discussed above are unfortunately not caused by the security issues of the platform itself but by the user’s unsecured settings and poor attack surface management. And not only Docker but all applications used by individuals or companies have security problems due to the exposure of the attack surface. Many security analysts say that more products and services will be used in the future in the cloud era and that the attack surface targeted by hackers will also increase. The only way to solve this problem is to quickly detect, recognize and act on exposed assets. To reduce the attack surface, it is recommended to perform periodic asset management through an OSINT search engine such as Criminal IP or an automated attack surface management system such as Criminal IP ASM.
Please refer to the article about the Django web application, which can leak and manipulate information due to exposure of the attack surface of the API key.
Source : Criminal IP (https://www.criminalip.io)
Related Article(s) :