Other issues in this category (69)
Your dear image riddled with holes
The Anti-virus Times has already told its readers about security issues involving the now-popular container platform Docker. With Docker, applications can be run in a virtual environment. All the libraries and resources required by an application are available in the respective container so they don’t need to be present in the system. This may come in handy if a certain application requires a particular version of a certain library that no other applications use. That way you can run a legacy version of an application, for example, to use a certain feature that has been removed in later versions.
On average, containers enjoy greater popularity than virtual machines. Multiple lightweight containers can be run even on less powerful hardware.
But this advantage also has a drawback: legacy applications and libraries can have unpatched vulnerabilities, which intruders can leverage.
The Internet is abundant with container images that do all kinds of useful and cool things, but if you download images that don't go through any sort of verification or validation procedure, you are essentially opting to run arbitrary code in your system.
- Where was this image downloaded from?
- Do you trust its maker? What security policies do they use?
- Can you confirm with 100 percent certainty that the container image has indeed been created by these people?
- Are you confident that the image wasn't tampered with after it was uploaded?
Furthermore, unlike virtual machines, all Docker applications are run under a single operating system even though they have no access to its files. To be more precise, they didn't have access until recently.
The vulnerability CVE-2019-5736 lets infected containers overwrite the runC executable in the system and run it with root privileges. This lets a nefarious container gain control over a host and lets attackers run any commands they want in the system.
So here we are talking about infected containers. In the issue featuring Dr.Web Cloud, we demonstrated that an anti-virus on a server machine where images are being launched easily detects malware lurking within containers. So it turns out that once again the problem is not about vulnerabilities but rather about server administrators who do not use anti-virus software.
- Vulnerabilities have been, are, and always will be, so an anti-virus is an essential system security component.
- Scan all image containers with your anti-virus before using them.
- Install updates—including those that update the Docker components.
Limit access permissions. The containers must not have access to system components.
The term “container breakout” is used to denote that a Docker container has bypassed isolation checks, accessing sensitive information from the host or gaining additional privileges. To prevent this, we want to reduce the default container privileges. For example, the Docker daemon runs as root by default, but you can create a user-level namespace or drop some of the container root capabilities.