Crypto miners exploit vulnerable Docker hosts

vulnerable Docker hosts

Security researchers from Imperva have found thousands of Docker hosts exposed to a new vulnerability and exposed remote Docker API. The new research describes the threat along with sample scripts and what can be done about it.

Docker is a lightweight, standalone, executable software package that performs operating system (OS) level virtualization, also known as “containerization.”

In February, a new vulnerability (CVE-2019-5736) was discovered in February and could allow an attacker to gain host root access from a Docker container. To compound matters, this bug when combined with exposed Docker API can lead to a compromised host, Imperva said in a recent blog post.

Attackers have been known to use the Docker remote API exploits for purposes of cryptocurrency mining and financial gain.

The container runc vulnerability CVE-2019-5736 was described in a NIST security advisory:

“runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.”

The Imperva researchers scanned the internet to find open ports running Docker that were exposed to remote attacks.

“In total, the team found 3,822 Docker hosts with the remote API open and public, and after attempting to connect to IPs via port 2735 to list Docker images, a total of 400 IPs out of 3,822 were accessible,” Imperva noted and provided an image below.

Imperva also provided several examples of how hackers can use scripts to attack Docker hosts.

In the first example, hackers can gain access to files on the Docker host and mounted volumes by running certain commands. Depending on permissions of the mounts, attackers could even access external storage and change data.

In another example, Imperva noted that you can use ready made Docker images and built-in tools (such as nmap) to scan for other vulnerable Docker hosts with exposed ports on the internal network.

A third example described how credentials could be exposed.

“You can find examples of passwords sent as environment variables in the documentation of many Docker repositories,” Imperva warned.

Three simple examples were provided to detect exposed credentials using the Docker remote API:

  • Docker inspect command
  • “env” command on a container
  • credentials files on the host.

Readers should ensure only trusted sources can access Docker APIs and are encouraged to review the Docker guidance, Protect the Docker daemon socket.

Also, see related Docker threat from last October in an article titledMisconfigured Docker containers abused to deliver cryptocurrency mining malware.