VULNERABILITY EXPLOITATION IN DOCKER CONTAINER ENVIRONMENTS
ANTHONY BETTINI
FLAWCHECK
ABOUT ANTHONY BETTINI
Working in cybersecurity since 1996 (Netect, Bindview Team RAZOR, Guardent, Foundstone Labs, McAfee Avert Labs, Intel, Appthority, FlawCheck)
Original vulnerabilities discovered in products by PGP, ISS, Symantec, McAfee, Microsoft, Apple, etc.
Founded Appthority, which did static & dynamic analysis of mobile apps and was named the Most Innovative Company of the Year at RSA Conference 2012
Most recently, founded FlawCheck, the only scalable vulnerability & malware inspection platform for container images
CONTAINERS CONTAIN … UNTIL THEY DON’T
MODERN HISTORY OF LINUX CONTAINERS
CHROOT 1979
For ftpd, not security
UNCHROOT CHROOT ESCAPE
The classic escape: a process running as root inside the jail creates a subdirectory, calls chroot() on it without changing its working directory, then walks upward with repeated chdir("..") until it reaches the real root and chroots there. It works because chroot() does not revoke handles (such as the current directory) that already point outside the jail.
CONTROL GROUPS 2007
CONTROL GROUPS (CGROUPS)
“Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized [behavior].”
Started in 2006 as “process containers”
Merged in 2007 for Linux kernel 2.6.24 (released January 2008) under the name control groups, because "containers" was already an overloaded term
Primarily authored by Google engineers for scaling out isolated workloads
Basis for at least: systemd, CoreOS, Docker, lmctfy, LXC, etc.
cgroups resource: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
LXC
Runs in userspace
Provides an interface to all of the kernel containment features:
Kernel namespaces
Control Groups
AppArmor & SELinux policies
Learn more at: https://linuxcontainers.org/lxc/introduction/
2008
2013
Solomon Hykes on "The future of Linux Containers" PyCon US 2013: https://www.youtube.com/watch?v=wW9CAH9nSLs
DOCKER VS. LXC
DOCKER BASICS
DOCKER REMOTE API EVENTS (ARCHITECTURE)
LINUX NAMESPACES
“A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers.”
Six namespaces (at the time of the talk):
1. mnt (filesystems & mount points)
2. PID (processes)
3. net (network stack)
4. UTS (hostname)
5. IPC (Linux implementation of System V IPC)
6. user (more on this later…)
namespaces(7)
USER NAMESPACES
Introduced in Linux kernel 3.8
user_namespaces(7)
Docker uses kernel namespaces but, as of this talk, did not yet fully implement user namespaces (user namespace remapping shipped later, in Docker 1.10)
More on namespaces (from Plan 9): http://www.cs.bell-labs.com/sys/doc/names.html
More on user namespaces: https://lwn.net/Articles/532593/
2013
STATE OF THE UNION: CONTAINERS IN THE ENTERPRISE
ENTERPRISES SLOW TO ADOPT CONTAINERS DUE TO CYBERSECURITY CONCERNS
JANUARY 2015
JULY 2015
VULNERABILITIES & MALWARE
AUGUST 2015
RECENT ENTERPRISE SURVEY BY FLAWCHECK
Top security concern (bar chart; the values are read off the chart in the same left-to-right order as its category labels):
Vulnerabilities & Malware: 42%
Policy Enforcement: 21%
Isolation: 16%
Auditability: 11%
Network Perimeter Security: 11%
CONTAINERS ARE EPHEMERAL
VULNERABILITIES
DOCKER INSTALLATION | sh (the install one-liner pipes a downloaded script straight into a shell)
DAEMON RUNS AS ROOT
DOCKER NETWORKING: ENUMERATE CONTAINERS
DOCKER NETWORKING: SHUTDOWN CONTAINER HOST
DOCKER ESCAPE (FIXED)
Problem stemmed from blacklisting kernel capabilities: the blacklist missed CAP_DAC_READ_SEARCH, so open_by_handle_at() succeeded from inside the container and could open files on the host filesystem by guessed file handle
In Docker 0.12.0, Docker switched to a whitelist model for kernel capabilities
Docker kernel capabilities whitelist: https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
AFFECTED < 0.11.1
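The practical check for this class of bug is to read the effective capability set of a process inside the container and see whether anything dangerous survived, rather than trusting the daemon's list. The script below is an added example (not Docker's code and not from the talk): it decodes the CapEff line of /proc/<pid>/status into capability names and flags the ones that let a container reach the host, with CAP_DAC_READ_SEARCH first on the list. The sample status texts are constructed, the file name capaudit.py is hypothetical, and the DANGEROUS set is this example's own policy choice.

```python
"""Decode CapEff from /proc/<pid>/status and flag capabilities a container
process should not hold. Added example, not Docker's own code. Usage inside
a container (capaudit.py is a hypothetical file name):
    docker run --rm alpine cat /proc/self/status | python3 capaudit.py
"""
import re
import sys

# Linux capability numbers are the bit positions of the CapEff mask
# (ordering from include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Policy for this example: CAP_DAC_READ_SEARCH is what open_by_handle_at()
# needed in the 2014 escape; the others are the usual host-takeover set.
DANGEROUS = {
    "CAP_DAC_READ_SEARCH", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_NET_ADMIN",
}


def decode_caps(mask):
    """Map a CapEff bitmask to the set of capability names it grants."""
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask & (1 << bit):
            names.add(name)
    if mask >> len(CAP_NAMES):          # bits newer than this table
        names.add("CAP_UNKNOWN(>=%d)" % len(CAP_NAMES))
    return names


def parse_cap_eff(status_text):
    """Extract the CapEff mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def audit(status_text):
    """Return the sorted list of dangerous capabilities the process holds."""
    return sorted(decode_caps(parse_cap_eff(status_text)) & DANGEROUS)


# Constructed sample status texts (not captured from real hosts).
# Docker's default whitelist: 14 capabilities, bit 2 (DAC_READ_SEARCH) clear.
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# The same set with bit 2 left in, as a blacklist that forgot it would produce.
BLACKLIST_STATUS = "Name:\tsh\nCapEff:\t00000000a80425ff\n"
# docker run --privileged on a kernel with 41 capabilities.
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    found = audit(sys.stdin.read())
    print("dangerous capabilities: %s" % (", ".join(found) or "none"))
    sys.exit(1 if found else 0)
```

The exit status makes the script usable as a gate in a container test job: a non-zero exit means a capability outside the expected set leaked in through --cap-add, --privileged or a daemon misconfiguration.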
DECOMPRESSION: HIGHEST ROI ATTACK VECTOR
Docker has to decompress container images (layer by layer, recursively) and currently does this as root on the container host; Docker accepts at least XZ, GZ and plain TAR
Cloud Service Providers (CSP) are particularly at risk if they do not validate container images before unpacking them
T. TIIGI WORKS AT DOCKER NOW
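What "validating container images before unpacking" looks like in practice is an inspection pass over each layer tarball before any byte is written to disk. The block below is an added example (not Docker's extraction code and not FlawCheck's product): it walks the archive headers of a layer, rejects members and link targets that climb above the extraction root, rejects device nodes, and compares the declared size of the layer against the size of the archive to catch decompression bombs. The thresholds MAX_RATIO and MAX_TOTAL are hypothetical policy values, and the sample layers are constructed in memory for illustration.

```python
"""Pre-extraction inspection of a container image layer tarball.
Added example, not Docker's extraction code. MAX_RATIO and MAX_TOTAL are
hypothetical policy thresholds; the sample layers are constructed data."""
import gzip
import io
import posixpath
import sys
import tarfile

MAX_RATIO = 100        # declared bytes per byte of archive (bomb detection)
MAX_TOTAL = 1 << 30    # largest layer this policy will unpack (1 GiB)


def escapes_root(path):
    """True if a root-relative path still climbs above the extraction root."""
    norm = posixpath.normpath(path.lstrip("/"))
    return norm == ".." or norm.startswith("../")


def inspect_layer(blob):
    """Return a list of findings; an empty list means the layer passed."""
    findings = []
    declared = 0
    # mode "r:*" auto-detects gzip/bz2/xz; only headers are read here.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            declared += m.size
            if escapes_root(m.name):
                findings.append("member path escapes root: %s" % m.name)
            if m.issym():
                # Relative symlink targets resolve from the link's own directory;
                # absolute ones resolve from the image root, never the host root.
                target = m.linkname
                if not target.startswith("/"):
                    target = posixpath.join(posixpath.dirname(m.name), target)
                if escapes_root(target):
                    findings.append("symlink escapes root: %s -> %s" % (m.name, m.linkname))
            elif m.islnk() and escapes_root(m.linkname):
                findings.append("hardlink escapes root: %s -> %s" % (m.name, m.linkname))
            if m.isdev():
                findings.append("device node in layer: %s" % m.name)
    if declared > MAX_TOTAL:
        findings.append("declared size %d exceeds MAX_TOTAL" % declared)
    if declared > MAX_RATIO * max(len(blob), 1):
        findings.append("decompression ratio about %d:1 exceeds %d:1"
                        % (declared // max(len(blob), 1), MAX_RATIO))
    return findings


def make_layer(files, links=(), compress=False):
    """Build a layer in memory: files is {name: bytes}, links is a list of
    (name, target, is_symlink). Constructed test data, not a real image."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target, is_symlink in links:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE if is_symlink else tarfile.LNKTYPE
            info.linkname = target
            tar.addfile(info)
    blob = raw.getvalue()
    return gzip.compress(blob) if compress else blob


# Constructed sample layers.
SAFE_LAYER = make_layer({"etc/motd": b"hello\n"},
                        links=[("bin/sh", "busybox", True)], compress=True)
TRAVERSAL_LAYER = make_layer({"../../etc/cron.d/evil": b"* * * * * root id\n"})
LINK_LAYER = make_layer({}, links=[("lib/x", "../../../../root/.ssh", True)])
BOMB_LAYER = make_layer({"zeros": bytes(8 * 1024 * 1024)}, compress=True)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for line in inspect_layer(f.read()) or ["ok"]:
            print(line)
```

Two caveats belong with this check. It inspects headers only, so the extractor must still refuse to follow symlinks while writing (a link that points inside the root at inspection time can be replaced by a later member in the same archive), and the ratio test works on the declared sizes in the headers, so an extractor that trusts those sizes less than the stream itself should also cap the bytes it actually writes.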
BASH IN A DOCKER CONTAINER?
Present in >50% of popular containers on Docker Hub
In homegrown containers it is either nearly always present or almost never, depending on how the CI/CD automation builds the images
/bin/bash is typically not the process the container actually runs, but it can be
CVE-2014-6271 (Shellshock)
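Whether a bash copy that nobody runs directly still matters depends on whether it is the vulnerable one, and that is quick to test. The block below is an added example (not from the talk): it runs the public environment-function probe for CVE-2014-6271 against a bash binary and reports vulnerable, patched, or absent. The canary string and the function names are this example's own; a vulnerable bash executes the command after the function body while importing the environment, a patched one does not.

```python
"""Probe a bash binary for CVE-2014-6271 (Shellshock). Added example, not
from the talk. Uses the public environment-function test: a vulnerable bash
runs the trailing command while importing the exported function."""
import shutil
import subprocess

CANARY = "SHELLSHOCK_CANARY_7f3a"            # constructed marker string
PAYLOAD_ENV = "() { :; }; echo %s" % CANARY   # function body, then a command


def parse_shellshock_output(output):
    """True if the trailing command ran, i.e. the canary reached the output."""
    return CANARY in output


def check_shellshock(bash="bash"):
    """Return True (vulnerable), False (patched) or None (no such binary)."""
    path = shutil.which(bash)
    if path is None:
        return None
    # The variable name does not matter to a vulnerable bash; any exported
    # value beginning with "() {" was parsed as a function definition.
    proc = subprocess.run(
        [path, "-c", "echo probe"],
        env={"PATH": "/usr/bin:/bin", "x": PAYLOAD_ENV},
        capture_output=True, text=True, timeout=10,
    )
    return parse_shellshock_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    import sys
    result = check_shellshock(sys.argv[1] if len(sys.argv) > 1 else "bash")
    print({True: "VULNERABLE", False: "patched", None: "no bash found"}[result])
```

To test the copy inside an image rather than the host's, run the script with the container's bash as the entrypoint target, for example `docker run --rm -v "$PWD":/t IMAGE python3 /t/shellshock_check.py /bin/bash` (image name and file name are placeholders); a container that has no bash at all reports "no bash found", which is the answer the slide's point about base-image choice is steering toward.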
ELASTICSEARCH CVE-2014-3120
CVE-2014-3120 is an RCE bug in ElasticSearch (prior to 1.2.0): dynamic MVEL scripting was enabled by default, so a crafted search request could run arbitrary code on the node
Ben Hall @ Ocelot Uproar was running ElasticSearch in a Docker container and it was breached via CVE-2014-3120 (probably the first publicly-admitted breach of a Docker container environment in the wild (ITW))
Actively exploited in the wild, and a Metasploit module is available (works against Dockerized ElasticSearch): https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
TEARING APART CONTAINERS: What did we find?
MODERN ANALOGY
Android Market: launched in 2008 | Docker Hub: launched in 2014
Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED
ANDROID MALWARE
Android Market launched without doing security inspection of uploaded apps
Today, Google performs static & dynamic analysis of Android apps, with the hope of finding malware
Long list of Android malware:
http://forensics.spreitzenbarth.de/android-malware/
IS ELF MALWARE REALLY A CONCERN?
DOCKER HUB
Docker Hub overall:
>15,000 pre-built containers
>500 million downloads
No security inspection by Docker
>30% of containers have vulnerabilities
Docker Hub official images:
~100 official images (tag: latest)
Blue-ribbon from Docker
No security inspection by Docker
>90% of official images have vulnerabilities
BLACK HAT SOUND BYTES
Concerns about vulnerabilities & malware in containers are holding Docker back from production deployments in enterprises
Isolation (even strong isolation) does not mean data exfiltration won't occur: a compromised web-tier container can still read and send out whatever data it has access to
If you download a pre-built container from Docker Hub, there is a high chance it comes with vulnerabilities out of the box (and therefore should not be run in production as-is)