Problem Statement: Running Docker containers in privileged mode is a liability, because a compromise in the privileged container may also lead to the host machine getting compromised.
Privileged Docker containers are containers that are run with the --privileged flag. Unlike regular containers, these containers have root privileges on the host machine. Privileged containers are often used when the containers need direct hardware access to complete their tasks. However, privileged Docker containers can enable attackers to take over the host system.
Enumeration: The first thing you should do is confirm whether the vulnerability exists in your environment. Enumerate the provisioned containers and find out whether any of the containers are running in privileged mode.
A privileged container holds the NET_ADMIN capability, so the script below detects privileged mode by trying to add a network interface. The check works because normal containers are not allowed to add network interfaces.
#!/bin/bash
# Install the ip utility if it doesn't exist (Debian/Ubuntu-based images)
apt-get update && apt-get install -y iproute2
# Adding an interface only succeeds when the container holds NET_ADMIN
if ip link add dummy0 type dummy >/dev/null 2>&1; then
    echo "Container is privileged"
    # clean the dummy0 link
    ip link delete dummy0 >/dev/null 2>&1
else
    echo "Container is not privileged"
fi
SSH into the containers and run the script to find the privileged container:
Container is not privileged
Container is privileged
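An alternative to the interface test, as an added example that is not from the original post: it reads the capability bounding set from /proc instead of installing iproute2 and creating an interface, and it separates a fully privileged container from one that was only given NET_ADMIN (for example with --cap-add), which the dummy0 test also reports as privileged. The function names, result labels and sample masks are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post). Classifies a container from its
# capability bounding set, with no package install and no change to the network.

CAP_NET_ADMIN=12   # bit position of CAP_NET_ADMIN in the capability mask

# classify_capmask HEX_MASK LAST_CAP
#   HEX_MASK  CapBnd value from /proc/<pid>/status (hex digits, no 0x prefix)
#   LAST_CAP  highest capability number the kernel supports
#             (contents of /proc/sys/kernel/cap_last_cap)
classify_capmask() {
    mask=$(( 0x$1 ))
    full=$(( (1 << ($2 + 1)) - 1 ))      # every capability bit the kernel knows
    if [ $(( mask & full )) -eq "$full" ]; then
        echo "privileged"                # full set, as granted by --privileged
    elif [ $(( (mask >> CAP_NET_ADMIN) & 1 )) -eq 1 ]; then
        echo "net_admin_added"           # NET_ADMIN present, but not the full set
    else
        echo "not_privileged"
    fi
}

# Bounding set of the current process; unlike CapEff it is not cleared when
# the container runs as a non-root user.
current_capmask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null
}

# Constructed sample masks (last_cap = 40): default set, default + NET_ADMIN, full set
for sample in 00000000a80425fb 00000000a80435fb 000001ffffffffff; do
    echo "$sample -> $(classify_capmask "$sample" 40)"
done

# Classify the environment this script is running in, when /proc is available.
m=$(current_capmask)
if [ -n "$m" ] && [ -r /proc/sys/kernel/cap_last_cap ]; then
    echo "this container: $(classify_capmask "$m" "$(cat /proc/sys/kernel/cap_last_cap)")"
fi
```

From the host, `docker inspect --format '{{.HostConfig.Privileged}}' <container>` reports the flag directly without logging in to the container.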
Normally you would add capabilities to the Docker container based on what additional functionality is needed. In this case, you may simply run the container without the privileged flag and without any additional capabilities.
Running a container in Privileged Mode
docker run --name ubuntu-ssh2 -d -p 2200:22 --privileged --restart=always ubuntu-ssh
Running a container in Normal Mode
docker run --name ubuntu-ssh2 -d -p 2200:22 --restart=always ubuntu-ssh
Summary:
However, this doesn't mean that privileged containers should absolutely not be used. Organizations just need to make sure that safeguards are set in place when running such containers in their environments.
Here are some security recommendations for using privileged containers:
Implement the principle of least privilege. Access to critical components like the daemon service that helps run containers should be restricted. Network connections should also be encrypted.
Containers should be configured so that access is granted only to trusted sources, which includes the internal network. This includes implementing proper authentication procedures for the containers themselves.
Follow recommended best practices. Docker provides a comprehensive list of best practices and has built-in security features professionals can take advantage of, such as configuring Linux hosts to work better with Docker via post-installation.
Carefully assess needs. Does the use case absolutely have to run in Docker? Are there other container engines that do not run with root access and can do the job as effectively? Can it be done differently? Do you accept the risks associated with this need?
Security audits should be performed at regular intervals to check for any suspicious containers and images.