
Malicious Docker images: How to detect vulnerabilities and mitigate risk

November 10, 2020 by Greg Belding

Introduction

Shortcuts are popular because they are convenient and save time. Developers have embraced Docker because it lets you package everything an application needs to run into a single image that can be deployed unchanged to any host. The convenience has a cost: an image bundles an operating-system layer and third-party packages along with the application, so a vulnerability or a planted binary in any of those layers ships with every container started from it and can put an entire environment at risk.

This article covers Docker images: what they are, how they can be malicious, how to detect vulnerabilities in them and how to mitigate the risk.

What are Docker images and how can they be malicious?

Docker images are the read-only packages from which Docker containers are started on the platform of the same name. They are attractive because they wrap up everything an application needs into a single artifact. An image consists of multiple layers, beginning with the operating-system layer (the base image) and ending with the application layer, and the same image runs on any host with a compatible kernel and CPU architecture without any change to the image.

A malicious Docker image carries unwanted code in one of its layers, while a vulnerable image carries exploitable flaws; both reach production the same way. The practical problem is that publicly available images are often pulled to save time, and they can contain either. Infections that originate in an image can be quite dangerous: every container on a host shares that host's kernel, so code running in one compromised container can attack the other containers on the same host, and a container escape exposes the host itself.

In a recent case, malicious images were published on Docker Hub, the default and otherwise legitimate source of Docker images. The images contained XMRig, a cryptominer that consumes the victim's CPU time to mine cryptocurrency for the attacker.

Unit 42 researchers identified six versions of a Docker image that bundled XMRig and used it to mine Monero. A Python script in the image, dao.py, launched the mining. The images were pulled more than 2 million times, and just one of the several wallets the miner paid into held about 525 Monero, worth roughly $36,000 at the time. In response, Docker Hub removed the account that created and published the images.

How to detect vulnerabilities

Now that you know how Docker images can be malicious, you are probably wondering whether their vulnerabilities can be detected. Many can, with Docker image scanning tools. These tools unpack the image, inventory the packages and dependencies installed in it (typically by reading the distribution's package database and language-specific manifests) and match the names and versions found against databases of known vulnerabilities. Note that detection depends on the vulnerability already being known and catalogued: a scanner reports only what is in its database.

Registry-integrated scanning, such as the scanning built into Quay and Docker Hub, can check every image stored in your registry automatically whenever one is pushed. Notary (the basis of Docker Content Trust) is a different kind of control: it signs images so you can verify who published them, but it says nothing about whether they are vulnerable. For an image that is not stored in a scanned registry (or if you are unsure whether it is), tools such as Clair and Anchore can run a one-off scan. One-off scanning does not scale well to large deployments, where scanning should be automated in the registry or the build pipeline instead.

Scanners such as Clair and Docker Hub's scanning analyze an image layer by layer rather than as a single opaque filesystem. This is what you want in a scanning tool, because each vulnerability enters the image in a specific layer: layer-level results tell you which Dockerfile instruction (or which base image) introduced a vulnerable package and whether a later layer upgraded it, and results for a shared base layer can be reused across every image built on it.

While scanning detects many vulnerabilities in Docker images, it has limitations. Scanning will not help with:

  • The current state of your running container environment, such as containers started with excessive privileges or from images that were scanned long ago
  • Vulnerabilities that are unknown or have not yet been reported to a database the scanner uses
  • Insecure shared resources, such as host directories or sockets mounted into containers
  • Vulnerable code that is not visible by package name and version, such as libraries vendored into an application directory or statically compiled into a binary

Vulnerability scanning for Docker images should be merely one component of your organization’s security profile.
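To make the layer-by-layer matching described above concrete, here is an added example of the core logic such a scanner runs, written for this article and not taken from Clair, Anchore or any other real tool. It models each layer as the change it makes to the image's package database, matches package versions against a vulnerability database, attributes each finding to the layer that introduced it and records whether a later layer remediated it. Everything in it is constructed: the layer digests, the advisory identifiers, the package versions and the "fixed in" versions are invented for illustration, and version comparison is simplified to dotted integers (real distribution versions carry epochs and revisions and need the distribution's own comparison rules). The sample image also shows two of the limitations listed above: a package whose flaw is not in the database and a library copied into the image outside the package manager both go unreported.

```python
"""Layer-by-layer package scan, reduced to its core logic (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version such as '7.64.0' into a comparable tuple.
    Simplification: real Debian/RPM versions (e.g. '7.64.0-4+deb10u1') carry
    epochs and revisions and need the distribution's own comparison."""
    return tuple(int(part) for part in text.split("."))


# CONSTRUCTED vulnerability database: package -> [(advisory id, first fixed version)].
# The advisory ids and version numbers are invented for this example, not real CVEs.
VULN_DB: Dict[str, List[Tuple[str, str]]] = {
    "curl": [("EXAMPLE-2020-0001", "7.71.0")],
    "openssl": [("EXAMPLE-2020-0002", "1.1.1")],
}


@dataclass
class Layer:
    """One image layer, reduced to the change it makes to the package database.
    A real scanner derives this by diffing the layer tarball's package metadata
    (dpkg status file, rpm database, language lock files)."""
    digest: str
    instruction: str                 # the Dockerfile step that produced the layer
    installed: Dict[str, str]        # package -> version written by this layer
    removed: Tuple[str, ...] = ()    # packages deleted by this layer


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    introduced_in: str               # digest of the layer that added the vulnerable version
    remediated_in: Optional[str]     # layer that upgraded/removed it, or None if still present


def scan_layers(layers: List[Layer],
                db: Dict[str, List[Tuple[str, str]]] = VULN_DB) -> List[Finding]:
    """Walk the layers in build order, tracking the package state after each one."""
    findings: List[Finding] = []
    still_open: Dict[Tuple[str, str], Finding] = {}   # (package, advisory) -> unresolved finding
    state: Dict[str, str] = {}                         # package -> version currently in the image
    for layer in layers:
        for pkg in layer.removed:
            state.pop(pkg, None)
        state.update(layer.installed)
        # Close findings whose package this layer removed or upgraded past the fix.
        for (pkg, advisory), finding in list(still_open.items()):
            fixed = dict(db[pkg])[advisory]
            current = state.get(pkg)
            if current is None or parse_version(current) >= parse_version(fixed):
                finding.remediated_in = layer.digest
                del still_open[(pkg, advisory)]
        # Open findings for vulnerable versions this layer wrote.
        for pkg, version in layer.installed.items():
            for advisory, fixed in db.get(pkg, []):
                key = (pkg, advisory)
                if key not in still_open and parse_version(version) < parse_version(fixed):
                    finding = Finding(advisory, pkg, version, layer.digest, None)
                    findings.append(finding)
                    still_open[key] = finding
    return findings


def present_in_final_image(findings: List[Finding]) -> List[Finding]:
    """Only findings never remediated by a later layer affect the image you run."""
    return [f for f in findings if f.remediated_in is None]


# CONSTRUCTED sample image, in the order `docker history` would list its layers.
SAMPLE_IMAGE: List[Layer] = [
    Layer("sha256:aaaa", "FROM example-base:buster",
          {"openssl": "1.0.2", "curl": "7.64.0", "bash": "5.0"}),
    Layer("sha256:bbbb", "RUN apt-get install -y libexample",
          {"libexample": "2.3"}),      # suppose this has an undisclosed flaw: not in the DB, not reported
    Layer("sha256:cccc", "RUN apt-get install -y --only-upgrade curl",
          {"curl": "7.72.0"}),         # remediates the curl finding inherited from the base layer
    Layer("sha256:dddd", "COPY app/ /app/",
          {}),                         # a vendored libssl.so under /app is invisible by package name
]

if __name__ == "__main__":
    for f in scan_layers(SAMPLE_IMAGE):
        status = f"REMEDIATED in {f.remediated_in}" if f.remediated_in else "PRESENT in final image"
        print(f"{f.advisory}: {f.package} {f.version} introduced in {f.introduced_in}, {status}")
```

Run stand-alone, the script reports the openssl finding as present in the final image and the curl finding as introduced by the base layer and remediated by the upgrade layer, while the libexample package and the vendored library produce nothing, which is exactly the blind spot the limitations list warns about.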

Mitigating the risk associated with Docker images

As explored above, Docker images are convenient, but they may expose you to the vulnerabilities and unwanted code contained in their layers. Below are some ways to mitigate the risk of the Docker images deployed in your organization.

  • Make sure you trust the source of any image you pull, and prefer official images or publishers you have verified
  • Use caution with images from unknown user namespaces and unknown registries; a legitimate-sounding name on Docker Hub is not evidence of a legitimate publisher
  • Keep in mind that while public images are convenient, many malicious images have originated in public image repositories
  • Check your systems regularly for images you do not recognize and remove any that are not needed
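As an added illustration of the last two points, the script below, written for this article rather than taken from Docker or any existing tool, normalizes image references the way the Docker client does (so that nginx:1.19 is recognized as docker.io/library/nginx:1.19) and checks the registry and namespace of every local image against an allowlist of trusted sources. The list of images and the allowlist entries (examplecorp, registry.example.internal) are constructed for the example; in practice you would feed it the real output of docker image ls --format '{{.Repository}}:{{.Tag}}' and your own trusted namespaces. It also flags dangling <none>:<none> entries, the untagged leftovers of rebuilt images, which deserve a look of their own.

```python
"""Audit local Docker images against an allowlist of trusted registries and namespaces
(added illustration; not part of Docker or any existing scanner)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

DEFAULT_REGISTRY = "docker.io"     # implied when no registry host is given
OFFICIAL_NAMESPACE = "library"     # implied for single-component Hub names such as 'nginx'


@dataclass(frozen=True)
class ImageRef:
    registry: str
    namespace: str
    name: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Normalize a reference the way the Docker client does:
    'nginx:1.19' -> docker.io/library/nginx:1.19, 'user/app' -> docker.io/user/app:latest."""
    rest, _, digest = ref.partition("@")
    # The first path component is a registry host only if it looks like one
    # (contains a dot or a port, or is 'localhost'); otherwise Docker Hub is implied.
    first, sep, remainder = rest.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = DEFAULT_REGISTRY, rest
    # Only the final path component can carry a tag, so split the namespace off first.
    namespace, _, repo = path.rpartition("/")
    name, _, tag = repo.partition(":")
    if not namespace and registry == DEFAULT_REGISTRY:
        namespace = OFFICIAL_NAMESPACE
    if not tag and not digest:
        tag = "latest"
    return ImageRef(registry, namespace, name, tag or None, digest or None)


# CONSTRUCTED allowlist of (registry, namespace); '*' accepts every namespace on that registry.
TRUSTED_SOURCES: Set[Tuple[str, str]] = {
    ("docker.io", "library"),                 # Docker Official Images
    ("docker.io", "examplecorp"),             # constructed: your organization's Hub namespace
    ("registry.example.internal", "*"),       # constructed: your private registry
}


def is_trusted(ref: ImageRef, trusted: Set[Tuple[str, str]] = TRUSTED_SOURCES) -> bool:
    return (ref.registry, ref.namespace) in trusted or (ref.registry, "*") in trusted


def audit(image_lines: Iterable[str],
          trusted: Set[Tuple[str, str]] = TRUSTED_SOURCES) -> List[Tuple[str, str]]:
    """Classify each line of `docker image ls --format '{{.Repository}}:{{.Tag}}'` output
    as trusted, untrusted or dangling (untagged leftovers shown as <none>:<none>)."""
    results: List[Tuple[str, str]] = []
    for line in image_lines:
        line = line.strip()
        if not line:
            continue
        ref = parse_image_ref(line)
        if ref.name == "<none>" or ref.tag == "<none>":
            verdict = "dangling"
        elif is_trusted(ref, trusted):
            verdict = "trusted"
        else:
            verdict = "untrusted"
        results.append((line, verdict))
    return results


def removal_commands(results: List[Tuple[str, str]]) -> List[str]:
    """Commands to review before running; nothing here executes them."""
    return [f"docker image rm {image}" for image, verdict in results if verdict == "untrusted"]


# CONSTRUCTED sample of `docker image ls --format '{{.Repository}}:{{.Tag}}'` output.
SAMPLE_IMAGE_LS = """\
nginx:1.19
python:3.9-slim
examplecorp/payments-api:2.4.1
randomuser/helper:latest
quay.io/prometheus/node-exporter:v1.0.1
registry.example.internal/tools/ci-runner:7
localhost:5000/scratchpad:dev
<none>:<none>
"""

if __name__ == "__main__":
    results = audit(SAMPLE_IMAGE_LS.splitlines())
    for image, verdict in results:
        print(f"{verdict:9s} {image}")
    print("\n".join(removal_commands(results)))
```

The allowlist is deliberately strict: quay.io/prometheus is a legitimate publisher, but because it is not on this list the image is reported for review rather than silently accepted, which is the behaviour you want when the goal is to find images nobody in the organization knowingly pulled. The script prints removal commands instead of running them so that a human confirms each one.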

Conclusion

Docker images are used to containerize applications: all of the components of an application, including the operating-system components it depends on, are wrapped up into one package that can be quickly and easily deployed across an environment. The problem is that vulnerabilities and unwanted code can reside within an image's layers and infect the systems that run it, as the recent Monero cryptojacking images discovered by Unit 42 show.

Vulnerabilities in Docker images can be detected with image-scanning tools, but the best course of action is to take as many preventive steps as possible, because a single decision to pull an untrusted public image can be all it takes to cause an infection. With great relevance to malicious Docker images: "an ounce of prevention is worth a pound of cure."

Sources

Hackers Used Malicious Docker Images to Mine Monero, BankInfoSecurity

How to Find and Fix Docker Container Vulnerabilities in 2020, freeCodeCamp

Docker Image Security Scanning: What It Can and Can't Do, WhiteSource Software Blog

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.