Malicious Docker images: How to detect vulnerabilities and mitigate risk
Introduction
Shortcuts are popular because they are more convenient and take less time. Developers have started using Docker because it allows you to place all elements required to run an application into a single container and it can be redeployed to any host. However, Docker images are created in a way that allows for vulnerabilities putting entire environments at risk.
This article will detail Docker images. We’ll explore what Docker images are and how they can be malicious, how to detect Docker image vulnerabilities and how to mitigate risk.
Learn Vulnerability Management
What are Docker images and how can they be malicious?
Docker images files that execute code within Docker containers used on the platform of the same name. Docker images are attractive because they allow you to wrap up all of the elements required for applications into one little package. They consist of multiple layers, beginning with the OS layer and ending with the application layer, and can be used across different systems using the same OS without any change to the Docker image.
Malicious Docker images contain vulnerabilities in its layers. The problem with Docker images is that open-source Docker images are sometimes used to save time and these can contain vulnerabilities. Infections originating in Docker images can be quite dangerous, as one malicious Docker image can cause a break out across all Docker images hosted on the same (host) OS.
In a recent malicious Docker image case, open-source malicious Docker images were hosted on the Docker Hub repository, a legitimate Docker image resource. These images contained a cryptominer (which uses system resources to mine cryptocurrency from the system user) called XMRig.
Unit 42 researchers identified six different versions of a Docker image that contained XMRig, which was used to mine Monero cryptocurrency. This was accomplished with the use of a script written in Python, dao.py, which was performing the Monero mining. These malicious Docker images were downloaded 2 million times and just one of the multiple crypto-wallets that XMR fed into held the equivalent of $36 million, or 525 Monero crypto coins. In response, the Docker Hub Repository removed the account that created and posted the images.
How to detect vulnerabilities
Now that you know how Docker images can be malicious, you are probably wondering if vulnerabilities can be detected. These vulnerabilities can be detected with a variety of Docker image scanning tools. Docker image scanning tools work by parsing through the Docker image, including all of its packages and dependencies, to see if there are known vulnerabilities contained within. It should be noted that knowledge of a vulnerability is necessary for detection.
Some tools, such as Quay, Docker Hub and Notary, can scan all of the Docker images contained in your registry against Docker images that are part of a vulnerability repository. For instances where a Docker image is not part of a repository (or you are unsure if it is), other tools such as Clair and Anchore can run one-off scans on these potentially malicious Docker images. This would not be a smart choice for large deployments of Docker images in terms of efficiency.
Docker image scanning tools such as Clair, Docker Hub and others analyze Docker images on a layer by layer basis as opposed to on an image basis. This is what you want to look for in a Docker image scanning tool because the vulnerabilities are found within the individual layers in a Docker image.
While it is possible to detect vulnerabilities in Docker images with scanning tools, it has its limitations. Scanning will not help with:
- Current security issues in your Docker container environment
- Security vulnerabilities that are unknown or have not been reported yet
- Shared resources that are insecure
- Vulnerabilities that are not evident based upon package name
Vulnerability scanning for Docker images should be merely one component of your organization’s security profile.
Mitigating the risk associated with Docker images
As explored above, Docker images are convenient, but they may expose you to vulnerabilities contained within the Docker image. Below are some different ways in which you can mitigate the risk associated with using Docker images if you have them deployed in your organization.
- Make sure that you trust the source of the Docker image you are downloading
- If you do not know the source, use caution when downloading Docker images from unknown user namespaces and unknown registries
- Keep in mind that while open-source Docker images can be very convenient, many malicious Docker images originated in open-source Docker image repositories
- Frequently check your systems for unknown Docker images and remove them if you are sure it is not necessary
Learn Vulnerability Management
Conclusion
Docker images are used for containerization of applications, which means that all of the components and elements of an application are wrapped up into one package (including the OS components) and can be quickly and easily deployed widely within an environment. This problem with Docker images is that vulnerabilities can reside within its layers, which can cause infections of systems such as the recent Monero crypto-jacking Docker image case discovered by Unit 42.
Vulnerabilities within Docker images can be detected with Docker image-scanning tools, but the best course of action to take with Docker images is to take as many steps in the direction of mitigation as possible. This is because it may only be the single decision of downloading an open-source Docker image that causes an infection. With great relevance to malicious Docker images: “an ounce of prevention is worth a pound of cure.”
Sources
Hackers Used Malicious Docker Images to Mine Monero, BankInfoSecurity
How to find and fix Docker Container vulnerabilities in 2020, Free Code Camp
Docker Image Security Scanning: What it Can and Can’t do, White Source Software Blog
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
