Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications. The Docker daemon, dockerd, provides an API service used for remote control of the Docker service. By default the daemon listens on unix:///var/run/docker.sock; when it is bound to a public interface instead, attackers can use the API to compromise the container system, because no authentication is enabled by default. This service misconfiguration has been observed in use during cryptomining campaigns. Authentication is not required to exploit this vulnerability.
Exploitation
Stages
- The vulnerable host is running the Docker daemon bound to an external interface with no access controls or authentication.
- The attacker uses Docker API functions to enumerate, manage, and control the container service. The attacker is able to control existing deployed containers or create new ones.
- The Docker API returns JSON responses containing the output of the commands issued.
Prerequisites
The host is running dockerd bound to a public interface with no access control or authentication service (the default).
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit, detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Ensure that the Docker API is not exposed to the public internet.
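As an added example (not part of the original advisory or Alert Logic tooling), the following audit check reads the listen addresses dockerd would use from a daemon.json "hosts" list or from -H/--host flags on the command line and flags any tcp:// listener on a non-loopback interface that lacks tlsverify, which is the prerequisite condition described above. The sample configurations at the bottom are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Interfaces that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Hostnames dockerd treats as "listen on every interface".
WILDCARD = {"0.0.0.0", "::", None}


def parse_hosts(daemon_json, cmdline=""):
    """Collect listen addresses from daemon.json 'hosts' and -H/--host flags.
    (dockerd itself refuses to start if hosts are given in both places;
    the audit reads both so either deployment style is covered.)"""
    hosts = []
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts.extend(cfg.get("hosts", []))
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith("--host=") or tok.startswith("-H="):
            hosts.append(tok.split("=", 1)[1])
    return hosts


def tls_verify_enabled(daemon_json, cmdline=""):
    """True only when client certificates are verified; --tls alone
    encrypts the socket but does not authenticate the caller."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return bool(cfg.get("tlsverify")) or "--tlsverify" in cmdline.split()


def audit(daemon_json, cmdline=""):
    """Return the tcp:// listeners that expose the API without auth."""
    findings = []
    verified = tls_verify_enabled(daemon_json, cmdline)
    for host in parse_hosts(daemon_json, cmdline):
        u = urlsplit(host)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are local-only transports
        if u.hostname in LOOPBACK:
            continue  # reachable only from the host itself
        if verified:
            continue  # mutual TLS: callers must present a trusted cert
        scope = "all interfaces" if u.hostname in WILDCARD else u.hostname
        findings.append((host, "unauthenticated API on %s" % scope))
    return findings


# Constructed sample: the misconfiguration the advisory describes.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
```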