New on LowEndTalk? Please Register and read our Community Rules.
Vulnerable Docker issue
https://thehackernews.com/2024/01/new-docker-malware-steals-cpu-for.html
Interesting information, but is it legit?
Comments
Much wow. Much details.
Why do I have a feeling it will end like last year's NPM typosquatting malware, and in theory it's gonna be the user's fault?
The containers are deployed on the vulnerable Docker host over the Internet by an attacker-controlled server. Cado Security have been unable to obtain a copy of the spreader, however can speculate that the attacker discovered the honeypot via a service like Shodan.
I mean you’re either going to have to get into the box first, or you’re going to need to have a port exposed to a service that allows some control of docker on the system. I don’t see someone with only 22/80/443 open being exposed to this kind of theoretical attack unless they get in 22, or what’s running the app on 80/443 has a high enough permission level and allows a code execution attack (or allows a code execution attack + is vulnerable to privilege escalation).
amount of valuable info: 0
sum: shitpost
This type of exploit is just the Docker API without authentication on a public IP.
A very well-known problem. Even described in the Docker documentation.
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
Somehow I'm too afraid of exposing a Docker container running with --cap-add options (especially NET_ADMIN, NET_BIND_SERVICE, NET_RAW) to the public.
I like Docker
Therefore I use Docker
Exposing the Docker daemon via TCP 2375 can get your server fked.
People can send API calls to launch a container with anything.
The same thing happened to me a few years ago using https://github.com/ehazlett/shipyard
The developer was exposing the Docker API on a public port, unsecured, for no reason, even when not using any remote node. Docker was new back then and I had no idea about this API part, and when I reported it on his GitHub repo he said this is normal 😂
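The two posts above (the Docker API "without authentication on a public IP" and the daemon "via tcp 2375") describe the same daemon.json / `-H` misconfiguration. The script below is an added example, not code from this thread or from Docker: it classifies each `hosts` entry of a parsed daemon.json the way a reviewer would, treating only `tlsverify` (client certificates) as authentication, since `tls` alone encrypts the connection but still lets any client talk to the daemon. The two configs and the `/etc/docker/*.pem` paths are constructed for illustration.

```python
"""Audit a Docker daemon's listening endpoints for the misconfiguration the
thread describes: the Docker API reachable over TCP with no client
authentication. Added example, not code from the original post or from Docker;
the two daemon.json snippets below are constructed for illustration."""
import json
from urllib.parse import urlsplit

PLAIN_PORT = 2375   # dockerd's documented default for plain-HTTP tcp://
TLS_PORT = 2376     # dockerd's documented default when TLS is enabled
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

NOTES = {
    "ok": "local socket, or TCP with mutual TLS (tlsverify)",
    "low": "TCP without auth, but bound to loopback only",
    "high": "TLS without tlsverify: encrypted, yet any client may connect",
    "critical": "plain HTTP API on a non-loopback address: anyone who can reach it can run containers",
    "unknown": "unrecognised scheme, review manually",
}

SEVERITY_ORDER = ["ok", "low", "unknown", "high", "critical"]


def classify_host(host: str, tls: bool, tlsverify: bool) -> str:
    """Severity of one `hosts` / -H entry.

    unix:// and fd:// endpoints are gated by filesystem permissions. tcp://
    endpoints are reachable by anything that can route to the bind address,
    and only `tlsverify` (client certificates) authenticates the caller.
    """
    parts = urlsplit(host)
    if parts.scheme in ("unix", "fd"):
        return "ok"
    if parts.scheme != "tcp":
        return "unknown"
    bind = parts.hostname or ""   # tcp://:2375 (empty host) binds every interface
    if tlsverify:
        return "ok"
    if bind in LOOPBACK:
        return "low"
    if tls:
        return "high"
    return "critical"


def audit_daemon_config(config: dict) -> list:
    """Return [(host, severity, note)] for a parsed daemon.json dict."""
    tlsverify = bool(config.get("tlsverify", False))
    tls = bool(config.get("tls", False)) or tlsverify   # tlsverify implies tls
    # With no `hosts` key dockerd listens on the Unix socket only.
    hosts = config.get("hosts") or ["unix:///var/run/docker.sock"]
    findings = []
    for host in hosts:
        severity = classify_host(host, tls, tlsverify)
        findings.append((host, severity, NOTES[severity]))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity across findings ("ok" when there are none)."""
    return max((f[1] for f in findings), key=SEVERITY_ORDER.index, default="ok")


# Constructed: the exposure the thread is about, the API on every interface.
WEAK_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Constructed: same remote access, but a client must present a certificate
# signed by the CA in tlscacert. The .pem paths are placeholders.
HARDENED_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_daemon_config(cfg)
        print(f"{name}: {worst_severity(findings)}")
        for host, sev, note in findings:
            print(f"  {sev:8} {host}  ({note})")
```

Two caveats when using something like this for real: it only reads the daemon's own configuration, so a port that is reachable through a permissive firewall or cloud security group still has to be checked from outside, and dockerd refuses to start if `hosts` is set both in daemon.json and via `-H` in the systemd unit, so look in both places before deciding which one is authoritative.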
docker run --privileged -p 23 secobau/telnetd
YOLO
You don't want to know how many hosts have the Docker control port open to the public, so you just spin up a container on their server and you're done.