How Safe Are Your Docker Images?

Published: 2021-04-22
Last Updated: 2021-04-22 07:21:43 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Today, I don't know of any organization that is not using Docker. From test and development environments to full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier's tools[1]. Today, we are also facing a new threat: supply chain attacks (think about SolarWinds or, more recently, Codecov[2]). If we combine the attraction of container technologies with this threat, we realize that Docker images are a great way to compromise an organization!

When we deploy Docker images, we have to take care of two things:

  • Vulnerabilities present in the software installed in the image.
  • Potential malicious changes (implementation of a backdoor, extra SSH keys, exfiltration of data, etc.)

Many Docker images have already been detected as malicious[3]; those are more difficult to detect, but how do we address "common" vulnerabilities? When you implement a vulnerability scanning process in your organization (note that I say "process" and not "tool"!), some components are difficult to scan, like virtual machines in suspended mode and... Docker images!

Here is an interesting tool that you can add to your arsenal to quickly scan Docker images for vulnerabilities: grype[4]. Written in Go, the tool is very easy to deploy and use:

root@lab0:/# docker images|grep ssl
drwetter/testssl.sh       latest     699c2c42986f   7 weeks ago     48.5MB
jumanjiman/ssllabs-scan   latest     2a46bf22e388   10 months ago   5.66MB
root@lab0:/# grype docker:drwetter/testssl.sh:latest
 - Vulnerability DB        [no update available]
 - Loaded image
 - Parsed image
 - Cataloged packages      [36 packages]
 - Scanned image           [2 vulnerabilities]
NAME     INSTALLED  FIXED-IN  VULNERABILITY  SEVERITY
openssl  1.1.1j-r0            CVE-2021-3450  High
openssl  1.1.1j-r0            CVE-2021-3449  Medium

grype scans the contents of the Docker image to find known vulnerabilities at the operating system level (Alpine, BusyBox, Ubuntu, ...) but also language-specific issues (Ruby, Java, Python, ...). Personally, I like the JSON output (--output=json) to process the results with other tools or index them.
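As an added example (not from the diary or the grype project), here is a small Python gate that consumes grype's JSON output and fails a build when a finding reaches a chosen severity. It assumes grype's JSON layout as I know it (a top-level "matches" list whose entries carry "vulnerability" and "artifact" objects); check the field names against your grype version.

```python
import json
from collections import Counter

# grype severity labels from lowest to highest; "Unknown" ranks lowest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of `grype --output=json` (only the fields read
# below). The two openssl entries mirror the diary's scan; the third is a
# constructed placeholder showing a finding for which a fix is available.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-3450", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "openssl", "version": "1.1.1j-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2021-3449", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "openssl", "version": "1.1.1j-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Low",
                       "fix": {"versions": ["9.9.9-r1"], "state": "fixed"}},
     "artifact": {"name": "examplepkg", "version": "9.9.9-r0", "type": "apk"}},
]})

def severity_rank(name):
    """Map a grype severity string to a comparable integer (unknown -> 0)."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0

def parse_matches(report_text):
    """Flatten the report into one dict per (package, vulnerability) match."""
    findings = []
    for m in json.loads(report_text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        findings.append({"id": vuln["id"],
                         "severity": vuln.get("severity", "Unknown"),
                         "package": art["name"], "version": art["version"],
                         "fixed_in": vuln.get("fix", {}).get("versions", [])})
    return findings

def gate(report_text, fail_on="High"):
    """Return (passed, summary); passed is False if any match is >= fail_on."""
    findings = parse_matches(report_text)
    threshold = severity_rank(fail_on)
    blocking = [f for f in findings if severity_rank(f["severity"]) >= threshold]
    fixable = [f for f in findings if f["fixed_in"]]
    counts = dict(Counter(f["severity"] for f in findings))
    return not blocking, {"counts": counts, "blocking": blocking, "fixable": fixable}

if __name__ == "__main__":
    ok, summary = gate(SAMPLE_GRYPE_JSON)
    for f in summary["blocking"]:
        print(f"BLOCK {f['package']} {f['version']} {f['id']} ({f['severity']})")
    raise SystemExit(0 if ok else 1)
```

To run it on a real scan, replace SAMPLE_GRYPE_JSON in the main block with sys.stdin.read() and pipe `grype docker:IMAGE --output=json` into the script; the non-zero exit code is what a CI job keys on.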

My advice is to scan all your new Docker images, especially the ones that you downloaded from third-party websites.

And you? How do you scan/audit your Docker images? Please share your tools/processes in the comments.

[1] https://isc.sans.edu/forums/diary/DSSuite+A+Docker+Container+with+Didiers+Tools/24926/
[2] https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
[3] https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
[4] https://github.com/anchore/grype

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant