Is my Docker container vulnerable to a Docker socket escape?

The purpose of this chain is to test if your Docker container is vulnerable to a Docker socket escape.
This week, we are releasing a Docker container escape TTP:
  • Is my Docker container vulnerable to a Docker socket escape?

Is my Docker container vulnerable to a Docker socket escape?

For this week's TTP Tuesday, we're providing a Docker container escape. This TTP demonstrates how to escape from a Docker container that has the Docker socket mounted within it. While there are practical reasons for mounting the Docker socket within a container, doing so exposes the host to this container escape technique. If a container is vulnerable, an attacker may be able to read and execute files on the host system.

The issue affects many public repositories that utilize Docker containers - a simple search for the Docker socket mount string “-v /var/run/docker.sock” on GitHub shows more than 62,000 code results at the time of this writing. Note that this is not a vulnerability in Docker code, but rather a security misconfiguration of Docker container.

If you haven't recently audited your containers, there's a chance this misconfiguration may affect you!

Testing

Execute Operator's Is my Docker container vulnerable to a Docker socket escape? TTP on each Docker container in your environment to test if you are vulnerable.

The chain checks if the agent is running within a Docker container. Next, it checks if the docker.sock file exists in the filesystem. Finally, it will attempt to run a command on the host system to demonstrate the container escape.

Remediation

The recommended remediation is to unmount docker.sock from the container.

Check out the TTP Escape Docker container using Docker socket on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Octavia: https://twitter.com/VVX7

Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Are we in a Docker environement?
Enumerate docker socket from within a container
Escape Docker container using Docker socket

Tags

docker