Hi 👋, in this post, we’ll explore common Docker misconfigurations attackers exploit to compromise systems, such as exposed APIs and privileged containers, with detection strategies for threat hunters.
Exposed Docker APIs
Docker's Engine API is a REST interface that is normally reachable only through the local Unix socket. Binding it to a TCP port on a public interface without TLS client authentication gives anyone who can reach the port the same rights as the dockerd process, which runs as root on the host. That is more than control of the existing containers: the attacker can create a new container with the host's root filesystem bind-mounted into it and is then root on the host.
Exploitation
Attackers use tools like Shodan to find daemons listening on TCP 2375 (plaintext HTTP) or 2376 (TLS, but only protected when the daemon was started with --tlsverify and a dedicated client CA), then drive the API remotely, creating and starting containers with the same calls the docker CLI makes.
Detection
- Use Nmap to find daemons listening on the Docker API ports, for example nmap -p 2375,2376 against your own ranges, then confirm exposure with an unauthenticated request such as GET /version: a daemon that answers without a client certificate is fully exposed.
- dockerd does not log client addresses by default, so watch firewall or flow logs for any connection to 2375/2376 from an address that is not a known management host, and audit the daemon's hosts setting (the hosts key in daemon.json or the -H flag in the systemd unit) for tcp:// listeners started without tlsverify.
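The two checks above, as an added example that is not part of the original post: a static audit of the daemon's own listener configuration (daemon.json and the ExecStart line of the systemd unit), and a live probe that sends an unauthenticated GET /version to a host and port. The sample daemon.json and ExecStart strings are constructed for this example; everything else uses only the Docker Engine API and standard-library calls.

```python
"""Added example: is this Docker daemon exposed over TCP without client auth?"""
import http.client
import json
import shlex

# Constructed samples of the two places the listener list can come from.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXECSTART = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
                    "--tlsverify --tlscacert=/etc/docker/ca.pem")


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) from daemon.json; both empty/False if unset."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_execstart(line):
    """Return (hosts, tlsverify) parsed from a dockerd command line."""
    argv = shlex.split(line)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_listeners(hosts, tlsverify):
    """Classify each tcp:// listener. Note that --tls alone only encrypts;
    without --tlsverify the daemon still accepts any client."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// are reachable only from the host itself
        addr = h[len("tcp://"):]
        host = addr.rsplit(":", 1)[0] if ":" in addr else addr
        loopback = host.startswith("127.") or host in ("localhost", "::1", "[::1]")
        if loopback:
            findings.append(("INFO", h, "loopback-only TCP listener"))
        elif not tlsverify:
            findings.append(("CRITICAL", h, "unauthenticated TCP listener"))
        else:
            findings.append(("WARN", h, "TLS listener; check the client CA is dedicated"))
    return findings


def probe(host, port=2375, timeout=3.0):
    """Live check: does GET /version answer with no credentials at all?
    Returns the daemon's version string, or None if nothing answered."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read()).get("Version")
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    sources = {
        "daemon.json": listeners_from_daemon_json(SAMPLE_DAEMON_JSON),
        "ExecStart": listeners_from_execstart(SAMPLE_EXECSTART),
    }
    for src, (hosts, tls) in sources.items():
        for severity, listener, why in audit_listeners(hosts, tls):
            print(f"{src}: {severity} {listener}: {why}")
```

A daemon that answers probe() with a version string has confirmed the finding; treat it as a host compromise in progress rather than a container-level issue, because the first thing an attacker does with it is create a container that bind-mounts /.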
Privileged Containers
Running a container with --privileged switches off most of Docker's isolation: the container gets every capability, the default seccomp and AppArmor profiles are dropped, and all host devices are visible under /dev. Root inside such a container is effectively root on the host.
Exploitation
An attacker who lands inside a privileged container sees the host's block devices under /dev and can mount the host's root filesystem read-write inside the container, then read or modify anything on it, including SSH keys, cron entries and the Docker socket.
Detection
Identify privileged containers by checking HostConfig.Privileged for every running container, for example docker inspect --format '{{.Name}} {{.HostConfig.Privileged}}' $(docker ps -q). Any true value needs a documented reason; the usual legitimate cases (agents that manage the host) should be replaced by specific --cap-add and --device flags wherever possible.
Insecure Volume Mounts
Bind-mounting sensitive host directories into a container (such as /etc, /root, or the Docker socket /var/run/docker.sock) hands the container's processes direct read or write access to critical host data, however unprivileged the container is otherwise.
Exploitation
Anyone allowed to run docker run with an arbitrary -v flag can bind-mount the host's root filesystem into a container (for example -v /:/host) and then read or modify any host file from inside it. For this reason membership of the docker group is equivalent to root on the host, and a mounted Docker socket lets a container start such a container itself.
Detection
Check every container's bind mounts in docker inspect output (both HostConfig.Binds and the Mounts list) and flag sources such as /, /etc, /root, /proc, /sys and the Docker socket. A bind mount of / marked read-only still exposes secrets, so treat it as a finding too.
Cgroups and Namespace Escapes
Docker's isolation rests on namespaces, cgroups, seccomp and a trimmed capability set. Adding capabilities back with --cap-add, above all CAP_SYS_ADMIN (which among many other things permits mount(2)), reopens escape paths that the default profile closes.
Exploitation
A container started with --cap-add=SYS_ADMIN can mount cgroup filesystems and abuse the cgroup v1 release_agent mechanism (notify_on_release) to have the host kernel run an attacker-chosen binary outside the container. The classic variant needs cgroup v1 and no AppArmor or SELinux profile blocking the mount; on cgroup v2 hosts SYS_ADMIN still opens other routes, so treat it as equivalent to privileged mode.
Detection
Inspect running containers for added capabilities, for example docker inspect --format '{{.Name}} {{.HostConfig.CapAdd}}' $(docker ps -q). Anything beyond the default set, especially SYS_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH or NET_ADMIN, needs a documented justification. From inside a container, the CapEff line of /proc/self/status shows the effective set as a hex bitmask.
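Reading that CapEff bitmask by hand is error-prone, so here is an added example (not from the original post) that decodes the Cap* lines of /proc/<pid>/status. It serves both sides: an attacker doing recon inside a container can see whether SYS_ADMIN is present without capsh or libcap installed, and a defender can run it over /proc/<pid>/status for every container PID on the host. The two status excerpts are constructed for this example; the capability numbering is the kernel's.

```python
"""Added example: decode capability bitmasks from /proc/<pid>/status."""
import sys

# Linux capability numbers (include/uapi/linux/capability.h); list index = bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Caps that, alone or combined, turn a container into a host foothold.
ESCAPE_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "dac_read_search",
               "sys_rawio", "net_admin", "bpf", "perfmon"}

# Docker's default effective set: 14 caps, none of them in ESCAPE_CAPS.
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB


def decode_caps(mask):
    """Map a capability bitmask to the capability names it contains."""
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits beyond the table mean a kernel newer than this list; report them raw.
    names += [f"cap_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length())
              if mask >> bit & 1]
    return names


def escape_caps(mask):
    """Escape-relevant capabilities present in the mask, sorted."""
    return sorted(set(decode_caps(mask)) & ESCAPE_CAPS)


def parse_status(text):
    """Pull the Cap* lines out of a /proc/<pid>/status dump as integers."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def assess(status_text):
    """Summarise what the effective and bounding sets allow."""
    caps = parse_status(status_text)
    eff = caps.get("CapEff", 0)
    return {
        "effective": decode_caps(eff),
        "escape_caps": escape_caps(eff),
        "is_docker_default": eff == DOCKER_DEFAULT_CAPEFF,
        # A bounding set wider than the effective set means a setuid or
        # file-capability binary inside the container could regain caps.
        "bounding_exceeds_effective": caps.get("CapBnd", 0) & ~eff != 0,
    }


# Constructed excerpts: a default container, and one run with --cap-add=SYS_ADMIN
# (bit 21 added to the default mask, 0xa80425fb -> 0xa82425fb).
SAMPLE_DEFAULT = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
SAMPLE_SYS_ADMIN = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a82425fb\n"
    "CapEff:\t00000000a82425fb\nCapBnd:\t00000000a82425fb\nCapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    # Pass a saved status file, or read the current process's own (Linux only).
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        print(assess(fh.read()))
```

A --privileged container shows CapEff 000001ffffffffff on current kernels (every bit in the table set); anything with a non-empty escape_caps list deserves the same scrutiny as a privileged one.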
Resource Exhaustion: Denial of Service
By default a container may use all of the host's CPU, memory and process IDs. A runaway or malicious container without limits can therefore starve every other container and the host itself, a self-inflicted Denial of Service (DoS).
Exploitation
A container with no limits can pin every CPU core with a busy loop per core, allocate memory until the kernel's OOM killer starts killing host processes, or exhaust the process table with a fork bomb; none of these needs any privilege beyond the ability to run a process inside the container.
Detection
Monitor live usage with docker stats, and check that limits are actually set rather than waiting for the symptoms: docker inspect --format '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' $(docker ps -q) prints zero for any unlimited resource, and HostConfig.PidsLimit in the full inspect output shows whether a PID cap exists. Start containers with --memory, --cpus and --pids-limit.
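The detection steps of the Privileged Containers, Insecure Volume Mounts, Cgroups and Namespace Escapes, and Resource Exhaustion sections all read the same docker inspect JSON, so here they are combined into one added example (not from the original post) that audits every container in one pass. Run it as docker inspect $(docker ps -q) | python3 audit_containers.py; the script name is my own assumption, and the two sample records are constructed to look like inspect output.

```python
"""Added example: one audit pass over `docker inspect` JSON for the four
container-level misconfigurations discussed above."""
import json
import sys

SENSITIVE_PATHS = ("/etc", "/root", "/home", "/boot", "/proc", "/sys", "/dev",
                   "/var/lib/docker", "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "SYS_RAWIO", "NET_ADMIN", "BPF", "PERFMON"}


def norm_cap(cap):
    """CapAdd entries appear as SYS_ADMIN, CAP_SYS_ADMIN or sys_admin."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def covers_sensitive(src):
    """True if a bind-mount source is the host root or is under a sensitive path."""
    src = "/" + src.strip("/")          # "/etc/" -> "/etc", "/" stays "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_PATHS)


def bind_sources(container):
    """Host paths bind-mounted into the container, from both places inspect
    lists them. Named volumes (Type 'volume') live under /var/lib/docker/volumes
    and are not host bind mounts, so they are skipped."""
    hc = container.get("HostConfig") or {}
    sources = []
    for bind in hc.get("Binds") or []:        # "src:dst[:opts]"; src may be a volume name
        src = bind.split(":")[0]
        if src.startswith("/") and src not in sources:
            sources.append(src)
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") not in sources:
            sources.append(mount["Source"])
    return sources


def audit(container):
    """Return (name, findings) for one inspect record; empty findings means clean."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all caps and host devices, no seccomp/AppArmor")
    bad = sorted({norm_cap(c) for c in (hc.get("CapAdd") or [])} & DANGEROUS_CAPS)
    if bad:
        findings.append("dangerous CapAdd: " + ",".join(bad))
    for src in bind_sources(container):
        if covers_sensitive(src):
            findings.append("sensitive host path mounted: " + src)
    if not hc.get("Memory"):                                   # 0 = unlimited
        findings.append("no memory limit")
    if not (hc.get("NanoCpus") or (hc.get("CpuQuota") or 0) > 0):
        findings.append("no CPU limit")
    if not ((hc.get("PidsLimit") or 0) > 0):                   # null/0/-1 = unlimited
        findings.append("no pids limit (fork bomb possible)")
    return container.get("Name", "?").lstrip("/"), findings


def audit_all(containers):
    return {name: findings for name, findings in map(audit, containers)}


# Constructed records: a well-configured web container and a typical "agent"
# that was started with every flag this post warns about.
SAMPLE_INSPECT = [
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": ["webdata:/var/www"],
                    "Memory": 536870912, "NanoCpus": 1000000000, "CpuQuota": 0,
                    "PidsLimit": 256},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/var/www"}]},
    {"Name": "/agent",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/:/host:ro", "/var/run/docker.sock:/var/run/docker.sock"],
                    "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
                {"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
]

if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit_all(data).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  - " + finding)
```

The same checks belong at admission time as well as in a periodic hunt: anything this script flags on a running container could have been rejected when the container was created.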