Docker Opens Door to Crypto Hackers for Monero Currency

essidsolutions

The ability of cryptocurrency hackers to exploit a security glitch displays in vivid relief a major vulnerability that haunts container technology.

Docker, an open-source project that automates the deployment of code inside software containers, has been found to have a vulnerability in its system, now known as CVE-2019-5736. Its virtualization technology has enabled companies to use application programming interfaces, known as APIs, to develop, deploy and run their applications inside containers.

But if companies do not set up their configurations adequately or properly to use Docker, attackers have a ready route to gain access to administration rights on the company’s service and install their own software.

“The Docker remote API is a great way to control your remote Docker host, including automating the deployment process and controlling the state of your containers,” says Vitaly Simonovich of Imperva, the cyber security software company. “With this great power comes a great risk: If the control gets into the wrong hands, your entire network can be in danger.”

And that appears to be exactly what has happened for about 400 of the 3,800 Docker hosts found to be potentially at risk, according to Imperva’s warning. It is a vulnerability that anonymous cryptocurrency hackers are using to their own advantage. Most of the 400 hosts were already running mining software for Monero, an open-source cryptocurrency.

“The flaw in runC (a lightweight portable container runtime) and Docker that this vulnerability exposes allows an attacker to escape a container and access the underlying file system,” explains Sandra Henry-Stocker on the Network World website.

Monero is considered a desirable target precisely because it contains an obscured ledger, meaning that its transactions are difficult to trace for either a source or destination. This design provides hackers with an opportunity to use Monero funds without getting detected.

“In the six-year history of the company, Docker containers are downloaded 85 trillion times, showing the potential extent of the crypto mining threat,” says CryptoNewsZ. “The concern is that hundreds of Docker hosts have been potentially compromised.” If the runC flaw is exploited, the website says, it’s a sign that administrators have not corrected the problem.

Hacking cryptocurrencies is not the only way that attackers can take advantage of the Docker vulnerability. The access opens up the potential for stealing data, masked IP attacks, phishing campaigns or implementing a botnet on the system. But there has not been evidence that any such attacks have taken place yet.

Fortunately, there is a protection method: the vulnerability in the Docker system cannot be accessed if users enable the appropriate security mechanism in Linux, known as SELinux. The most recent versions of Docker, v18.09.2 or later, also fix the flaw. Yet the exposure illustrates that any container is only as safe as the Linux system behind it.
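As an added defender's check (not code from the article, from Imperva or from the Docker project), the following POSIX shell script audits a Linux Docker host for the three conditions the article raises: whether the installed Docker is at or above 18.09.2, whether SELinux is enforcing, and whether the daemon's remote API is bound to a plain-TCP listener without TLS. Reading the listener from the dockerd command line and the tool names (docker, getenforce, ps) are assumptions about a typical host.

```shell
#!/bin/sh
# Added host-side audit, not from the article: checks what the article ties
# to this incident (Docker 18.09.2+ for CVE-2019-5736, SELinux enforcing,
# and a remote API listening on plain TCP). "dockerd" process name assumed.
FIXED_DOCKER="18.09.2"   # first fixed release named in the article

# version_ge A B: succeed when dotted version A >= B (numeric per field)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# runc_escape_status VERSION -> "patched" or "vulnerable"
runc_escape_status() {
    if version_ge "$1" "$FIXED_DOCKER"; then echo patched; else echo vulnerable; fi
}

# selinux_status MODE -> "ok" only when SELinux is actually enforcing
selinux_status() {
    case "$1" in Enforcing|enforcing) echo ok ;; *) echo weak ;; esac
}

# api_exposure ARGS TLS: ARGS is the dockerd command line; a tcp:// listener
# without --tlsverify is the unauthenticated remote API the article describes
api_exposure() {
    case "$1" in
        *tcp://*) if [ "$2" = true ]; then echo tls; else echo exposed; fi ;;
        *) echo local ;;
    esac
}

# audit_host: read the live values (a "hosts" key in daemon.json is not
# parsed here, so also review that file by hand)
audit_host() {
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo 0)
    mode=$(getenforce 2>/dev/null || echo Disabled)
    args=$(ps -eo args= 2>/dev/null | grep 'dockerd' | grep -v grep | head -n1)
    tls=false; case "$args" in *--tlsverify*) tls=true ;; esac
    echo "docker $ver: $(runc_escape_status "$ver")"
    echo "selinux $mode: $(selinux_status "$mode")"
    echo "remote api: $(api_exposure "$args" "$tls")"
}
if command -v docker >/dev/null 2>&1; then audit_host; fi
```

Any line reporting "vulnerable", "weak" or "exposed" is a host to update, enforce SELinux on, or take off plain TCP.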

“This vulnerability (CVE-2019-5736) demonstrates that container security is Linux security,” says Scott McCarty, principal product manager for Containers at Red Hat. “The same steps that must be taken to better secure a Linux system need to be taken with container hosts and images, preferably by constructing layers of defense.”

Other programs have had problems with Monero code being surreptitiously installed for under-the-radar cryptocurrency mining, an indication that this kind of crypto-jacking may be on the rise. Microsoft recently removed eight Windows 10 applications from its app store after a security firm demonstrated that the Monero mining code was present.

“They reportedly work by triggering Google Tag Manager in their domain servers to fetch a coin-mining JavaScript library,” says Marie Huillet of Cointelegraph. “Once the mining script is activated, the target’s computer CPU cycle is hijacked to mine XMR for the app developers.”