Introduction
Play-with-Docker (PWD), Docker’s playground website, allows beginners to run Docker commands in a matter of seconds. Built on a number of hosts, each running multiple students’ containers, it’s a great place to learn Docker. PWD provides the experience of having a free Alpine Linux virtual machine in a web browser, where students can build and run Docker containers and experience Docker firsthand without having to first install and configure it.
This unique offering was warmly welcomed by DevOps practitioners with more than 100,000 total monthly site visits, where Docker tutorials, workshops and training are also available. The initiative was an effort originated by Marcos Nils and Jonathan Leibiusky, aided by the Docker community and sponsored by Docker.
CyberArk Labs set out to try and escape the mock container in an effort to run code on the Docker host.
The impact of a container escape is similar to that of an escape from a virtual machine, as both give access to the underlying server. Running code on the PWD server would give an attacker unrestricted root access to the PWD infrastructure on one hand, and to all the students’ containers on the other. Escaping a container may be regarded as the first step in an attack against an enterprise infrastructure, since many enterprises run public-facing containers nowadays, and such an escape may lead attackers into the enterprise network.
CyberArk’s findings were reported to Docker and the PWD maintainers, who subsequently fixed PWD.
Conclusion
Gaining host access from a Linux container should be a very difficult task, if not impossible. In this PWD example, that’s not the case.
The reason is quite simple: PWD uses a privileged container and, prior to the fix, failed to secure it properly.
This makes an escape from the PWD container to the host difficult – but not impossible as we’ve shown in this post. Injecting Linux kernel modules is only one of the paths open to a persistent attacker. Other attack paths do exist and must be securely dealt with when using privileged containers.
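As an added example (not part of CyberArk’s post or of PWD’s own code), the following Python audit flags the configuration properties the conclusion points at: privileged mode, added kernel-level capabilities, disabled seccomp/AppArmor confinement and risky bind mounts in a `docker inspect` HostConfig, plus a decoder for the CapEff mask from /proc/<pid>/status that tells whether a process could load kernel modules. The HostConfig and capability masks are constructed sample values, not PWD’s real configuration.

```python
import json

# Capability bit numbers from the Linux kernel headers (include/uapi/linux/capability.h).
CAP_SYS_MODULE = 16   # required to load kernel modules, the escape path named in the post
CAP_SYS_ADMIN = 21

# Constructed HostConfig in `docker inspect` format for a hypothetical playground
# container. Sample data only; this is not PWD's configuration.
SAMPLE_HOSTCONFIG = json.dumps({
    "Privileged": True,
    "CapAdd": None,
    "SecurityOpt": ["seccomp=unconfined"],
    "Binds": ["/lib/modules:/lib/modules:ro"],
})


def audit_hostconfig(hostconfig_json):
    """Return findings that indicate a container could reach the host kernel or host resources."""
    cfg = json.loads(hostconfig_json)
    findings = []
    if cfg.get("Privileged"):
        findings.append("privileged: all capabilities, all host devices, no seccomp profile")
    for cap in cfg.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in ("ALL", "SYS_MODULE", "SYS_ADMIN"):
            findings.append(f"cap_add {cap}: kernel-level capability granted")
    for opt in cfg.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{opt}: syscall/LSM confinement disabled")
    for bind in cfg.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/", "/dev", "/lib/modules", "/var/run/docker.sock"):
            findings.append(f"bind mount of {src}: host resource exposed to the container")
    return findings


def caps_from_capeff(capeff_hex):
    """Decode the CapEff field of /proc/<pid>/status into a set of capability numbers."""
    mask = int(capeff_hex, 16)
    return {bit for bit in range(64) if (mask >> bit) & 1}


def can_load_modules(capeff_hex):
    """True if a process with this effective capability mask may insert kernel modules."""
    return CAP_SYS_MODULE in caps_from_capeff(capeff_hex)


if __name__ == "__main__":
    for finding in audit_hostconfig(SAMPLE_HOSTCONFIG):
        print("FINDING:", finding)
    # Constructed masks: Docker's default unprivileged capability set vs. an all-capabilities set.
    print(can_load_modules("00000000a80425fb"), can_load_modules("0000003fffffffff"))
```

Run it against `docker inspect --format '{{json .HostConfig}}' <container>` output, or feed it the CapEff line of a process inside the container, to get the same checks on a live system.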
Stay tuned for additional research on defining and securing privileged containers.
CyberArk Labs followed the rules of responsible disclosure and alerted Play-with-Docker to the vulnerability, which it has since fixed.
Disclosure Timeline
November 6, 2018: Container escape reported to PWD maintainers
November 7, 2018: PWD maintainers responded that a fix would be implemented shortly
January 7, 2019: CyberArk confirmed that the vulnerability was fixed