local network container access vulnerability

[phemmer]

I have have sent several emails about this issue to security@docker.com without receiving a reply (the earliest being 3 months ago), so I'm opening the issue here.

There is a vulnerability that allows anyone on the same network as a docker host to access containers running on that host, regardless of exposed ports.

When docker starts, it enables net.ipv4.ip_forward without changing the iptables FORWARD chain default policy to DROP. This means that another machine on the same network as the docker host can add a route to their routing table, and directly address any containers running on that docker host.

For example, if the docker0 subnet is 172.17.0.0/16 (the default subnet), and the docker host's IP address is 192.168.0.10, from another host on the network run:

ip route add 172.17.0.0/16 via 192.168.0.10
nmap 172.17.0.0/16

The above will scan for containers running on the host, and report IP addresses & running services found.

To fix this, docker needs to set the FORWARD policy to DROP when it enables the net.ipv4.ip_forward sysctl parameter.

This issue is verified still present in docker 1.7.0

See also #11508.

[ewindisch]

I wouldn't classify this as a vulnerability. For some users, it's a feature. Personally, I assign each Docker host a CIDR and use OSPF to create routes to containers directly. I admit, however, this is not necessarily obvious to users and the concerns with ip_forwarding extend beyond access to containers, and in fact, I believe access to containers is the least worrisome issue with ip_forwarding. I would not be keen to have a solution which always configures these iptables rules by default.

For some history, I had already written up some thoughts 2 years ago on this, although the software has changed quite a bit since then:
#2396 (comment)

In part, at that time, I felt that we should configure iptables for users, by at the very least communicate the risk. A big problem we had was that (then) Docker was dependent on LXC, which was already enabling ip_forwarding without installing iptables rules. As a result, I think it was expected that anyone using LXC (and thus Docker) would need to be aware of this and configure their iptables as a best-practice. The problem was more or less punted as a result. Ultimately, however, many developers, not sysadmins are using Docker and it's important that we enforce best-practices, rather than simply encourage them. This is especially true now that Docker is no longer dependent on LXC and finally has network plugins on the horizon.

Finally, I agree we need to have a network configuration option which is more secure out of the box for how most users use Docker out of the box. This should include a means of securing ip_forwarding, and configuring ip_forwarding according to the practice of least-privilege (i.e. only configure the minimum interfaces necessary).

[phemmer]

The reason why I would classify this as a vulnerability is because I might be running a container on my host which should not be exposed. Maybe it's being used for development of a new product or contains some secret information. If I take my laptop to an untrusted network, these containers can be accessed. This is not obvious as the whole point of exposing ports is to make containers accessible outside the host. I do not think one would expect their container to be publicly accessible without exposing the ports for it.

[ewindisch]

@phemmer It's certainly worthy as a bug. In your example you're describing an insecure host configuration, but that doesn't necessarily mean there is a vulnerability in Docker. In many environments this behavior is not insecure and is preferable. I agree we should do more to make sure users don't configure their host insecurely, or use Docker insecurely. An option to configure a filter as you describe may be reasonable.

[cpuguy83]

Maybe if forwarding was off and docker is enabling it we should make the iptables changes to drop.
Also I'd rather just error out on the daemon if forwarding is disabled... but that's an entirely other issue.

[RRAlex]

To me, this is a serious vulnerability as this broken default contradicts the documentation, UX and security model as it is explained...
It will also make you vulnerable in any networking environment where you don't control all of your neighbours...
Also, the --icc=false --iptables=true options lose their meaning as I'm sure everyone thinks that these options isolate them from the outside, except for the exposed ports, which will indeed be the result if you port scan your machine, but it's not very hard to guess that an IP on 172.1[6-8].0.2 is going to exist most of the time and add a route to test it...
This is, again, a very dangerous default and a misleading one!

Above all, this also breaks any suggestion that an n-tier network can help you secure your docker installation. I'm surprised so many people spotted this (#11508, #3416, ...) as it's a non-intuitive thing to try, but nonetheless important...

So, maybe Docker should set FORWARD to DROP by default and only then allow routing on a per exposed service basis?
Or, if we can't change the default anymore, add some --secure-network option?

Otherwise I think it just makes it harder / more obscure for everyone to secure their installation.
What do you think? :)

[RRAlex]

Wouldn't something like the following work for most IPv4 context?

I'm basically saying, if you're coming through the external default route interface for the an IP other than that interface IP, you're out.
That following script only works in single interface, single IP(v4) situation, but could be made to work with a list of allowed IP / interfaces and than dropping the rest, or even only for the active docker bridges.
But this example is quicker to demonstrate the concept:

#!/bin/bash
EXT_IF=$( ip r s 0.0.0.0/0 | cut -f5 -d" " )
EXT_IPV4=$( ip a s dev ${EXT_IF} | grep "inet " | awk '{print $2}' | sed 's/\/.*//' )

iptables -t mangle -I PREROUTING 1 -i $EXT_IF ! -d $EXT_IPV4 -j DROP

What do you think? Anyone sees an issue with this?
It could simply be added as a flag or as a default sane behaviour.

[sanmai-NL]

When will this issue be addressed, @thaJeztah?

[phemmer]

Oh, bit of a delayed response, but something that just didn't click in my brain until now:

@ewindisch wrote:
@phemmer It's certainly worthy as a bug. In your example you're describing an insecure host configuration, but that doesn't necessarily mean there is a vulnerability in Docker.

This is incorrect. The default configuration of the system is secure. Docker is the one altering the kernel state (changing the sysctl flag) and causing the system to become insecure, not the user.

---

@RRAlex wrote:
So, maybe Docker should set FORWARD to DROP by default and only then allow routing on a per exposed service basis?

Yes, this is what I'm proposing here. The system default is net.ipv4.ip_forward=0. This is effectively the same thing as a iptables FORWARD policy of DROP, thus by setting the policy to DROP when setting ip_forward=1 you're preserving the effective behavior of the system. Now if ip_forward were already set to 1, then docker probably shouldn't touch the FORWARD policy, as the user has obviously changed it, and might have reasons for having done so that would be broken by setting FORWARD to DROP.

[WillemElbers]

@phemmer:
We tried to reproduce the issue on digital ocean (private network enabled) without success.

We installed two VMs, based on CentOs 7 with firewalld disabled; VM1 with docker-engine installed (tried version 1.7.0 and 1.11.2), and added a route from VM2 to VM1 as described in your report.

We suspect that additional filtering is done by digital ocean, blocking the traffic both in the public and private network.

Any suggestions on how we can reproduce this issue?

Background info:

With docker 1.7.0 we have the following iptables output on VM1:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:irdmi

Ip forwarding is enabled on VM1:

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1