Skip to content

Latest commit

 

History

History
73 lines (65 loc) · 7.38 KB

attack-tree.md

File metadata and controls

73 lines (65 loc) · 7.38 KB

Attack Tree Analysis for docker/compose

Objective: To gain unauthorized access to the host system or sensitive data by exploiting vulnerabilities or misconfigurations within the Docker Compose setup of the application.

Attack Tree Visualization

Attack Goal: Compromise Application via Docker Compose Exploitation ├── OR ── Exploit docker-compose.yml Vulnerabilities [HIGH RISK PATH] │ ├── OR ── Insecure Storage/Access of docker-compose.yml [HIGH RISK PATH] │ │ ├── AND ── Publicly Accessible Repository (e.g., GitHub, GitLab) [CRITICAL NODE] │ ├── OR ── Misconfigurations in docker-compose.yml [HIGH RISK PATH] │ │ ├── AND ── Insecure Volume Mounts [HIGH RISK PATH] [CRITICAL NODE] │ │ │ ├── OR ── Host Path Mounts with Write Access [CRITICAL NODE] │ │ │ ├── OR ── Mounting Sensitive Host Paths [CRITICAL NODE] │ │ ├── AND ── Privileged Containers [HIGH RISK PATH] [CRITICAL NODE] ├── OR ── Exploit Compose's Interaction with Docker Daemon [HIGH RISK PATH] │ ├── OR ── Docker Socket Exposure (Indirectly via Compose Configuration) [HIGH RISK PATH] [CRITICAL NODE] │ │ ├── AND ── Mounting /var/run/docker.sock into Containers via docker-compose.yml [CRITICAL NODE]

Attack Tree Path: Exploit docker-compose.yml Vulnerabilities [HIGH RISK PATH]

Description: This path focuses on exploiting vulnerabilities directly related to the docker-compose.yml file itself, either through insecure storage/access or misconfigurations within the file.

  • Attack Vectors within this path:
    • Insecure Storage/Access of docker-compose.yml [HIGH RISK PATH]:
      • Attack Vector: Attackers gain access to the docker-compose.yml file due to insecure storage or access controls. This could be through publicly accessible repositories, weak file permissions on the host, or insecure configuration management systems.
      • Impact: Exposure of sensitive information like secrets, credentials, and application configuration. This can lead to direct compromise of the application and potentially the host system.
      • Mitigation:
        • Never commit secrets directly to docker-compose.yml or version control. Use environment variables, Docker Secrets, or dedicated secret management tools.
        • Implement robust access control for repositories. Ensure repositories containing docker-compose.yml are private and access is restricted to authorized personnel.
        • Restrict file permissions on docker-compose.yml on the host system. Use chmod 600 docker-compose.yml for user-only access.
        • Secure configuration management systems. Encrypt sensitive data in transit and at rest, use secure channels (HTTPS, SSH).
    • Misconfigurations in docker-compose.yml [HIGH RISK PATH]:
      • Attack Vector: Attackers exploit misconfigurations within the docker-compose.yml file that introduce security vulnerabilities. This includes insecure volume mounts and the use of privileged containers.
      • Impact: Container escape, host system compromise, data breaches, and denial of service.
      • Mitigation:
        • Insecure Volume Mounts [HIGH RISK PATH] [CRITICAL NODE]:
          • Host Path Mounts with Write Access [CRITICAL NODE]:
            • Attack Vector: Mounting host directories with write access into containers allows attackers within the container to modify files on the host system, potentially leading to container escape or host compromise.
            • Impact: Container escape, host system compromise, data modification.
            • Mitigation:
              • Avoid host path mounts with write access whenever possible.
              • Use named volumes instead of host path mounts.
              • If host path mounts are necessary, use read-only mounts (ro).
              • Restrict the paths mounted from the host to the minimum required.
          • Mounting Sensitive Host Paths [CRITICAL NODE]:
            • Attack Vector: Mounting sensitive host directories like /, /etc, or /var/run/docker.sock into containers grants excessive privileges to containers, potentially leading to full host control.
            • Impact: Catastrophic host system compromise.
            • Mitigation:
              • Never mount sensitive host paths into containers unless absolutely necessary and with extreme caution.
              • Implement strict container security profiles (AppArmor, SELinux) to limit container capabilities even if sensitive paths are mounted (though this is not a replacement for avoiding sensitive mounts).
        • Privileged Containers [HIGH RISK PATH] [CRITICAL NODE]:
          • Attack Vector: Running containers in privileged mode (privileged: true) disables container isolation and grants near-host-level access to the container.
          • Impact: Catastrophic host system compromise.
          • Mitigation:
            • Avoid privileged containers unless absolutely necessary.
            • If privileged mode is required, carefully assess the risks and implement compensating controls.
            • Use capabilities (cap_add, cap_drop) to grant only the required privileges instead of full privileged mode.
            • Implement container security profiles (AppArmor, SELinux) to further restrict container capabilities.

Attack Tree Path: Exploit Compose's Interaction with Docker Daemon [HIGH RISK PATH]

Description: This path focuses on exploiting vulnerabilities arising from how Docker Compose interacts with the Docker daemon, specifically through Docker socket exposure.

  • Attack Vectors within this path:
    • Docker Socket Exposure (Indirectly via Compose Configuration) [HIGH RISK PATH] [CRITICAL NODE]:
      • Attack Vector: Exposing the Docker socket (/var/run/docker.sock) inside containers through volume mounts in docker-compose.yml grants containers full control over the Docker daemon and, consequently, the host system.
      • Impact: Catastrophic host system compromise. Attackers within the container can use the Docker socket to control the Docker daemon, launch new containers, access host resources, and potentially escape containerization entirely.
      • Mitigation:
        • Mounting /var/run/docker.sock into Containers via docker-compose.yml [CRITICAL NODE]:
          • Mitigation:
            • Never mount /var/run/docker.sock into containers unless absolutely necessary and with extreme caution.
            • Consider alternative approaches for containerized Docker access if needed, such as using the Docker API over TCP with TLS authentication and authorization.
            • If Docker socket mounting is unavoidable, implement very strict access controls within the container and monitor container activity closely.