Docker socket should not be mounted into containers
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | MEDIUM | Kubernetes | NETWORK |
Description
The Docker socket is the Unix socket through which clients talk to the Docker daemon (dockerd), which manages containers, over the Docker Engine API. By default, the socket is created as a file at /var/run/docker.sock.
Mounting docker.sock into a container allows that container to manage other containers and execute any Docker command. Because the Docker service runs with root access, this also lets the container run those commands on the host.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
A compromised container with the docker.sock mounted allows attackers to:
- Gain root access and execute commands on the host
- Manipulate other containers
- Read sensitive data from other containers
Remediation guidelines
Don't mount the Docker socket unless it is absolutely necessary. Otherwise, limit the attack surface of the container by following the best practices.
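The following is an added detection check, not code from the original rule page: it scans a Kubernetes Pod spec (as a Python dict, e.g. after yaml.safe_load) for hostPath volumes that expose the Docker socket, including a parent directory such as /var/run, and reports which containers mount them. The sample manifests, container names and images are constructed for illustration; /run/docker.sock is included because /var/run is commonly a symlink to /run.

```python
# Added example: flag Pod specs that mount the Docker socket via hostPath.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def exposes_docker_socket(host_path):
    """True if a hostPath of host_path gives access to docker.sock.

    A mount of the socket itself, or of any parent directory (/var/run,
    /run, or the root filesystem), exposes the daemon to the container.
    """
    host = host_path.rstrip("/") or "/"
    if host == "/":
        return True
    return any(sock == host or sock.startswith(host + "/") for sock in DOCKER_SOCKETS)


def docker_socket_mounts(pod):
    """Return (volume, container, mountPath) for each docker.sock mount."""
    spec = pod.get("spec", pod)
    risky = {}
    for vol in spec.get("volumes") or []:
        host = (vol.get("hostPath") or {}).get("path")
        if host and exposes_docker_socket(host):
            risky[vol["name"]] = host
    findings = []
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        for m in c.get("volumeMounts") or []:
            if m.get("name") in risky:
                findings.append((m["name"], c["name"], m.get("mountPath")))
    return findings


# Constructed sample: a CI runner that mounts the host's Docker socket.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "containers": [{"name": "runner", "image": "example/ci-runner:1.0",
                        "volumeMounts": [{"name": "dockersock",
                                          "mountPath": "/var/run/docker.sock"}]}],
        "volumes": [{"name": "dockersock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed sample: same workload using an emptyDir scratch volume instead.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "containers": [{"name": "runner", "image": "example/ci-runner:1.0",
                        "volumeMounts": [{"name": "scratch", "mountPath": "/work"}]}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}
```

Running the check over a cluster's Pod manifests gives a list of (volume, container, mountPath) triples to review against the remediation guidance above.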