Docker security

Docker host attacks: Misconfigured Docker Socket

By default, the Docker daemon listens on a non-networked UNIX socket at /var/run/docker.sock. If that socket is exposed, locally or remotely, any user who can reach it with a Docker client can act as if they were on the host itself running docker commands, and can often take over the full environment. Unfortunately, a large number of servers expose docker.sock to the internet (a Shodan search turns many of them up).
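The two exposures described above, a TCP listener with no TLS client authentication and a UNIX socket whose permissions let more than the intended group write to it, can both be audited from the host. The following script is an added example written for this page, not code from the original article; it checks a daemon.json document for tcp:// listeners that lack tlsverify and checks docker.sock for over-broad permission bits. The two daemon.json documents embedded in it are constructed samples, and the assumed defaults are the standard paths /var/run/docker.sock and /etc/docker/daemon.json plus the conventional docker group.

```python
import grp
import json
import os
import stat
from typing import List

# Constructed sample daemon.json documents (illustrative, not copied from any real host).
# The weak one exposes the API on plain TCP; the hardened one requires client
# certificates (tlsverify) and points at the server's TLS material.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> List[str]:
    """Return findings for a daemon.json document.

    A tcp:// listener is root-equivalent remote access to the host, so it is
    only acceptable when tlsverify is on (mutual TLS) and the TLS files are set.
    """
    cfg = json.loads(config_text)
    findings: List[str] = []
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_files = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are governed by file permissions instead
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated root-equivalent API)")
        elif not tls_files:
            findings.append(f"{host}: tlsverify is set but tlscacert/tlscert/tlskey are incomplete")
    return findings


def audit_socket_mode(mode: int, group_name: str) -> List[str]:
    """Return findings for the UNIX socket's permission bits and owning group.

    Write access to docker.sock is equivalent to root on the host, so the socket
    must not be world-writable and group write should be limited to 'docker'.
    """
    findings: List[str] = []
    if mode & stat.S_IWOTH:
        findings.append("docker.sock is world-writable: every local user has root-equivalent access")
    if mode & stat.S_IWGRP and group_name != "docker":
        findings.append(f"docker.sock is writable by group '{group_name}' instead of 'docker'")
    return findings


def audit_live_host(socket_path: str = "/var/run/docker.sock",
                    config_path: str = "/etc/docker/daemon.json") -> List[str]:
    """Run both checks against this host; skip whichever artefact is absent."""
    findings: List[str] = []
    if os.path.exists(socket_path):
        st = os.stat(socket_path)
        try:
            group_name = grp.getgrgid(st.st_gid).gr_name
        except KeyError:  # gid with no /etc/group entry
            group_name = str(st.st_gid)
        findings += audit_socket_mode(st.st_mode, group_name)
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            findings += audit_daemon_config(fh.read())
    return findings


if __name__ == "__main__":
    for label, doc in (("weak sample", WEAK_DAEMON_JSON), ("hardened sample", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or ["no findings"])
    print("this host", audit_live_host() or ["no findings"])
```

Run it as root on the Docker host; the two sample documents always produce output, and the live check only reports on the socket and config file that actually exist. The daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are the daemon's documented options; the script deliberately treats any tcp:// listener as a finding unless mutual TLS is configured, because there is no authentication on the API otherwise.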

In the following video, an attacker leverages an unprotected Docker TCP socket running locally to escalate privileges and retrieve files from the host's root file system.