Docker security

Docker registry: Corrupting the Source Image

In general, keeping your systems up to date is essential to maintaining a baseline level of security. To update running instances automatically, there is a tool named Watchtower that watches a registry (for example a private repository) and makes sure a running container uses the latest image published under its tag. When Watchtower detects that the image behind a tag has changed, it pulls the new image and automatically restarts the container from it.

However, this feature can be turned against you by a malicious user who holds push permission on the Docker registry. They can push a modified, malicious image under the tag that Watchtower follows, and Watchtower will pull and run it automatically on the target server.

In the following video, an attacker uses their push permission on a private Docker registry to publish a new malicious image. With the help of Watchtower, that image replaces a running WordPress instance and gives the attacker a reverse shell on the target server.
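Because Watchtower trusts whatever the registry serves under a tag, the place to catch this attack is the registry's own push events: a protected tag whose digest changes, or a push to that tag by an identity that is not your CI, should page someone before the auto-update rolls out. The script below is an added example written for this page, not code from Watchtower or from the original post. It assumes the notification payload shape of the Docker Distribution registry (`events[].action`, `target.repository`, `target.tag`, `target.digest`, `actor.name`); the repository names, actor names and digests are constructed for the example.

```python
"""Flag suspicious pushes in Docker Distribution registry notification events.

Added example for this page (not Watchtower's or the registry's own code).
The field layout follows the Docker Distribution notification format as an
assumption; adjust the accessors if your registry's payloads differ.
"""
import json

# Tags an auto-updater such as Watchtower follows in production. Any change of
# the digest behind one of these tags is rolled out automatically, so every
# such change deserves review. (Constructed names.)
PROTECTED_TAGS = {("acme/wordpress", "latest"), ("acme/wordpress", "6.4")}

# Identities allowed to publish protected tags (constructed for the example).
AUTHORIZED_PUSHERS = {"ci-bot"}

# Constructed digests: real ones are 64 hex characters after "sha256:".
DIGEST_A = "sha256:" + "11" * 32
DIGEST_B = "sha256:" + "22" * 32
DIGEST_C = "sha256:" + "33" * 32


def _event(action, repo, actor, digest, tag=None):
    """Build one notification event in the assumed Distribution layout."""
    target = {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
              "repository": repo, "digest": digest}
    if tag is not None:
        target["tag"] = tag
    return {"action": action, "target": target, "actor": {"name": actor}}


# Constructed notification envelope: a normal CI release, then a re-push of
# the production tag by an unexpected identity, then unrelated activity.
SAMPLE_NOTIFICATION = json.dumps({"events": [
    _event("push", "acme/wordpress", "ci-bot", DIGEST_A, tag="6.4"),
    _event("push", "acme/wordpress", "ci-bot", DIGEST_A, tag="latest"),
    _event("push", "acme/wordpress", "contractor", DIGEST_B, tag="latest"),
    _event("push", "acme/tools", "contractor", DIGEST_C, tag="dev"),
    _event("push", "acme/tools", "contractor", DIGEST_C),        # manifest by digest, no tag moved
    _event("pull", "acme/wordpress", "watchtower", DIGEST_B, tag="latest"),
]})


def parse_events(raw_json):
    """Return only the push events from a registry notification envelope."""
    envelope = json.loads(raw_json)
    return [e for e in envelope.get("events", []) if e.get("action") == "push"]


def audit_pushes(events, known_digests=None):
    """Walk push events in order and return (findings, updated tag->digest map).

    known_digests maps (repository, tag) -> digest of the last accepted push,
    so state can be carried across webhook deliveries.
    """
    state = dict(known_digests or {})
    findings = []
    for ev in events:
        target = ev.get("target", {})
        repo, tag, digest = target.get("repository"), target.get("tag"), target.get("digest")
        if tag is None:
            continue  # blob or manifest-by-digest push: no tag was re-pointed
        actor = ev.get("actor", {}).get("name", "<unknown>")
        key = (repo, tag)
        if key in PROTECTED_TAGS:
            if actor not in AUTHORIZED_PUSHERS:
                findings.append(f"UNAUTHORIZED_PUSH {repo}:{tag} by {actor} -> {digest}")
            previous = state.get(key)
            if previous is not None and previous != digest:
                findings.append(f"TAG_MUTATION {repo}:{tag} {previous} -> {digest} by {actor}")
        state[key] = digest
    return findings, state


def main():
    findings, _ = audit_pushes(parse_events(SAMPLE_NOTIFICATION))
    for line in findings:
        print(line)


if __name__ == "__main__":
    main()
```

On the constructed input the script reports two findings for the same event: the push to `acme/wordpress:latest` by `contractor` is both unauthorized and a tag mutation, which is exactly the event Watchtower would act on next. Pair this kind of alert with the usual hardening: grant push rights on production repositories to the CI identity only, pin deployed containers to an image digest rather than a mutable tag where you can, and scope Watchtower with its label opt-in (`--label-enable`) so only containers you deliberately mark get auto-updated.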