Privileged Ports Mapped In Container
- Query id: bc2908f3-f73c-40a9-8793-c1b7d5544f79
- Query name: Privileged Ports Mapped In Container
- Platform: DockerCompose
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description
Privileged ports (1 to 1023) should not be mapped into the container. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
services:
  dhcpd:
    image: networkboot/dhcpd:latest
    container_name: dhcpd
    ports:
      - 67:67/udp
    networks:
      - privnet
  dhcp_client:
    build: dhcp_client
    container_name: dhcp_client
    ports:
      - 68:68/udp
networks:
  privnet:
    ipam:
      config:
        - subnet: 192.168.0.0/24
Positive test num. 2 - yaml file
version: '2.1'
services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1::50"
    network_mode: "LDC"
Positive test num. 3 - yaml file
version: '2.1'
services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "12400-12500:124"
    network_mode: "LDC"
Positive test num. 4 - yaml file
Positive test num. 5 - yaml file
Positive test num. 6 - yaml file
Positive test num. 7 - yaml file
Positive test num. 8 - yaml file
Positive test num. 9 - yaml file
Positive test num. 10 - yaml file
Positive test num. 11 - yaml file
Positive test num. 12 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
services:
  dhcpd:
    image: networkboot/dhcpd:latest
    container_name: dhcpd
    ports:
      - 6700:6700/udp
    cap_drop:
      - NET_BIND_SERVICE
    networks:
      - privnet
  dhcp_client:
    build: dhcp_client
    container_name: dhcp_client
    ports:
      - 6800:6800/udp
networks:
  privnet:
    ipam:
      config:
        - subnet: 192.168.0.0/24
Negative test num. 2 - yaml file
version: '2.1'
services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 8080
        protocol: tcp
        mode: host
    cap_drop:
      - CHOWN
    network_mode: "LDC"
Negative test num. 3 - yaml file
version: '2.1'
services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "7000:8000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
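As an added example (not part of the KICS query or its documentation), a small Python checker that applies the rule from the description to the kinds of `ports` entries seen in the samples above: it extracts the container-side port from both the short syntax (`HOST_IP::PORT`, `RANGE:PORT`, `PORT:PORT/udp`) and the long syntax (`target:`), reports any container port in 1 to 1023, and records whether the service drops NET_BIND_SERVICE. It assumes the Compose file has already been loaded into the dict that `yaml.safe_load` would return; the sample data below is constructed to mirror the positive and negative tests.

```python
"""Report Docker Compose services that map privileged container ports (1-1023)."""

PRIVILEGED_MAX = 1023


def container_port_range(entry):
    """Return (low, high) container ports for one `ports` entry.

    Short syntax: [HOST_IP:][HOST_PORT[-RANGE]:]CONTAINER_PORT[-RANGE][/PROTO]
    Long syntax:  {"target": <container port>, "published": ..., ...}
    """
    if isinstance(entry, dict):            # long syntax: container port is `target`
        target = int(entry["target"])
        return target, target
    spec = str(entry).split("/", 1)[0]     # drop a trailing "/udp" or "/tcp"
    container = spec.rsplit(":", 1)[-1]    # the field after the last ':' is the container side
    low, _, high = container.partition("-")
    return int(low), int(high or low)


def drops_net_bind_service(service):
    """True when the service lists NET_BIND_SERVICE under cap_drop."""
    return any(cap.upper() == "NET_BIND_SERVICE" for cap in service.get("cap_drop", []))


def find_privileged_ports(compose):
    """Return [(service, entry, lowest_container_port, cap_dropped)] per offending mapping."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports", []):
            low, _high = container_port_range(entry)
            if low <= PRIVILEGED_MAX:        # the range starts inside 1-1023
                findings.append((name, entry, low, drops_net_bind_service(svc)))
    return findings


# Constructed sample: dhcpd and legacy mirror the positive tests, webapp a negative one.
SAMPLE = {
    "services": {
        "dhcpd": {"image": "networkboot/dhcpd:latest", "ports": ["67:67/udp"]},
        "webapp": {"build": "./webapp", "ports": ["7000:8000"], "cap_drop": ["NET_BIND_SERVICE"]},
        "legacy": {"image": "example/legacy", "ports": ["127.0.0.1::50", {"target": 443, "published": 8443}]},
    }
}

if __name__ == "__main__":
    for service, entry, port, dropped in find_privileged_ports(SAMPLE):
        cap = "drops" if dropped else "keeps"
        print(f"{service}: {entry!r} maps privileged container port {port}; service {cap} NET_BIND_SERVICE")
```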