Container Traffic Not Bound To Host Interface

  • Query id: 451d79dc-0588-476a-ad03-3c7f0320abb3
  • Query name: Container Traffic Not Bound To Host Interface
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 693
  • URL: Github

Description

Incoming container traffic should be bound to a specific host interface. By default, a ports entry that gives no host IP is published on all host interfaces.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "7000:8000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Positive test num. 2 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "12400-12500:1240"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Positive test num. 3 - yaml file
version: '3.2'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 8080
        protocol: tcp
        mode: host
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1:8000:8001"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 2 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1:5000-5010:5000-5010"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 3 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      -  "127.0.0.1::5000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 4 - yaml file
version: '3.2'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 127.0.0.1:8080
        protocol: tcp
        mode: host
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 5 - yaml file
version: '3.2'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 127.0.0.1:8080-8090
        protocol: tcp
        mode: host
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 6 - yaml file
version: '3.2'

services:
  webapp:
    container_name: webapp
    build: ./
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 127.0.0.1
        protocol: tcp
        mode: host
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
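
A sketch of the check that separates the positive samples from the negative ones above. This is an added example, not the query's own implementation. It assumes the Compose file has already been parsed into Python objects, uses hypothetical function and service names, and goes beyond the samples by also handling bracketed IPv6 addresses, the Compose long-syntax host_ip key, and explicit 0.0.0.0 or :: bindings, which it treats as unbound.

```python
import ipaddress

def _leading_ip(spec):
    """Return the literal IP that starts a port spec, or None if there is none."""
    spec = str(spec).split("/", 1)[0].strip()   # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                    # bracketed IPv6, e.g. "[::1]:80:80"
        candidate = spec[1:].split("]", 1)[0]
    else:                                       # IPv4 is the first colon-separated field
        candidate = spec.split(":", 1)[0]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:                          # a port or port range, not an address
        return None

def bound_host_ip(entry):
    """Host IP a ports entry binds to, or None if it is exposed on every interface."""
    if isinstance(entry, dict):                 # long syntax
        # host_ip is the Compose spec key; the page's samples put the IP in published
        ip = _leading_ip(entry.get("host_ip") or entry.get("published") or "")
    else:                                       # short syntax (string or bare integer)
        ip = _leading_ip(entry)
    if ip is None or ip.is_unspecified:         # 0.0.0.0 and :: mean "all interfaces"
        return None
    return str(ip)

def unbound_ports(services):
    """List (service, entry) pairs whose published port has no specific host IP."""
    return [(name, entry)
            for name, svc in services.items()
            for entry in svc.get("ports") or []
            if bound_host_ip(entry) is None]

# Constructed input: the ports values from the page's samples, already parsed
# from YAML into Python objects (service names are hypothetical).
SAMPLE_SERVICES = {
    "positive1": {"ports": ["7000:8000"]},
    "positive2": {"ports": ["12400-12500:1240"]},
    "positive3": {"ports": [{"target": 8000, "published": 8080, "protocol": "tcp", "mode": "host"}]},
    "negative1": {"ports": ["127.0.0.1:8000:8001"]},
    "negative3": {"ports": ["127.0.0.1::5000"]},
    "negative5": {"ports": [{"target": 8000, "published": "127.0.0.1:8080-8090", "protocol": "tcp", "mode": "host"}]},
}

if __name__ == "__main__":
    for service, entry in unbound_ports(SAMPLE_SERVICES):
        print(f"{service}: {entry!r} is published on all host interfaces")
```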