Privileged Ports Mapped In Container

  • Query id: bc2908f3-f73c-40a9-8793-c1b7d5544f79
  • Query name: Privileged Ports Mapped In Container
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
services:
  dhcpd:
    image: networkboot/dhcpd:latest
    container_name: dhcpd
    ports:
      - 67:67/udp
    networks:
      - privnet
  dhcp_client:
    build: dhcp_client
    container_name: dhcp_client
    ports:
      - 68:68/udp

networks:
  privnet:
    ipam:
      config:
        - subnet: 192.168.0.0/24
Positive test num. 2 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "7000:80"
    network_mode: "LDC"
Positive test num. 3 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "70:8000"
    network_mode: "LDC"

Positive test num. 4 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "70-8000"
    network_mode: "LDC"
Positive test num. 5 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "80"
    network_mode: "LDC"
Positive test num. 6 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "90-9091:8080-8081"
    network_mode: "LDC"
Positive test num. 7 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "9090-9091:80-8081"
    network_mode: "LDC"
Positive test num. 8 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "49100:22"
    network_mode: "LDC"
Positive test num. 9 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1:80:8001"
    network_mode: "LDC"
Positive test num. 10 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1::50"
    network_mode: "LDC"
Positive test num. 11 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "12400-12500:124"
    network_mode: "LDC"
Positive test num. 12 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 80
        published: 8080
        protocol: tcp
        mode: host
    network_mode: "LDC"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
services:
  dhcpd:
    image: networkboot/dhcpd:latest
    container_name: dhcpd
    ports:
      - 6700:6700/udp
    cap_drop:
      - NET_BIND_SERVICE
    networks:
      - privnet
  dhcp_client:
    build: dhcp_client
    container_name: dhcp_client
    ports:
      - 6800:6800/udp

networks:
  privnet:
    ipam:
      config:
        - subnet: 192.168.0.0/24
Negative test num. 2 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "7000:8000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 3 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "7000-8000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"

Negative test num. 4 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "8000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 5 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "9000-9091:8080-8081"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 6 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1:8000:8001"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 7 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "127.0.0.1::5000"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 8 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - "12400-12500:1240"
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 9 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 8080
        protocol: tcp
        mode: host
    cap_drop:
      - NET_BIND_SERVICE
    network_mode: "LDC"
Negative test num. 10 - yaml file
version: '2.1'

services:
  webapp:
    container_name: webapp
    build: ./webapp
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://0.0.0.0:80
      - TradeUrl=http://trading.api
    ports:
      - target: 8000
        published: 8080
        protocol: tcp
        mode: host
    cap_drop:
      - CHOWN
    network_mode: "LDC"