We want to review and fix the security flaws with Docker and Docker Compose for GeoNode, starting from the reports recently done by Toni (GeoNode community member).
For the moment we have the following tasks to be done:
[x] test PR from Toni with some security fixes to postgis-docker #30
[ ] upgrade Docker Compose for geonode-project to version 3.4 (as it has already been done for GeoNode) #31
[ ] upgrade Geoserver Docker image #33
[ ] implemente rootless mode #32
Here below the full report (sent by email) is reported:
Some days ago the Sysadmin of a client informed me regarding a 100% usage
of a Vm running only GeoNode. After checking the running processes I've found an infection
with a cryptominer called kinsing.
The main entrypoints of Kinsing is a not secured Docker API Port further
a not secured Redis Container/Account. Both did not match with my standard
GeoNode Project Stack.
After some resarch (yes on christmas eve :/ ) I'm nearly 100% sure to found
the entrypoint in geonode/postgis container. It looks due to an open port 5432
it was possible to inject malware by most likely one of these two expolits
This made it possible to gain access to the host server install a cronjob
and run the miner. Ah yes and the miner also tries to steel ssh keys and
spreads on other VMs :/
My recommendation:
we should update our postgis image (newer version of mdillon/postgis) with consideration of the CVE page
be careful when opening port 5432 for public (Unsure if it would be good to inform the community)
if you need access to postgis from outside bind it to localhost (127.0.0.1:5432:5432) and use a SSH Tunnel
prevent root access from containers to host by running the daemon in rootless mode or user_namespaced
https://docs.docker.com/engine/security/rootless/
You should configure it initially, be prepared that the performance tab of the monitoring app might not work anymore (just a guess)
If one of you is interested I will share my experiences how I've reconfigured our instances (start of next year) user_namespaced
(Maybe we should also mention rootless mode in docs as well)
we should check if it would be worth to rework some Dockerfiles to run as a less priviliged user
We want to review and fix the security flaws with Docker and Docker Compose for GeoNode, starting from the reports recently done by Toni (GeoNode community member). For the moment we have the following tasks to be done:
Here below the full report (sent by email) is reported:
Some days ago the Sysadmin of a client informed me regarding a 100% usage of a Vm running only GeoNode. After checking the running processes I've found an infection with a cryptominer called kinsing.
Read technical Details here: https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
And here my log, how I've stopped and cleaned the process: https://gist.github.com/t-book/d28bea5918c1e92ca84e0ed879a8588anot run as root
The main entrypoints of Kinsing is a not secured Docker API Port further a not secured Redis Container/Account. Both did not match with my standard GeoNode Project Stack.
After some resarch (yes on christmas eve :/ ) I'm nearly 100% sure to found the entrypoint in geonode/postgis container. It looks due to an open port 5432 it was possible to inject malware by most likely one of these two expolits
https://www.cvedetails.com/vulnerability-list/vendor_id-336/product_id-575/version_id-276732/year-2019/opec-1/Postgresql-Postgresql-11.2.html
The fatal part about it is most processes within the containers run as root. Which is root on host. You can easily test this as shown here: https://suraj.io/post/root-in-container-root-on-host/
This made it possible to gain access to the host server install a cronjob and run the miner. Ah yes and the miner also tries to steel ssh keys and spreads on other VMs :/
My recommendation: