Profile Applicability:

  • Level 1

Description:

The TCP/IP port numbers below 1024 are considered privileged ports. Unprivileged users and processes are not allowed to bind to them, for various security reasons. Docker, however, allows a container port to be mapped to a privileged port on the host, which can pose a security risk.

Rationale:

By default, if the user does not explicitly declare a container port to host port mapping, Docker automatically maps the container port to an available host port in the 49153-65535 range. Allowing privileged port mapping could lead to exposure of sensitive data or unauthorized access. Containers are executed with the NET_BIND_SERVICE Linux kernel capability by default, which permits binding to privileged ports, so nothing in the default capability set prevents such a mapping.

Impact:

None:

  • Privileged ports are security-sensitive and should not be exposed to containers unless necessary. Allowing such mappings could potentially expose critical services to unauthorized access.

Default Value:

By default, mapping a container port to a privileged port on the host is allowed, but this should be avoided unless specifically required for applications that need to bind to ports such as 80 (HTTP) or 443 (HTTPS).

Pre-requisites:

  • Docker must be installed and configured on the host system.

  • The container should be configured without mapping privileged ports unless absolutely required.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running.
  2. Check the running containers and their port mappings by inspecting the container configurations for any mapping to ports below 1024.

Using AWS CLI:

  1. Run the following command to list all running containers and their port mappings:
    docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

    Review the port mappings and ensure that container ports are not mapped to host port numbers below 1024.
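    The review in the step above can be automated. The script below is an added example, not part of the benchmark: it parses the JSON that `docker inspect` emits (the NetworkSettings.Ports object, whose keys are "<port>/<proto>" and whose values are a list of {HostIp, HostPort} bindings or null for unpublished ports) and reports every host port below 1024. The sample inspect output embedded in it is constructed for offline use.

```python
#!/usr/bin/env python3
"""Flag container port mappings that use a privileged host port (< 1024).

Intended input is the output of:
    docker ps --quiet | xargs docker inspect > containers.json
    python3 audit_ports.py containers.json
"""
import json
import sys

PRIVILEGED_MAX = 1023  # host ports 0-1023 are privileged


def privileged_mappings(ports):
    """Return (container_port, host_ip, host_port) for every published
    binding whose host port is privileged. `ports` is the
    NetworkSettings.Ports object; a null value means exposed but not
    published, so it is skipped."""
    findings = []
    for container_port, bindings in (ports or {}).items():
        for binding in bindings or []:
            host_port = int(binding["HostPort"])
            if host_port <= PRIVILEGED_MAX:
                findings.append((container_port, binding.get("HostIp", ""), host_port))
    return findings


def audit(inspect_json):
    """Map container name -> privileged mappings; compliant containers are omitted."""
    report = {}
    for container in json.loads(inspect_json):
        hits = privileged_mappings(container["NetworkSettings"]["Ports"])
        if hits:
            report[container["Name"].lstrip("/")] = hits
    return report


# Constructed sample: "web" violates the control, "api" is compliant.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Name": "/web", "NetworkSettings": {"Ports": {
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
        "443/tcp": None}}},
    {"Id": "bbb", "Name": "/api", "NetworkSettings": {"Ports": {
        "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49153"}]}}},
])

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, hits in audit(data).items():
        for cport, hip, hport in hits:
            print(f"{name}: container {cport} -> host {hip}:{hport} (privileged)")
```

    Any container listed in the output maps a host port below 1024 and fails this control.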

Implementation Plan:

Using AWS Console:

  1. Ensure that the container ports are not mapped to any privileged ports.
  2. When starting a container, avoid specifying privileged port mappings unless absolutely necessary.

Using AWS CLI:

  1. When running a container, avoid using the -p or --publish-all flags with privileged ports. Instead, use the following format to explicitly map only the required, non-privileged ports:
    docker run --interactive --tty --publish 49153:49153 <image-name>

    Also ensure that no EXPOSE directive in the Dockerfile declares a privileged port (below 1024).

Backout Plan:

Using AWS Console:

  1. If privileged ports have been mapped, modify the container configuration to remove these mappings.
  2. Restart the container after changes are applied to ensure that privileged ports are not in use.

Using AWS CLI:

  1. If privileged ports are mapped, modify the container's port mapping by using the docker run command with explicit, non-privileged ports:
    docker run --interactive --tty --publish 49153:49153 <image-name>

References: