NewsBlur, an RSS news reading app for the web and mobile devices, recently had one of its databases deleted thanks to an insecure default setting that has dogged developers using Docker since 2014.
In a blog post this week, Samuel Clay, founder of NewsBlur, recounted how an unknown vandal deleted a database from his app's dockerized MongoDB cluster using a "Docker footgun" – something setup in a way that promotes shooting oneself in the foot, so to speak.
The incident happened as Clay was in the process of moving NewsBlur, which relies on PostgreSQL, MongoDB, Redis, Elasticsearch databases currently, to Docker containers in preparation for a redesign. He switched the app's MongoDB cluster over to the new servers and shut down the original server, intending to delete it after the new setup proved stable.
Clay explains that the Uncomplicated Firewall (uwf) he enabled on his internal servers didn't work as expected on a new server because of an insecure Docker default.
"When I containerized MongoDB, Docker helpfully inserted an allow rule into
iptables, opening up MongoDB to the world," he explained. "So while my firewall was 'active,' doing a
sudo iptables -L | grep 27017 showed that MongoDB was open to the world."
The exposed database appears to have been spotted and deleted by an automated ransomware script after about three hours. Clay said he was alerted to the disaster when he received an error message from NewsBlur on his phone. It included "drop" in the error message, the SQL data definition language command for deleting databases.
Upon examining his MongoDB installation, he found a new empty database named "READ__ME_TO_RECOVER_YOUR_DATA" that included a demand for 0.03 BTC (~US$1,094).
Clay had no reason to pay the ransom, however, because he determined no data had actually been stolen and he had a backup of the erased database.
- NCSC chief: Ransomware is more of a threat to Britain than hostile nations' spies
- Good news for pentesters and network admins: US issues ransomware guidance asking biz to skill up security teams
- Update Docker: Fun bug involving file paths and shared libraries turns out to be a security hole
- If you're using Harbor as your container registry, bear in mind it can be hijacked with has_admin_role = True
Looking through his MongoDB access logs, he was able to spot two connections that occurred right before the deletion that came from a Tor exit node. While some site owners block IP addresses associated with Tor exit nodes, Clay said NewsBlur has not done so to allow people in internet-censored countries to bypass content restrictions and to promote free speech.
The Docker footgun – installing Docker on Ubuntu Linux that silently bypasses firewall rules – has been a matter of concern among developers for the past seven years. The problem is widely known enough that various online posts offer workaround advice.
The Register asked Docker why it hasn't implemented a more secure default but we've not heard back. Docker's documentation does warn that it manipulates
iptables, the command line utility is used for IP packet filtering rule configuration.
We put the same question to Clay, who responded, "Your guess is as good as mine. It’s sort of like the trade off between convenience and security. Here convenience won out." ®