CRITICAL: Accessible Docker Service Report

DESCRIPTION LAST UPDATED: 2023-12-11

DEFAULT SEVERITY LEVEL: DOCKER

Introduction

This report identifies accessible Docker servers on port 2375/tcp. As described in Wikipedia, Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.

In this scan we are identifying the underlying Docker service platform (the host) that can run containers.

How we scan 

We scan by sending a HTTP GET /version request to port 2375/tcp and await a Docker response.

You can replicate our scan by using the following zgrab2 command:

zgrab2 http -p 2375 --endpoint="/version"

Based on the response received some data may also be tagged CVE-2019-5736  (tag is triggered on BuildTime < 2019-02-11), which may allow for host root access to be obtained.

As of 2022-07-04, we see 551 accessible Docker services worldwide – with 290 of these tagged additionally with CVE-2019-5736.

Dashboard

You can track latest Docker scan results on the Shadowserver Dashboard.

Mitigation

It is unlikely that you need to have a Docker service allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive this report from us for your network or constituency make sure to firewall traffic to this service or place it behind a VPN. Make sure to upgrade if your instance is tagged with CVE-2019-5736!

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename: scan_docker

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that is being queried (port 2375 is the default, others may be added over time)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "docker". May also contain CVE-2019-5736 if this is detected based on the Docker build_time.
  • version
    Docker version
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the identified device belongs to
  • http
    HTTP response type (HTTP/1.1, etc)
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request
  • server
    HTTP server type, Apache or the like
  • date
    Date returned in the HTTP response headers
  • experimental
    Is the experimental flag set?
  • api_version
    Docker api version
  • arch
    Architecture (arm/amd/etc)
  • go_version
    Version of Golang docker was compiled with
  • os
    Operating system that docker is running on top of
  • kernel_version
    Kernel of the host OS
  • git_commit
    Tag when built from source
  • min_api_version
    Minimum version of the API that can talk to docker
  • build_time
    Timestamp of when docker was compiled
  • pkg_version
    Package version (may be empty)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","sector","http","http_code","http_reason","content_type","server","date","experimental","api_version","arch","go_version","os","kernel_version","git_commit","min_api_version","build_time","pkg_version"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,2375,node01.example.com,docker,24.0.7,64512,ZZ,Region,City,0,,,HTTP/1.1,200,OK,application/json,"Docker/24.0.7 (linux)","Sat, 25 Nov 2023 00:04:57 GMT",false,1.43,amd64,go1.20.10,linux,4.18.0-348.7.1.el8_5.x86_64,311b9ff,1.12,2023-10-26T09:08:20.000000000+00:00,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,2375,node02.example.com,docker,24.0.7,64512,ZZ,Region,City,0,,,HTTP/1.1,200,OK,application/json,"Docker/24.0.7 (linux)","Sat, 25 Nov 2023 00:04:58 GMT",false,1.43,amd64,go1.20.10,linux,5.10.134-15.al8.x86_64,311b9ff,1.12,2023-10-26T09:08:20.000000000+00:00,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,2375,node03.example.com,docker,24.0.7,64512,ZZ,Region,City,0,,,HTTP/1.1,200,OK,application/json,"Docker/24.0.7 (linux)","Sat, 25 Nov 2023 00:04:56 GMT",false,1.43,amd64,go1.20.10,linux,3.10.0-1160.102.1.el7.x86_64,311b9ff,1.12,2023-10-26T09:10:36.000000000+00:00,

Our 131 Report Types

« Back to Network Reporting