Leadership Hijacking in Docker Swarm and Its Consequences
Entropy (IF 2.7), published 2021-07-19, DOI: 10.3390/e23070914
Adi Farshteindiker, Rami Puzis
With the advent of microservice-based software architectures, an increasing number of modern cloud environments and enterprises use operating-system-level virtualization, often referred to as container infrastructure. Docker Swarm is one of the most popular container orchestration infrastructures, providing high availability and fault tolerance. Occasionally discovered container escape vulnerabilities allow adversaries to execute code on the host operating system and operate within the cloud infrastructure. We show that Docker Swarm is currently not secured against misbehaving manager nodes. This allows a high-impact, high-probability privilege escalation attack, which we refer to as leadership hijacking, a possibility that the current cloud security literature neglects. Cloud lateral movement and defense evasion payloads allow an adversary to leverage Docker Swarm functionality to control each and every host in the underlying cluster. We demonstrate an end-to-end attack in which an adversary with access to an application running on the cluster achieves full control of the cluster. To reduce the probability of a successful high-impact attack, container orchestration infrastructures must reduce the trust level of participating nodes and, in particular, incorporate adversary-immune leader election algorithms.

Updated: 2021-07-19