Docker has a potential security breach!!! BEWARE!

Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

Moderator: Lillian.W@AST

MikeG.6.5
Posts: 917
Joined: Fri May 15, 2015 1:56 am

Docker has a potential security breach!!! BEWARE!

Post by MikeG.6.5 »

I have been having the same issues a lot of others have been having with Docker apps not starting during a restart of the NAS. I have to manually go into App Central and disable Docker, then re-enable each app to get them operating correctly. The apps I typically need to do this with: Sonarr V3, Lidarr, Jackett, Tautuli and Ombi.

While I have been working this issue, hoping for some sort of fix forthcoming from Asustor, I found a security issue with the current version of Docker-CE currently in App Central. It will start an app called "kdevtmpfsi" which we see as "kdevtmpfs" in the processes tab of the Activity Monitor. This app is directly tied to the Kinsing crypto mining malware app. The following is the reply I just sent to Asustor on the Beta reporting for ADM 4.0:
Further information on the current docker image:

I did some further digging and found there is an actual security breach in the current version of the Docker we have on App Central. Somehow it installs an app called "kdevtmpfsi" which we see in the Processes tab of the Activity Monitor as "kdevtmpfs". This app always uses PID 28 from my observations. This app is associated with a crypto miner malware called Kinsing. Further troubleshooting has shown me that this app is only called while the Docker is running. After about 6 hours of up time, this app will take up to 25% of the IO Wait State as viewed with NetData, creating sluggish drive responses and creating a problem that can lead to excess RAID synchronizations if the system is restarted while the app is running.

I have experienced this very issue, thinking it was a different type of problem, such as cooling of the main NAS or cooling on my AS-6004U. As such I have placed both units in a small refrigerator to help regulate the cooling, which hasn't had the impact I had anticipated.

After two to four days of up time, the server sees an IO Wait State rising upwards of 100%. Again, sluggish server responses, potential drive failures, or synchronization problems. I have noticed some traffic on my router that I couldn't figure out the cause. After disabling Docker I can only associate this additional traffic to this Kinsing app.

At this point it is paramount that Asustor update the current Docker image to one without this potential security hole. While you are updating the Docker it may also be prudent to update those apps that require it in the App Central app on the NAS. More information on this can be found at this link: https://github.com/docker-library/redis/issues/217

I will keep the forum apprised of any updates from Asustor as a result of this ticket. In the meantime, I suggest users discontinue using the current version of Docker until we hear directly from Asustor what the plan of resolution is. If I had the option to run the apps I need natively, without the need for a Docker image, I would gladly do so, but Asustor removed that functionality from App Central a while back, and now I'm somewhat stuck.
Nazar78
Posts: 2003
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Docker has a potential security breach!!! BEWARE!

Post by Nazar78 »

Erm, kdevtmpfs is a kernel process as described below. Take a look at its PID:

Code:

root@Nimbustor4:~# ps -ef|grep kdevtmpfs
   28 root      0:00 [kdevtmpfs]

It's loaded way before the docker-ce daemon itself. If it's kdevtmpfsi then yes, it's malware that runs in user space, hogging the system resources.
// SPDX-License-Identifier: GPL-2.0
/*
 * devtmpfs - kernel-maintained tmpfs-based /dev
 *
 * Copyright (C) 2009, Kay Sievers <kay.sievers@vrfy.org>
 *
 * During bootup, before any driver core device is registered,
 * devtmpfs, a tmpfs-based filesystem is created. Every driver-core
 * device which requests a device node, will add a node in this
 * filesystem.
 * By default, all devices are named after the name of the device,
 * owned by root and have a default mode of 0600. Subsystems can
 * overwrite the default setting if needed.
 */
https://github.com/torvalds/linux/blob/ ... devtmpfs.c

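The distinction Nazar78 draws above (a bracketed kernel thread with an empty /proc/PID/cmdline versus a user-space binary with a look-alike name) can be checked mechanically. The script below is an added example, not code from either poster or from ASUSTOR; the ps lines it scans are constructed for the demo, and only `live_kernel_thread` touches the real /proc of the machine it runs on.

```shell
#!/bin/sh
# Added example: separate the kernel thread "kdevtmpfs" from a user-space
# imposter such as "kdevtmpfsi". Kernel threads have no executable image,
# so /proc/PID/cmdline is empty and BusyBox/procps ps prints their name in
# square brackets, e.g. "[kdevtmpfs]". A miner is an ordinary binary.

# Constructed ps -ef style output (PID USER TIME COMMAND) for the demo.
# Only PID 28 is the genuine kernel thread; 4711 and 4720 are imposters.
SAMPLE_PS='    1 root      0:05 /sbin/init
   28 root      0:00 [kdevtmpfs]
 4711 root      1:23 /tmp/kdevtmpfsi
 4720 admin     0:00 kdevtmpfs
 4801 root      0:00 /usr/bin/dockerd'

# is_kernel_thread_line "LINE": succeeds when the COMMAND field is bracketed.
is_kernel_thread_line() {
  set -- $1
  case "$4" in
    \[*\]) return 0 ;;
    *)     return 1 ;;
  esac
}

# flag_imposters: read ps lines on stdin and print the PID of every process
# whose name mimics kdevtmpfs but is NOT a kernel thread.
flag_imposters() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    is_kernel_thread_line "$line" && continue
    set -- $line
    case "${4##*/}" in
      kdevtmpfs*) echo "$1" ;;
    esac
  done
}

# live_kernel_thread PID: succeeds if the running process is a kernel thread
# (readable but empty /proc/PID/cmdline). Usable on any Linux host, NAS included.
live_kernel_thread() {
  [ -r "/proc/$1/cmdline" ] && [ ! -s "/proc/$1/cmdline" ]
}

# Demo on the constructed sample: prints 4711 and 4720, not 28.
printf '%s\n' "$SAMPLE_PS" | flag_imposters
```

On a live box, `live_kernel_thread 28` confirms the bracketed PID from the post, while a user-space kdevtmpfsi would fail that check and show a real path in /proc/PID/exe.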