Docker Engine API is accessible without authentication - Vulnerability Database

Docker Engine API is accessible without authentication

Description

The Docker Engine API is a RESTful interface that allows remote management of Docker containers, images, networks, and volumes. This API should be protected by authentication mechanisms such as TLS client certificates or access controls.

This vulnerability indicates that the Docker Engine API is exposed and accessible over the network without any authentication requirements, allowing unrestricted access to anyone who can reach the endpoint. Because the Docker daemon normally runs as root, anyone who can call the API can start containers, mount host paths, and otherwise gain root-level control of the host.

Remediation

Immediately restrict access to the Docker Engine API using one or more of the following methods:

1. Disable Remote Access (Recommended if not needed):
If remote API access is not required, configure Docker to listen only on the local Unix socket. Remove any TCP socket bindings (e.g., -H tcp://0.0.0.0:2375) from the Docker daemon configuration file (/etc/docker/daemon.json) and from the systemd service file or its drop-in (the ExecStart line of docker.service), whichever carries them.

2. Enable TLS Authentication:
If remote access is required, configure TLS with client certificate authentication. Generate CA, server, and client certificates, then configure the Docker daemon to require verified client certificates (port 2376 is the conventional TLS port; "tlsverify" is what actually enforces client certificates, "tls" alone only encrypts). Note that on systemd-based installations "hosts" may be set either in daemon.json or via -H in the unit file, not both, or the daemon will refuse to start:

{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}

3. Implement Network-Level Access Controls:
Use firewall rules (iptables, security groups, network policies) to restrict access to the Docker API port (typically 2375/2376) to only trusted IP addresses or networks.

4. Use an Authentication Proxy:
Deploy a reverse proxy with authentication (such as nginx with basic auth or OAuth) in front of the Docker API.

After implementing controls, restart the Docker daemon and verify that unauthenticated access is blocked, for example by confirming that a plain HTTP request to the API port is refused and that API calls succeed only with a valid client certificate.
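The following Python script is an added example and is not part of this vulnerability entry or of Docker's own tooling. It covers the two checks a defender wants after remediation: an offline audit of daemon.json that flags any tcp:// listener not protected by both "tls" and "tlsverify", and a post-remediation probe that reports whether a plain-HTTP GET /_ping to a host still gets the daemon's "OK" reply. The two configurations embedded in the script are constructed samples; the host name passed to the probe is an assumption for the caller to supply.

```python
"""Audit a Docker daemon.json and verify that the API no longer answers plain HTTP.

Added example, not code from the vulnerability database entry. Assumes the
daemon.json layout shown in the remediation above ("hosts", "tls",
"tlsverify", "tlscacert", "tlscert", "tlskey").
"""
import http.client
import json
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample configurations for the demonstration (not real hosts).
INSECURE_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(config_text):
    """Return a list of findings for the given daemon.json text (empty = no issue)."""
    cfg = json.loads(config_text)
    findings = []
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if urlsplit(host).scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        if not tls:
            findings.append(f'{host}: TCP listener without TLS ("tls" is not set)')
        elif not tlsverify:
            findings.append(
                f'{host}: TLS is enabled but client certificates are not required '
                f'("tlsverify" is not set)'
            )
        else:
            # tlsverify is on; make sure the certificate material is named explicitly
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(
                        f'{host}: "{key}" is not set explicitly; confirm the default '
                        f"certificate path is intended"
                    )
    return findings


def api_is_unauthenticated(host, port=2375, timeout=3.0):
    """Return True if a plain-HTTP GET /_ping to host:port is answered with 'OK'.

    After remediation this should return False: the port is closed or
    filtered, or the daemon speaks only TLS and drops the plaintext request.
    """
    url = f"http://{host}:{port}/_ping"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().strip() == b"OK"
    except (URLError, http.client.HTTPException, OSError, ValueError):
        return False


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(text) or 'no findings'}")
    # Assumed host name; replace with the daemon host being verified.
    print("plain HTTP still answered:", api_is_unauthenticated("docker-host.example", 2375))
```

Run the audit against the real /etc/docker/daemon.json by reading the file into audit_daemon_config; the probe should be run from a network position that could reach the API before remediation, since a False result from a host that was never able to connect proves nothing.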
