Risk of Docker backdoor allowing impersonation

I am a junior web developer. All I know is mostly about web development. I have no skills and knowledge about system security and know little about Linux.

I work in a company which is developing some embedded product. In the R&D department, some developers built a build-server for development. They make our own Docker image and run Docker, including CI/CD and Gitlab service, in this server.

This build-server connects with our AD server. Our developer could add his own public Key to this server and then remotely log in to this server with SSH and doing development in this server. We call it DevOps.

This server only works in our company’s intranet or VPN, not open for public Internet.

The above is all background information.


A few months ago I read some IT security blogs about Docker security issues. It says that because the architecture of Docker is different from traditional VM, if the Docker image is backdoored, then the whole system will be easily hacked.

If I suppose that the person who built this build-server is not a good guy, and he backdoored the Docker images, is it possible that my account in this build-server could be hacked or usurped?

I mean even I use the public key and SSH login, without typing the password manually. Does this risk still exist?

Second question: if the first question above is TRUE, what could I do to protect my self?

I mean, if the bad guy usurped my account and did something bad thing (for example, leaking development codebase of company using my account or doing other attacks using my account), how could I prove I am innocent?

I can not discuss these suspicions thinking with my colleague because I have no evidence about those things. I just worry about these becoming true, so I want to do something to prevent, just in case. I also have no authorization to check or validate the server.

What could I do? Backup my login logs of my laptop periodically? (But it seems irrelevant to the build-server.)

here is solutions:

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Solution 1

If I suppose that the person who built this build-server is not a good guy, and he backdoored the Docker images, (…)

If the administrator of the server is malicious, he could have backdoored it so that he knows every interaction you do with its service (including passwords entered there).

I mean even I use the public key and SSH login, without typing the password manually. Does this risk still exist?

A public key SSH login cannot be man-in-the-middled. There is no password that can ve reused. The server knows the public part of your ssh keys, and verifies that you have knowledge of the private one.

if the bad guy usurped my account and did something bad thing (for example, leaking development codebase of company using my account or doing other attacks using my account), how could I prove I am innocent?

Note that in your scenario he would only have access to your account in that server.


Please note that it is highly unlikely that this is going on. On every company there are system administrators (someone needs to make sure that thinks work!), and they could theoretically backdoor the systems. But this doesn’t mean they do. It would in fact be quite risky for them should they be caught. Your company should provide you a safe environment to work, and if they considered that it is safe to give access to X guy, and that turned out to be a bad idea, it’s really your company’s fault. If you showed that other people had access to your account (not by your fault, though!), that should show that it is not necessarily you who did “that very wrong thing” (an actual case would probably require a lot more detail than just looking at the account user, probably requiring a forensic analysis, etc.).

Also note that it is also possible that guy X is doing things they are not supposed to, or even breaking some internal company rules, such as storing passwords of other employees. In that case, if you found out, there should be some high-level position (an internal security team? the CISO?) to which it could (should) be reported.

Obviously, if a system may be controlled by other users, don’t store anything confidential there, avoid entering your credentials on it, etc.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply