Detected Linux/Hildegard.A!MTB in drone/drone-runner-docker:1

Hi

Have tried to backup my docker images and Windows Defender flagged the following in a docker image archive for the following image

drone/drone-runner-docker      1           56dddb548a45

The current existing image, 7b3d49b4424c, on dockerhub, is also having the same scan result.

  1. May I seek clarification why it is flagged?

  2. How should users respond to this flagged issue?

  3. As drone-runner docker container has access to /var/run/docker.sock, is there any risk of remote execution?

Thanks

Update #1
I have also submitted the docker image tar for scanning on virus-total, 16 providers flagged threats in the submitted file. Refer to VirusTotal

This looks like a false positive where tmate is being flagged by your scanner.

Tmate is a remote session tool that is included in the docker image. It facilitates our remote debugging feature which you can read more about here:
https://discourse.drone.io/t/feature-preview-debug-mode/8344

Tmate is a legitimate tool and is used by other CI providers like Travis:
https://docs.travis-ci.com/user/running-build-in-debug-mode/#connecting-to-the-job-running-in-the-debug-mode

If you look at the Virus Total dashboard you provided you can see that many providers are flagging as a potential threat and not a virus (Not-a-virus:HEUR:RemoteAdmin.Linux.Tmate.a). This makes sense because although Tmate is a legitimate tool with legitimate uses, attackers bundled Tmate with trojan malware for its reverse shell capabilities [1], hence why it is flagged as a potential threat.

[1] Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes

1 Like

Hi

Will harness consider releasing a version (maybe production) of docker runner, that do not deliver with tmate in it?

It might be difficult to justify to IT security department in the case which we are supposed to use them in a production (not leveraging debugging) environment, and prefer less attacking vector if possible.

Regards
kytay

I understand the concern, but can re-assure that the existence of this binary does not expose an attack vector.

I recommend reaching out to the vendor that provides your scanning service and alerting them that they are flagging false positives and identifying tmate as a potential threat, despite being legitimate software. Otherwise I am sure your corporate security team understands that sometimes these scanning services flag false positives, in which case exceptions need to be made.

Will harness consider releasing a version of docker runner, that do not deliver with tmate in it?

Alternatively the source code is public, which means you can build from source and remove the tmate binary from the dockerfile [1][2]. Or in lieu of building from source, you may be able to use our official docker image as a base when building and publishing your own custom image:

FROM drone/drone-runner-docker:1-linux-amd64 as drone

FROM scratch

ENV GODEBUG netdns=go
ENV DRONE_PLATFORM_OS linux
ENV DRONE_PLATFORM_ARCH amd64

COPY --from=drone /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=drone /bin/drone-runner-docker /bin/

LABEL com.centurylinklabs.watchtower.stop-signal="SIGINT"

ENTRYPOINT ["/bin/drone-runner-docker"]

NOTE: the above Dockerfile assumes your are using Linux amd64. The Dockerfile copies the runner binary from our official image into a scratch image (which is an empty image). This scratch image will not contain the tmate binary, which should prevent the image from being flagged by your scanner, but also means you will be unable to use Drone’s remote debugging feature.

[1] https://github.com/drone-runners/drone-runner-docker/blob/master/BUILDING.md
[2] https://github.com/drone-runners/drone-runner-docker/blob/master/docker/Dockerfile.linux.amd64

1 Like