Container Escape in Cockroachdb

Container escape in Cockroachdb environments typically occurs through exploitation of the database's interaction with the host filesystem and Docker runtime. The most common attack vectors target Cockroachdb's data directory mounting, node ID configuration files, and the database's ability to execute shell commands through SQL interfaces.

Attackers often exploit the fact that Cockroachdb nodes store sensitive configuration in plain text files within the container's filesystem. When these directories are mounted from the host, an attacker with SQL access can potentially read or modify these files using Cockroachdb's import and export functionalities, which can be abused to traverse the filesystem beyond the intended data directory.

A particularly dangerous pattern involves the crdb_internal.node_info system table, which exposes node configuration details including the store_id and store_path. An attacker can use this information to craft SQL queries that traverse parent directories, especially when combined with Cockroachdb's IMPORT statements that accept file paths.

Here's a concrete example of how container escape can manifest:

SELECT import INTO foo FROM '/proc/self/cwd/../../etc/passwd';

This query attempts to read the host's /etc/passwd file by leveraging Cockroachdb's import functionality to traverse outside the intended data directory. The success of such an attack depends on how the container's filesystem is mounted and whether Cockroachdb has been configured with appropriate path restrictions.

Another attack vector involves Cockroachdb's BACKUP and RESTORE commands. When these commands are configured to write to or read from host-mounted directories, an attacker can potentially manipulate the paths to access sensitive host files. For example:

BACKUP DATABASE bank TO 'file:///host/path/to/escape/../../etc/shadow';

The database's ability to execute shell commands through user-defined functions or extensions also presents a risk. While Cockroachdb doesn't natively support arbitrary shell execution, third-party extensions or misconfigured UDFs could provide this capability, allowing attackers to execute commands that escape the container.

Detecting container escape vulnerabilities in Cockroachdb requires a multi-layered approach that examines both the database configuration and runtime behavior. The first step is analyzing how Cockroachdb nodes are deployed and what filesystem permissions are granted.

middleBrick's scanner specifically targets Cockroachdb's attack surface by testing for path traversal vulnerabilities in IMPORT, EXPORT, BACKUP, and RESTORE operations. The scanner attempts to access known sensitive files outside the data directory using Cockroachdb's SQL interface, looking for successful reads or error messages that reveal filesystem structure.

Key detection patterns include:

• Testing IMPORT statements with parent directory traversal (../) sequences
• Attempting to access /proc filesystem entries to enumerate host processes
• Checking crdb_internal.node_info for exposed configuration paths
• Testing BACKUP path manipulation attempts

Here's an example of what middleBrick's detection engine tests:

-- Path traversal detection test
SELECT import INTO test FROM '/proc/self/cwd/../../../../etc/passwd';

-- Node info exposure test
SELECT store_path, store_id FROM crdb_internal.node_info;

-- Backup path manipulation test
BACKUP DATABASE system TO 'file:///tmp/../../../../etc/passwd';

The scanner also examines Cockroachdb's configuration files for overly permissive settings. Configuration files like cockroach.conf or environment variables that control filesystem access are analyzed for dangerous defaults. middleBrick specifically looks for:

• Absence of --external-io-dir restrictions
• Unrestricted COCKROACH_USER permissions
• Missing COCKROACH_SECURE_ENCLAVE settings

Runtime detection involves monitoring for unusual SQL patterns that suggest exploitation attempts. middleBrick's LLM/AI security module includes specific checks for SQL injection patterns that could lead to container escape, analyzing query structures for path traversal indicators and unusual file access attempts.

Remediating container escape vulnerabilities in Cockroachdb requires a defense-in-depth approach that combines configuration hardening, filesystem restrictions, and SQL-level controls. The most effective remediation starts with proper container deployment practices.

First, always use Cockroachdb's --external-io-dir flag to restrict filesystem access to specific directories. This flag limits where IMPORT, EXPORT, BACKUP, and RESTORE operations can read from or write to:

# Start Cockroachdb with restricted filesystem access
cockroach start \
--external-io-dir=/var/lib/cockroach/io \
--store=/var/lib/cockroach/data \
--log-dir=/var/lib/cockroach/logs

Second, implement filesystem permissions that prevent container processes from accessing host files outside the intended directories. Use Docker's --read-only flag and mount only necessary volumes:

# Docker run command with security best practices
docker run -d \
--read-only \
--volume /var/lib/cockroach/data:/cockroach/cockroach-data:rw \
--volume /var/lib/cockroach/io:/io:rw \
--volume /var/lib/cockroach/logs:/logs:rw \
--user 999:999 \
cockroachdb/cockroach:latest start

Third, use Cockroachdb's SQL-level security features to prevent unauthorized file access. Create a security schema that restricts dangerous operations:

-- Create a restricted user with limited permissions
CREATE USER restricted_user WITH PASSWORD 'strong_password';

-- Revoke dangerous privileges
REVOKE ALL ON SCHEMA public FROM restricted_user;
REVOKE ALL ON DATABASE system FROM restricted_user;

-- Create a secure schema for allowed operations
CREATE SCHEMA secure_operations;
GRANT USAGE ON SCHEMA secure_operations TO restricted_user;

-- Only allow specific, safe operations
GRANT EXECUTE ON FUNCTION import_csv TO restricted_user;
GRANT EXECUTE ON FUNCTION export_csv TO restricted_user;

Fourth, implement network-level controls to prevent lateral movement. Use Cockroachdb's --host and --port flags to bind only to necessary interfaces, and combine with Docker's network isolation:

# Bind to specific interface and use network isolation
docker run -d \
--network cockroach-net \
--ip 172.20.0.10 \
--publish 26257:26257 \
--publish 8080:8080 \
cockroachdb/cockroach:latest start --host=172.20.0.10

Finally, implement regular security scanning with middleBrick to detect configuration drift and new vulnerabilities. The scanner can be integrated into your CI/CD pipeline to automatically test for container escape vulnerabilities before deployment:

# GitHub Action workflow for continuous security scanning
name: Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Run middleBrick scan
      run: |
        npm install -g middlebrick
        middlebrick scan https://cockroachdb.example.com:26257 --output security-report.json
    - name: Fail on high severity findings
      run: |
        if jq '.risk_summary.severity ==