ECS task definition has 'NET_RAW' capability Affecting ECS service in AWS


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Containers / Capabilities

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CSA-CCM NIST-800-53 PCI-DSS
  • Snyk ID SNYK-CC-00108
  • credit Snyk Research Team

Description

ECS task definitions should not add Linux capabilities beyond defaults and should drop 'NET_RAW'. Adding capabilities allows users to grant some superuser permissions to a process without running that process as root. Either drop 'NET_RAW' and do not add any other capabilities, or drop 'ALL' and only add back the capabilities that you need.

How to fix?

In the container_definitions block, set linuxParameters.capabilities.drop to include NET_RAW or ALL. If set to ALL, ensure NET_RAW is not included in linuxParameters.capabilities.add.

Example Configuration

resource "aws_ecs_task_definition" "valid_drop_net_raw_only" {
  family = "valid_drop_net_raw_only"

  container_definitions = <<EOF
[
  {
    "name": "valid_drop_net_raw_only",
    "image": "hello-world",
    "memory": 128,
    "linuxParameters": {
      "capabilities": {
        "drop": ["NET_RAW"]
      }
    }
  }
]
EOF

  requires_compatibilities = ["EC2"]
}

References