Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-24961: Should you expose Portainer (or Agent) to the Internet??

In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.

CVE
#google#git#kubernetes

Should you expose Portainer (or Agent) to the Internet??

by Neil Cresswell, on December 19, 2021

This is a question we get asked over and over, and its likely that for the 10 that ask the question, there are another 1000 that dont ask, and just do…

So, should you expose Portainer (or our agent) to the Internet…

Well, if you want the short answer, its NO… but for the longer answer, read on.

Portainer is an administrative tool with a very high degree of privilege and access to your container environent; as a result, access TO Portainer itself should be strictly controlled. If you are familiar with VMware, ask yourself, would you expose vCenter direct to the internet? I think not. How about your Cloud Provider portals, would you expect the cloud provider to allow logins without some form of 2 factor authentication in front of their UI or API? Nope…

Its with shock that we note the Shodan.io tool lists 5,710 instances of the Portainer Agent exposed to the internet, and a staggering 31,677 instances of Portainer itself. Remember this tool also shows the IP addresses listening on these Ports, so think long and hard as to whether you want/need your instances public.

Portainer has two agents; our standard agent, and our edge agent (as shown below).

The standard Agent is designed for use WITHIN YOUR LAN/WAN, and the Edge Agent is designed to manage container environments connected to the public internet. If you are using our standard agent, and you have exposed it to the internet (by publishing port 9001 publically), then might we suggest that you rethink this strategy. If nothing else, you should have a firewall ACL in place that only allows access to port 9001 from trusted IPs (namely, the public IP of your Portainer instance). If you have 9001 exposed to the internet without any form of protection, you need to reconsider.

The Edge agent does not require ANY inbound ports, as it connects back to Portainer over the internet using a secure tunnel… This is why its recommended whenever you have container environments remote that you need to connect to over the internet.

Now, in regards to exposing Portainer (HTTP:9000 / HTTPS:9443); please make sure you are using our External Authentication capability and integrate Portainer with a trusted authentication provider that includes 2FA (eg Github Auth, Google Auth, Azure Auth)… you should never rely on JUST a password for something as critical as Portainer. This external auth is included for free in Portainer CE (oAUTH, Custom) - see docs.portainer.io if you need guidance on how to configure this.

In an upcoming version of Portainer (2.11.1) we will be making (likely breaking) changes to the regular agent to bolster its security, as we need to provide additional protection for those not following the above recommendations.

Neil

Interested in running Portainer in a business environment?

Portainer Business is our fully featured, fully supported business product. It is used by some of the largest organizations in the world to deliver a powerful self-service container management experience for developers and IT teams. With more than 500,000 active users, Portainer is proven to be the simplest and most effective way of managing Docker, Swarm, and Kubernetes environments.

GET 5 NODES OF PORTAINER BUSINESS FREE

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907