• by benjiro on 3/29/2025, 1:06:33 AM

    An interesting analysis of an intrusion capability, which seems to draw the wrong conclusion:

    > What is really important (and documented)6 is that this registration does not persist across reboots of the portainer agent. This effectively means that a portainer agent with its port 9001 exposed may be taken over after a reboot if an attacker connects before the legitimate Portainer server.

    What the documentation really states:

    > For security reasons, the Edge server UI will shutdown after 15 minutes if no key has been specified. The agent will require a restart in order to access the Edge UI again.

    In other words, if a user installs the Edge Agent and does not connect to it, it will shut down after 15 minutes. And if a server or the docker agent restarts, it will again be exposed for 15 minutes.

    In non-agent mode, the agent will use a digital signature or secret for communication.

    If it was registered, it does not lose its persistent registration on a reboot (of the portainer agent). The author seems to have mixed up a few things.

    Yes, if you install the portainer agent and never register it, it's exposed for a while, and IF you reboot your server/docker agent, it will again be exposed (for a while). But it's not exposed if it was properly registered and the server/agent is rebooted.

    For the rest, an interesting article on the infection.