...

/container

Disclaimer


Warning
  • you need physical access to the router to enable support for the container feature; it is disabled by default;
  • once the container feature is enabled, containers can be added/configured/started/stopped/removed remotely!
  • if the router is compromised, containers can be used to easily install malicious software on your router and over the network;
  • your router is as secure as anything you run in a container;
  • if you run a container, there is no security guarantee of any kind;
  • running a 3rd party container image on your router could open a security hole/attack vector/attack surface;
  • an expert with knowledge of how to build exploits will be able to jailbreak/elevate to root;



Security risks:

  • when a security expert publishes their exploit research, anyone can apply such an exploit;
  • someone will build a docker image that will do the exploit AND provide a Linux root shell;
  • by using a root shell, someone may leave a permanent backdoor/vulnerability in your RouterOS system even after the docker image is removed and the container feature is disabled;
  • if a vulnerability is injected into the primary or secondary RouterBOOT (or vendor pre-loader), then even Netinstall may not be able to fix it;

...