All current Docker versions contain a vulnerability that could allow an attacker to gain root-level system access. But both Docker and the security researcher who discovered the issue disclosed the flaw without a patch being made public.
Aleksa Sarai, senior software engineer on the containers team for SUSE Linux, discovered and reported the issue to the Docker security team last year and publicly disclosed the flaw on May 28. According to Sarai, while a successful exploit of the Docker vulnerability (CVE-2018-15664) would be quite difficult, it could give an attacker "read and write access to any path on the host."
"I get a <1% chance of hitting the race condition (my attack script is quite dumb, it's possible with better timing you'd be able to hit the race window much more effectively)," Sarai wrote in his disclosure. "However <1% still means it only takes 10s [seconds] of trying to get read access to the host with root permissions."
Sarai told us that, through discussions with the Docker security team, "there was some suspicion that a bug like this existed for quite some time." The decision was therefore made to publish the disclosure even though the fix is still under review and has not yet been merged into Docker.
"As for why the [proof-of-concept] code was released alongside it, the description of the vulnerability would've explained how to exploit it, and the exploit code is not particularly complicated. As we saw with CVE-2019-5736, delaying the disclosure of [proof-of-concept] code didn't make a difference -- someone in the community uploaded their own variant of our exploit code on exploitdb the next day," Sarai wrote via email. "Not to mention that the exploit code was already written and had been distributed to several people for testing [via a SUSE bug report]. So, to follow Openwall disclosure guidelines, we released it publicly."
Jerry Gamblin, principal security engineer at Kenna Security, based in San Francisco, said the Docker vulnerability was "an interesting attack vector and a concern that should be patched."
"Because a victim would need to launch a container containing the attack at the same time they are starting a container that is using this command to copy sensitive data, it is unlikely this vulnerability would result in a real-world attack, however," Gamblin said.
Gamblin recently discovered that approximately 20% of the top 1,000 Docker containers listed in the Docker Store did not have root passwords set.
"The lack of root passwords on containers is a result of not following a best practice and can be quickly remediated," Gamblin wrote via email. "However, when you release a vulnerability with no publicly available fix, it introduces an unmitigatable risk into the environments of anyone running that software."
Sarai said that, although exploitation of the Docker vulnerability is unlikely, the only current protection is to not allow "docker cp," the utility that copies files between containers and the local file system, to be used on running containers.
"Unless you have some tool or service which exposes 'docker cp' to untrusted users, [the danger is] pretty minor. There should be some concern about all of the other users of FollowSymlinkInScope -- which could be vulnerable, depending on how it's used in each case -- but fixing that is significantly more complicated than 'docker cp,'" Sarai said. "I am looking into it, but it requires a fair few internal things about how Docker treats container paths."
Docker did not respond to requests for comment, but did issue a statement to Duo Security, saying exploitation of this flaw "would only be possible if the container was already compromised" and docker cp was being used.
"Users can address the issue by manually running 'docker pause' before using 'docker cp' to copy files, and 'docker unpause' after the copy has been made," Docker said in the statement. "The issue will be remediated in the next monthly release by inserting a 'docker pause' automatically, which freezes the container when a copy is being made and prevents the container from modifying the data."
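The pause-copy-unpause workaround Docker describes, written up as a small shell wrapper. This is an added example, not code from the article or from Docker; it assumes the `docker` CLI is on `PATH`, and the function name `paused_docker_cp` is ours. It also covers the two cases the statement leaves implicit: a container that is not running (no pause needed) and a copy that fails (the container must still be unpaused).

```shell
#!/bin/sh
# Added example, not code from the article or from Docker. It applies the
# workaround Docker describes: freeze the container with "docker pause" for
# the duration of "docker cp", so the container cannot swap a path component
# for a symlink while the copy is resolving paths, then "docker unpause" it,
# even when the copy fails. "docker inspect -f '{{.State.Status}}'" is used
# to decide whether pausing is needed; the wrapper function name is ours.
#
# Usage: paused_docker_cp <container> <path-in-container> <host-destination>
# (copies container -> host, the direction the article discusses).

paused_docker_cp() {
    container="$1"
    src="$2"
    dest="$3"

    # Only a running container has live processes that can race the copy.
    state=$(docker inspect -f '{{.State.Status}}' "$container") || return 1

    if [ "$state" != "running" ]; then
        # Stopped or already paused: no process can modify the filesystem
        # during the copy, and we must not unpause a container we did not
        # pause ourselves. Plain copy.
        docker cp "$container:$src" "$dest"
        return $?
    fi

    docker pause "$container" || return 1

    # Run the copy in a form that "set -e" cannot abort, so the container
    # is always unfrozen afterwards, whatever the copy's result.
    if docker cp "$container:$src" "$dest"; then
        rc=0
    else
        rc=$?
    fi

    docker unpause "$container" || return 1
    return $rc
}
```

The wrapper returns the exit status of `docker cp` itself, so a failed copy is still reported after the container has been unpaused.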
Torsten George, cybersecurity evangelist at Centrify, based in Santa Clara, Calif., praised the work done by Sarai.
"Anytime hackers are offered the opportunity to exploit root privileges, which represent the 'keys to the kingdom,' you have to talk about a significant vulnerability," George said. "In the case of [this Docker vulnerability], it appears that the security researcher Aleksa Sarai acted very responsibly, as he approached the impacted vendor with his findings. He even provided a proposed patch to the vendor, which is still undergoing code review. Only after seeking approval from the vendor did he make his findings public."