Researcher Describes Docker Vulnerability
No Patch Available Yet, But Exploiting the Flaw Would Be 'Challenging'
A security researcher has found a significant flaw in all versions of Docker, the open source container platform, that can give an attacker who controls a container read and write access to arbitrary files on the host with the privileges of the Docker daemon, which runs as root. That is enough to execute arbitrary code on the host.
As of now, there is no fix for the vulnerability, which has been assigned CVE-2018-15664, and proof-of-concept exploit code is already public: Aleksa Sarai, a senior software engineer with SUSE Linux GmbH who found the flaw, released it alongside his Tuesday write-up.
Still, the Docker community decided to allow Sarai to publish his finding this week while a patch is being developed.
Containers, which have grown in popularity with developers over the last several years, are a standardized way to package application code, configuration and dependencies into a single object, according to Amazon Web Services.
The flaw that Sarai describes is in Docker's FollowSymlinkInScope function, which resolves a path as though the container's root filesystem were the root of the whole filesystem, so that a symlink inside the container cannot point at a host file. Sarai found that the daemon resolves and checks the path first and only later operates on it, which leaves the symlink resolution open to a time-of-check to time-of-use, or TOCTOU, race.
A TOCTOU race condition arises when two or more concurrent processes operate on a shared filesystem, as Carnegie Mellon University's CERT guidance describes. An attacker modifies what a path refers to after the program has resolved and verified it but before the program operates on it, so the operation lands on a resource that never passed the check. In Docker's case, a process inside the container can replace a directory in the path being copied with a symlink after FollowSymlinkInScope has resolved it, and the daemon, running as root on the host, then follows that symlink out of the container.
"If attackers can modify a resource between when the program accesses it for its check and when it finally uses it, then they can do things like read or modify data, escalate privileges, or change program behavior," Kelly Shortridge, vice president of product strategy at Capsule8, a security company that focuses on containers, writes in a blog about this Docker vulnerability. "This is bad news for organizations looking to uphold confidentiality and integrity of their data," Shortridge adds.
Certain conditions, however, have to be in place for this attack to work. The attacker needs code running inside the container, whether from a malicious image or a compromised process, and a host administrator has to run "docker cp", the command that copies files and directories between a container and the host, against that container while the attacker's process is waiting to win the race. The attacker cannot trigger the copy remotely; the flaw is exploitable only when someone on the host performs it.
Additionally, the Docker daemon has to be running without a mandatory access control profile, such as AppArmor, that restricts which host files it may touch.
"As far as I'm aware, there are no meaningful protections against this kind of attack (other than not allowing 'docker cp' on running containers - but that only helps with this particular attack through FollowSymlinkInScope)," Sarai writes. "Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem."
Security experts caution that companies using containers as part of their software development cycle should heed this warning because no patch is in place.
"There is no fix for this issue from Docker yet, and there aren't any other default protections that could really help with this attack beyond banning specific risky utilities within running containers (such as 'docker cp')," Shortridge writes. "There are patches in the works, but it could take a while before a safe version of Docker is available. Thus, for organizations using Docker, you can tap the panic button on this one."
In recent months, several incidents have shown why this type of technology is subject to attacks.
In February, two researchers found a flaw in runc, the lightweight tool that spawns and runs containers. A malicious container image, or an attacker who had already compromised a running container, could exploit it to overwrite the host's runc binary and execute arbitrary code as root on the host (see: Major Flaw in Runc Poses Mass Container Takeover Risk).
Red Hat, Google, Amazon and other tech firms issued a series of emergency fixes at the time.
Then, in April, Docker was forced to notify users that a hacker briefly had access to sensitive data from 190,000 Docker Hub accounts (see: Docker Hub Breach: It's Not the Numbers; It's the Reach).
While containers are gaining in popularity with developers, security concerns such as the TOCTOU disclosure this week and the other flaws and breaches that happened earlier this year are evidence that attackers are eyeing possible exploits within containers, says Wei Lien Dang, vice president of product at StackRox, a security firm that specializes in containers and Kubernetes.
"As adoption of the cloud-native stack increases, we anticipate seeing more vulnerabilities like this Docker bug come to light," Dang tells Information Security Media Group, referring to the TOCTOU bug.
"In this case, the rate of success of exploiting this bug is extremely low - some estimates place it at around 1 percent," Dang adds. "The choice Docker made to agree to public disclosure prior to having a patch ready highlights that Docker is confident successful exploitation is challenging. We expect Docker will patch the bug shortly and real-world problems will be very rare."