SecurityWeek

Cloud Security

Docker Vulnerability Gives Arbitrary File Access to Host

A newly disclosed vulnerability in Docker could be exploited by a malicious attacker to escape the container and gain arbitrary read/write file access on the host with root privileges.

Tracked as CVE-2018-15664, the flaw is a time of check to time of use (TOCTOU) bug. Such issues are a subset of race condition vulnerabilities that are caused by a mismatch between the conditions when a resource is checked and when it is used by an application. 

Such bugs allow attackers to modify a resource in this interval to read or modify data, escalate privileges, or cause the application to behave differently.  

The vulnerability impacts all Docker versions and resides in the FollowSymlinkInScope function, which was meant to resolve paths safely as though they were inside the container, explains Aleksa Sarai, Senior Software Engineer (Containers) at SUSE Linux.

After being resolved, the path “is passed around a bit and then operated on a bit later,” Sarai notes. Thus, if an attacker can add a symlink component to the path in this interval, the symlink path component could end up being resolved on the host as root. 

In the case of ‘docker cp’, the path is opened when creating the archive that is streamed to the client and the vulnerability could provide read *and* write access to any path on the host.

“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing ‘docker cp’ on running containers — but that only helps with this particular attack through FollowSymlinkInScope),” Sarai notes.

The issue, the engineer explains, can affect the host filesystem unless the Docker daemon is confined by AppArmor.
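To make the check-then-use gap concrete, the following is an added Go example; it is not Docker's code and not the upstream patch the article mentions. resolveInScope plays the role of the in-scope check, window stands in for the interval in which another actor swaps a directory component for a symlink, and verifyFd=true shows one mitigation pattern: inspect what was actually opened (via /proc/self/fd on Linux) instead of trusting the earlier string check. The function names and the temporary-directory scenario are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("path escapes scope")

// inScope reports whether abs lies under root; both must already be symlink-free.
func inScope(root, abs string) bool {
	return abs == root || strings.HasPrefix(abs, root+string(os.PathSeparator))
}

// resolveInScope is the "check": resolve every symlink in root/rel and confirm the
// result still lies under root (root itself must be symlink-free; resolve it first).
func resolveInScope(root, rel string) (string, error) {
	p, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err == nil && !inScope(root, p) {
		err = ErrEscape
	}
	return p, err
}

// readInScope is the "use". window is the gap between check and use, in which another
// actor may swap a directory component of p for a symlink. verifyFd=false trusts the
// resolved string (the vulnerable pattern); verifyFd=true inspects the opened descriptor
// via /proc/self/fd (Linux), which names the object actually opened, whatever later swaps happen.
func readInScope(root, rel string, window func(), verifyFd bool) ([]byte, error) {
	p, err := resolveInScope(root, rel)
	if err != nil {
		return nil, err
	}
	window()
	f, err := os.Open(p) // any symlink now present in p is followed here
	if err != nil {
		return nil, err
	}
	defer f.Close()
	if verifyFd {
		actual, err := os.Readlink(fmt.Sprintf("/proc/self/fd/%d", f.Fd()))
		if err != nil || !inScope(root, actual) {
			return nil, ErrEscape
		}
	}
	return io.ReadAll(f)
}
```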

Sarai presented two reproducers of the issue, both of which include a Docker image containing a simple binary that attempts to hit the race condition. One of the scripts, run_read.sh, has a <1% chance of hitting the race condition, while the other, run_write.sh, can overwrite the host filesystem in very few iterations. 

“The scripts will ask for sudo permissions, but that is only to be able to create a ‘flag file’ in /. You could modify the scripts to target /etc/shadow instead if you like,” Sarai explains.

A patch has been submitted upstream, but it might take a while before the issue is resolved for users. 

Related: No Root Password for 20% of Popular Docker Containers

Related: Docker Hub Breach Hits 190,000 Accounts

Related: Exploit Code Published for Recent Container Escape Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.