194 of The Top 1000 Docker Containers Don’t Have Root Passwords

Cisco Talos' discovery that the Alpine Linux distribution Docker image came with a blank root password (CVE-2019-5021) led to the discovery that 194 of the top 1000 most popular Docker containers also have no root passwords.

As part of their report, Cisco Talos' researchers said that "The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilize Linux PAM [Pluggable Authentication Modules], or some other mechanism which uses the system shadow file as an authentication database."

This shows that even if a Docker container does come with a blank root password, potential attackers might be able to exploit this flaw only if a very specific combination of requirements is met.

The Docker containers with no root passwords were found by Kenna Security's principal security engineer Jerry Gamblin after he decided to scan the 1000 most popular containers with the end goal of finding out if there were other passwordless containers.

The custom script used for finding null-root containers, which checked each container's /etc/shadow file for the string "root:::0:::::", allowed him to discover that 194 of the 1000 most popular containers on the Docker store come with root accounts that have no password, many of them with over 10 million downloads and hundreds of stars.
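The check Gamblin's script performs, and the condition Talos describes (an empty password field in the shadow file, which only matters when PAM or a similar mechanism consults that file), as an added example that is not the researcher's script: it classifies shadow entries by their password field, so it generalizes the literal "root:::0:::::" match to any account whose second field is empty. The sample shadow content is constructed, and the image-check helper assumes a local docker CLI.

```shell
#!/bin/sh
# Added example: inspect /etc/shadow entries for accounts that can be
# authenticated with an empty password, the condition behind CVE-2019-5021.

# Constructed sample shadow content (not taken from any real image): an empty
# root password, two locked accounts, a hashed password and a second
# passwordless account whose other fields are populated.
SAMPLE_SHADOW='root:::0:::::
bin:!::0:::::
daemon:*:17000:0:99999:7:::
app:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:17800:0:99999:7:::
guest::17800:0:99999:7:::'

# Classify one shadow line by its password field: empty means no password,
# a leading "!" or "*" means the account is locked, anything else is a hash.
classify_shadow_line() {
    printf '%s\n' "$1" | awk -F: '{
        if ($2 == "")          print $1 ": EMPTY (no password)"
        else if ($2 ~ /^[!*]/) print $1 ": locked"
        else                   print $1 ": hashed"
    }'
}

# Read shadow content on stdin and print, space-separated on one line, every
# account whose password field is empty (a field test, so it also catches
# entries that the literal "root:::0:::::" match would miss).
passwordless_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { out = out (out == "" ? "" : " ") $1 }
             END { print out }'
}

# Exit 0 when the root entry read on stdin has an empty password field.
root_is_passwordless() {
    awk -F: '$1 == "root" && $2 == "" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Check an image without starting its service: override the entrypoint so the
# container only prints its shadow file. Assumes a docker CLI; not invoked here.
check_image() {
    docker run --rm --entrypoint cat "$1" /etc/shadow | passwordless_accounts
}

printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
    classify_shadow_line "$line"
done
printf 'passwordless: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | passwordless_accounts)"
if printf '%s\n' "$SAMPLE_SHADOW" | root_is_passwordless; then
    echo "root has an empty password field; exploitable only if PAM permits it"
fi
```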

Gamblin published a sorted list of all Docker containers found to have no root passwords, as well as the full list of containers checked using the script.

"In all, on Saturday, May 18th, when I ran the script, 194 of the most popular containers had nulled root passwords. Some of the most known names of that list being govuk/governmentpaas, hashicorp, microsoft, monsanto, and mesosphere. kylemanna/openvpn is the most popular container on the list and it has over 10,000,000 pulls," stated the researcher in his analysis.

Configuration-based security concerns

Allowing users to log in as root without needing a password drastically increases the possibility of exposing the system to a security breach.

"Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system," said Gamblin.

Docker containers which get breached have been used as part of cryptojacking campaigns as far back as 2018, with multiple instances of cryptocurrency-mining malware being deployed on vulnerable, publicly exposed or misconfigured Docker services [1, 2, 3, 4, 5].

Deploying them with passwordless root accounts definitely increases the risk that the cloud environments they run in will be compromised and subsequently abused as part of similar malicious campaigns, if the exposed service or app comes with a vulnerable configuration.
