Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked


Alpine Linux Docker images available via the Docker Hub contained a critical flaw allowing attackers to authenticate on systems using the root user and no password.

For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned from the images.

Affected versions of Alpine Linux Docker distros include 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9 Alpine Docker Edge, according to Cisco Talos researchers who discovered the bug, tested each version and released their findings on Wednesday. Vulnerable Alpine Linux Docker images have been available via the official Docker Hub portal since late 2015.

“This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user,” according to the Common Vulnerabilities and Exposures description.

The “empty password in configuration file” bug (CVE-2019-5021) has a critical CVSS rating of 9.8.

The vulnerability dates back to 2015 when it was originally identified and patched. However, weeks after a fix was deployed, further “regression” tests associated with the bug were conducted. Unfortunately, those tests inadvertently “removed this ‘disable root by default’ flag from the ‘edge’ build properties file, reintroducing this issue to subsequent builds,” Cisco Talos researchers wrote.

The Cisco Talos team publicly revealed its research on Wednesday, having disclosed it privately to stakeholders in February. “It was discovered that this issue was also reported and made public in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco,” researchers wrote.

The impact of the bug may be limited, according to some users chiming in on GitHub. One such user, Tianon Gravi, pointed out: “No currently supported Alpine images are affected (all affected images are [end of life]), the attack vector is very narrow to begin with, and there are a couple other images we’re looking to fix (and updating our test to catch this more aggressively).”

Peter Adkins of Cisco Umbrella is credited with finding the bug.

Mitigation includes disabling the Docker images built using the affected versions as a base, Cisco Talos said. “The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database,” researchers said.
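The condition the CVE description refers to, an empty password field for root in the system shadow file, can be checked mechanically. The following is an added example, not code from Cisco Talos or the Alpine project: the function names and the sample file are constructed for illustration, and locking the account with `!` is shown as an assumed way to disable password login, not a step quoted from the advisory.

```shell
#!/bin/sh
# Added example: audit a shadow(5)-format file for empty password fields.

# Constructed sample: root has an empty password field, as the CVE describes.
sample_shadow() {
    cat <<'EOF'
# constructed sample, not taken from a real image
root:::0:::::
bin:!::0:::::
daemon:*::0:::::
app:$6$constructedsalt$constructedhash:18000:0:99999:7:::
EOF
}

# classify_shadow FILE -> one "<account> <state>" line per entry.
#   EMPTY  = no password needed, LOCKED = '!' or '*' prefix, HASHED = hash set
classify_shadow() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments, blank lines
        NF < 2         { print $1, "MALFORMED"; next }
        $2 == ""       { print $1, "EMPTY";  next }
        $2 ~ /^[!*]/   { print $1, "LOCKED"; next }
                       { print $1, "HASHED" }
    ' "$1"
}

# empty_password_accounts FILE -> prints offending accounts; status 1 if any.
empty_password_accounts() {
    found=$(classify_shadow "$1" | awk '$2 == "EMPTY" { print $1 }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# lock_empty_accounts FILE -> rewrites each empty password field to "!".
lock_empty_accounts() {
    tmp=$(mktemp) || return 1
    awk -F: 'BEGIN { OFS = ":" }
        !/^[ \t]*#/ && NF >= 2 && $2 == "" { $2 = "!" }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo: classify the constructed sample.
f=$(mktemp) && sample_shadow > "$f" && classify_shadow "$f"; rm -f "$f"
```

To audit an image, copy its `/etc/shadow` to a file first and pass that file to `empty_password_accounts`; the non-zero exit status makes the check usable as a build or CI gate.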
