All versions of Docker are vulnerable to serious flaw, but a patch is being reviewed
A researcher has discovered that all versions of Docker are currently vulnerable to an unpatched flaw that gives attackers both read and write access to any file on the host system.
The flaw was discovered by Aleksa Sarai, senior software engineer at SUSE Linux, who has discussed the issue with the Docker security team and has agreed it is reasonable to disclose it.
Docker has had a couple of issues recently. In February researchers uncovered a serious bug in Docker and other popular operating system-level virtualisation tools that could allow a malicious container to take over a host system.
Sarai revealed in his advisory on the matter that he has submitted a patch upstream for the flaw, but this patch is still undergoing a code review.
“The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack,” wrote Sarai. “The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client).”
“If an attacker can add a symlink component to the path *after* the resolution but *before* it is operated on, then you could end up resolving the symlink path component on the host as root,” he explained. “In the case of ‘docker cp’ this gives you read *and* write access to any path on the host.”
“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing ‘docker cp’ on running containers),” Sarai cautioned. “Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem – I haven’t verified if the issue is as exploitable under the default SELinux configuration on Fedora/CentOS/RHEL.”
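The check-then-use gap Sarai describes is easiest to see in a small, self-contained program. The following Go example is added here for illustration; it is neither Docker's code nor Sarai's patch, and the function names (resolveInRoot, readResolved, openNoFollowInRoot) are invented for this page. It assumes Linux, where openat(2) with O_NOFOLLOW refuses a symlink component with ELOOP. The first pair of functions reproduces the fragile pattern: resolve a path under a root, keep the result as a string, and open it later. The hardened function instead walks the path one component at a time relative to a directory file descriptor and never follows symlinks, so there is no window between the check and the open. As a simplification it rejects symlinks outright rather than re-scoping them inside the root the way FollowSymlinkInScope is meant to.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// resolveInRoot is the "check" half of the fragile pattern: resolve symlinks
// and confirm the result stays under root. The result is only a string;
// nothing pins the filesystem state that the check observed.
func resolveInRoot(root, rel string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(rootReal, rel))
	if err != nil {
		return "", err
	}
	if resolved != rootReal && !strings.HasPrefix(resolved, rootReal+string(os.PathSeparator)) {
		return "", fmt.Errorf("%q resolves outside %q", rel, root)
	}
	return resolved, nil
}

// readResolved is the "use" half: it opens the string produced earlier. If a
// component has become a symlink in between, the kernel follows it here with
// the caller's privileges, and the earlier check no longer means anything.
func readResolved(resolved string) (string, error) {
	b, err := os.ReadFile(resolved)
	return string(b), err
}

// openNoFollowInRoot closes the gap: every component is opened with openat(2)
// relative to the previous directory descriptor and with O_NOFOLLOW, so a
// symlink that appears at any point is refused (ELOOP) instead of followed.
// ".." and absolute paths are rejected up front so the walk cannot leave root.
func openNoFollowInRoot(root, rel string) (*os.File, error) {
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
		return nil, fmt.Errorf("%q would leave the root", rel)
	}
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(rel, "/")
	for i, part := range parts {
		if part == "." || part == "" {
			continue
		}
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real directories
		}
		fd, err := syscall.Openat(dirfd, part, flags, 0)
		syscall.Close(dirfd)
		if err != nil {
			if errors.Is(err, syscall.ELOOP) {
				return nil, fmt.Errorf("component %q is a symlink, refusing: %w", part, err)
			}
			return nil, err
		}
		dirfd = fd
	}
	return os.NewFile(uintptr(dirfd), filepath.Join(root, rel)), nil
}

// readNoFollowInRoot reads a file through the hardened opener.
func readNoFollowInRoot(root, rel string) (string, error) {
	f, err := openNoFollowInRoot(root, rel)
	if err != nil {
		return "", err
	}
	defer f.Close()
	b, err := io.ReadAll(f)
	return string(b), err
}

func main() {
	// Constructed scenario in temporary directories: "root" plays the
	// container's view, "outside" plays a host path the root must not reach.
	root, _ := os.MkdirTemp("", "root")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	os.MkdirAll(filepath.Join(root, "data"), 0o755)
	os.WriteFile(filepath.Join(root, "data", "secret.txt"), []byte("in-root"), 0o644)
	os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("host-file"), 0o644)

	resolved, _ := resolveInRoot(root, "data/secret.txt") // check passes
	os.RemoveAll(filepath.Join(root, "data"))              // state changes after the check
	os.Symlink(outside, filepath.Join(root, "data"))
	got, _ := readResolved(resolved) // use follows the new symlink
	fmt.Println("resolve-then-open read:", got)
	_, err := openNoFollowInRoot(root, "data/secret.txt")
	fmt.Println("component-wise open:", err)
}
```

The naive check is not wrong at the instant it runs; what fails is trusting its result later. The hardened walk makes the check and the use the same system call, which is the property any fix for this class of bug needs. Kernels with openat2(2) and RESOLVE_IN_ROOT offer the same guarantee while still allowing symlinks scoped to the root.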
The flaw was picked up by a security expert, who said the case highlights the potential vulnerability of container frameworks.
“One of the security issues of containers is that if one container framework has a vulnerability, that single point of failure affects all the framework users,” explained Eoin Keary, CEO and co-founder of edgescan.
“Developers utilising the framework can’t be blamed, as the issue is foundational across all tenants,” said Keary. “Frameworks are components of an overarching system and, historically, component security is a significant point of weakness when it comes to the potential of a breach via hacking.”
Docker is an increasingly popular technology that began life as a container platform for Linux developers.
But now it allows all types of organisations to run applications, and it isn’t just a technology used by small companies. In fact, most adoptions are apparently by organisations that are monitoring 500 or more server hosts.
But implementing a system like Docker’s container platform can require certain skills, and so Docker is offering Docker EE that aims to remove some of the complexity for corporate implementations.
Essentially Docker EE is a package of tools available out of the box. It is designed to work across any supported Linux, Windows or cloud platforms, such as Microsoft Azure or AWS for example.
Last year Docker released a new version of its Enterprise Edition (Docker EE), which supported IBM Z and Windows Server 2016, and was touted as the first Containers-as-a-Service (CaaS) solution in the market.