A researcher has discovered that all versions of Docker are currently vulnerable to an unpatched flaw that gives attackers both read and write access to any file on the host system.

The flaw was discovered by Aleksa Sarai, senior software engineer at SUSE Linux, who has discussed the issue with the Docker security team and has agreed it is reasonable to disclose it.

Docker has had a couple of issues recently. In February researchers uncovered a serious bug in Docker and other popular operating system-level virtualisation tools that could allow a malicious container to take over a host system.

New flaw

Sarai revealed in his advisory on the matter that he has submitted a patch upstream for the flaw, but this patch is still undergoing a code review.

“The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack,” wrote Sarai. “The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client).”

“If an attacker can add a symlink component to the path *after* the resolution but *before* it is operated on, then you could end up resolving the symlink path component on the host as root,” he explained. “In the case of ‘docker cp’ this gives you read *and* write access to any path on the host.”

“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing ‘docker cp’ on running containers),” Sarai cautioned. “Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem – I haven’t verified if the issue is as exploitable under the default SELinux configuration on Fedora/CentOS/RHEL.”

Container security

The flaw was picked up by a security expert, who said the case highlights the potential vulnerability of container frameworks.

“One of the security issues of containers is that if one container framework has a vulnerability, that single point of failure affects all the framework users,” explained Eoin Keary, CEO and co-founder of edgescan.

“Developers utilising the framework can’t be blamed, as the issue is foundational across all tenants,” said Keary. “Frameworks are components of an overarching system and, historically, component security is a significant point of weakness when it comes to the potential of a breach via hacking.”

Popular tech

Docker is an increasingly popular technology that began life as a container platform for Linux developers.

But now it allows all types of organisations to run applications, and it isn’t just a technology used by small companies. In fact, most adoptions are apparently by organisations that are monitoring 500 or more server hosts.

But implementing a system like Docker’s container platform can require certain skills, and so Docker is offering Docker EE that aims to remove some of the complexity for corporate implementations.

Essentially Docker EE is a package of tools available out of the box. It is designed to work across any supported Linux, Windows or cloud platforms, such as Microsoft Azure or AWS for example.

Last year Docker released a new version of its Enterprise Edition (Docker EE), which supported IBM Z and Windows Server 2016, and was touted as the first Containers-as-a-Service (CaaS) solution in the market.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
