19% of the top Docker images don't have a root password

Last Saturday, May 18, Jerry Gamblin of Kenna Security checked the 1000 most popular images on Docker Hub for the password set on the root user. In 19% of cases it turned out to be empty.


Background with Alpine

The reason for the mini-study was the Talos Vulnerability Report published earlier this month (TALOS-2019-0782), whose authors, based on a discovery by Peter Adkins of Cisco Umbrella, reported that Docker images of the popular Alpine container distribution have no root password:

“Official versions of Alpine Linux Docker images (starting from v3.3) contain a NULL password for the root user. This vulnerability appeared as a result of a regression introduced in December 2015. Its essence boils down to the fact that systems deployed with problematic versions of Alpine Linux in a container and using Linux PAM or another mechanism that uses the system shadow file as a database for authentication can accept a null (NULL) password for the root user.”

The Alpine Docker image versions tested for the problem were 3.3 through 3.9 inclusive, as well as the latest edge release.

The authors made the following recommendation to affected users:

“The root account must be explicitly disabled in Docker images built from problematic versions of Alpine. The likely exploitation of the vulnerability depends on the environment, since its success requires an externally exposed service or application using Linux PAM or another similar mechanism.”

The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot), and owners of affected images were advised to comment out the root line in /etc/shadow or to make sure the linux-pam package is not installed.

Continued from Docker Hub

Jerry Gamblin decided to find out "how common the practice of using null passwords in containers might be." To do this, he wrote a small bash script whose logic is very simple:

  • a curl request to the Docker Hub API retrieves the list of Docker images hosted there;
  • jq sorts the results by the popularity field, and only the first thousand are kept;
  • each of them is fetched with docker pull;
  • for each image received from Docker Hub, docker run reads the first line of the file /etc/shadow;
  • if that string equals root:::0:::::, the image name is saved to a separate file.
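The check at the heart of that scan is a comparison against the root entry of /etc/shadow. The following POSIX shell function is an added example, not Jerry Gamblin's script: it classifies the root entry of a shadow file as empty (the "root:::0:::::" case from the post), locked, set, or missing (which is what a commented-out root line, one of the fixes Alpine advised, produces). The sample shadow files are constructed here for illustration; the docker run line in the trailing comment shows where the captured line would come from in a real image scan.

```shell
#!/bin/sh
# Added example: classify the root entry of an /etc/shadow file.
# The Alpine regression leaves the second field (the password hash) empty,
# which yields the "root:::0:::::" line the original scan matched on.
# Usage: shadow_root_status /path/to/shadow  -> prints empty | locked | set | missing

shadow_root_status() {
    # Take only the root entry; a commented-out line ("#root:...") does not match.
    line=$(grep '^root:' "$1" | head -n 1)
    [ -z "$line" ] && { echo missing; return 0; }
    # Field 2 of the colon-separated record is the password hash.
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '')         echo empty ;;   # NULL password: the vulnerable state
        '!'*|'*'*)  echo locked ;;  # account disabled, no password can match
        *)          echo set ;;     # a real hash is present
    esac
}

# Constructed sample shadow files (not taken from any real image).
TMP=$(mktemp -d)
printf 'root:::0:::::\nbin:!::0:::::\n' > "$TMP/shadow_empty"
printf 'root:!::0:::::\n' > "$TMP/shadow_locked"
printf 'root:$6$salt$hash:17000:0:99999:7:::\n' > "$TMP/shadow_set"
printf '#root:::0:::::\nbin:!::0:::::\n' > "$TMP/shadow_commented"

# In an image scan like the one described in the post, the same line would be
# captured from each pulled image, e.g. (hypothetical $image variable):
#   docker run --rm "$image" head -n 1 /etc/shadow > "$TMP/shadow_captured"
# and then classified with:  shadow_root_status "$TMP/shadow_captured"
shadow_root_status "$TMP/shadow_empty"
```

Anything other than "empty" is fine from the point of view of this particular regression; "empty" on an image that also ships linux-pam or another shadow-backed authentication path is the combination the Talos advisory describes.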

What happened? This file ended up with 194 lines, each naming a popular Docker image of a Linux system in which the root user has no password set:

“Among the most famous names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with over 10 million pulls.”

However, it is worth recalling that this phenomenon by itself does not mean a direct vulnerability in the security of the systems that use these images: it all depends on exactly how they are used (see the note on the Alpine case above). Still, we have seen the “moral of this story” many times: apparent simplicity often has a downside, which you should always keep in mind, taking its consequences into account in your own scenarios for using the technology.

Source: habr.com
