Vulnerabilities in Docker container image security scanners

Results have been published from testing tools that identify unpatched vulnerabilities and security issues in isolated Docker container images. The audit showed that 4 of the 6 well-known Docker image scanners examined had critical vulnerabilities that allow an attacker to attack the scanner itself and execute their own code on the system it runs on, in some cases (for example, with Snyk) with root privileges.

To attack, it is enough for an attacker to initiate a scan of a Dockerfile or manifest.json containing specially crafted metadata, or to place Podfile and gradlew files inside the image. Proof-of-concept exploits were prepared for WhiteSource, Snyk, FOSSA and Anchore. Clair, which was originally written with security in mind, proved the most secure; no problems were found in Trivy either. The conclusion was that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when connecting such tools to automated continuous integration systems.

In FOSSA, Snyk and WhiteSource, the vulnerability stemmed from calling an external package manager to determine dependencies, which made it possible to execute arbitrary code by placing system commands (for example, touch) in gradlew and Podfile files.
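To make the gradlew/Podfile class of bug concrete, the following added example (not code from the original article or from any of the scanners mentioned) unpacks a constructed image root containing a malicious gradlew and Podfile, shows that executing the image-supplied wrapper runs the attacker's command, and contrasts it with a scanner that refuses to execute image-supplied build scripts and instead extracts pod declarations statically. The marker-file payload, the file contents and the wrapper names in the untrusted list are assumptions for illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed attacker-controlled files, as they could be placed in an image layer.
# A Podfile is Ruby: CocoaPods evaluates it, so the system() call runs on load.
MALICIOUS_PODFILE = """\
platform :ios, '13.0'
system("touch /tmp/hacked_podfile")
target 'App' do
  pod 'Alamofire', '~> 5.2'
  pod 'SwiftyJSON', '5.0.0'
end
"""

# This gradlew only drops a marker next to itself; a real payload could do anything
# the scanner's user can do.
MALICIOUS_GRADLEW = """\
#!/bin/sh
touch "$(dirname "$0")/hacked_gradlew"
"""

# Matches `pod 'Name'` and `pod 'Name', 'version'` declarations only.
POD_RE = re.compile(r"""^\s*pod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?""")


def parse_podfile(text):
    """Static extraction of (pod, version) pairs. The file is read, never
    evaluated, so the system() line is not a pod declaration and is skipped."""
    deps = []
    for line in text.splitlines():
        m = POD_RE.match(line)
        if m:
            deps.append((m.group(1), m.group(2) or "*"))
    return deps


def write_image_root():
    """Lay out a fake unpacked image root in a temp dir (constructed input)."""
    root = Path(tempfile.mkdtemp(prefix="image-"))
    (root / "Podfile").write_text(MALICIOUS_PODFILE)
    (root / "gradlew").write_text(MALICIOUS_GRADLEW)
    return root


def unsafe_gradle_probe(root):
    """What the affected scanners effectively did: run the wrapper found in the
    image to ask it for the dependency tree. Returns True if the attacker's
    script ran, i.e. the marker file now exists."""
    subprocess.run(["sh", str(root / "gradlew"), "dependencies"], check=False, cwd=root)
    return (root / "hacked_gradlew").exists()


def safe_gradle_probe(root):
    """Hardened behaviour: report image-supplied build wrappers as untrusted and
    refuse to execute them. Dependency resolution then has to use a pinned
    toolchain from the scanner's own installation inside an isolated sandbox,
    or a static parser such as parse_podfile above."""
    untrusted = sorted(p.name for p in root.iterdir()
                       if p.name in ("gradlew", "gradlew.bat", "mvnw"))
    # Deliberately no subprocess call here: nothing from the image is executed.
    return untrusted, (root / "hacked_gradlew").exists()


if __name__ == "__main__":
    root = write_image_root()
    print("static Podfile deps:", parse_podfile(MALICIOUS_PODFILE))
    print("safe probe:", safe_gradle_probe(root))
    print("unsafe probe ran attacker code:", unsafe_gradle_probe(root))
```

The static Podfile parser is deliberately narrow: it recovers the dependency list the scanner actually needs while leaving every other Ruby statement unevaluated, which is the property an external package manager cannot give you once it loads attacker-supplied files.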

Snyk and WhiteSource additionally had vulnerabilities related to how system commands are launched when parsing a Dockerfile (for example, in Snyk a Dockerfile could replace the /bin/ls utility called by the scanner, and in WhiteSource code could be injected through arguments of the form "echo ';touch /tmp/hacked_whitesource_pip;=1.0 '").

The Anchore vulnerability was caused by its use of the skopeo utility to work with Docker images. The exploit consisted of adding parameters of the form '"os": "$(touch hacked_anchore)"' to the manifest.json file, which are substituted into the skopeo invocation without proper escaping (only the characters ";&<>" were stripped, but not the "$( )" construction).
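The following added example (not code from the original article, from Anchore, or from WhiteSource) reproduces the two argument-injection patterns above on constructed input: a manifest.json whose os field carries "$(touch hacked_anchore)" passes a blacklist that strips only ";&<>" and survives into a shell command string, and a pip-style package specifier like the WhiteSource one is rejected by a strict allowlist. The hardened versions validate the value against an allowlist and pass it as one argv element with no shell. The exact skopeo subcommand and flag position, the allowed OS values and the package-specifier grammar are assumptions for illustration.

```python
import json
import re

# Constructed manifest.json in the style of the Anchore finding.
MALICIOUS_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "architecture": "amd64",
    "os": "$(touch hacked_anchore)",
})
BENIGN_MANIFEST = json.dumps({"schemaVersion": 2, "architecture": "amd64", "os": "linux"})

# Constructed package specifier in the style of the WhiteSource pip finding.
MALICIOUS_PIP_SPEC = "echo ';touch /tmp/hacked_whitesource_pip;=1.0 '"


def blacklist_filter(value):
    """The vulnerable approach: drop a few shell metacharacters and hope.
    Command substitution $( ), backticks, pipes and quotes all survive."""
    return re.sub(r"[;&<>]", "", value)


def vulnerable_skopeo_command(manifest_json):
    """One shell string built by interpolation. Run with shell=True, the
    surviving $( ) is expanded by /bin/sh before skopeo ever sees it."""
    os_field = blacklist_filter(json.loads(manifest_json)["os"])
    return f"skopeo --override-os {os_field} inspect docker://example/image:latest"


def shell_would_expand(command):
    """True if a command substitution or variable expansion survived filtering."""
    return re.search(r"\$\(|`|\$\{", command) is not None


# Hardened: allowlist the value, then pass it as a single argv element (no shell).
ALLOWED_OS = frozenset({"linux", "windows", "freebsd", "darwin"})  # assumed allowlist


def safe_skopeo_argv(manifest_json):
    os_field = json.loads(manifest_json)["os"]
    if os_field not in ALLOWED_OS:
        raise ValueError(f"unexpected os in manifest: {os_field!r}")
    # A list passed to subprocess.run without shell=True is never re-parsed by a shell.
    return ["skopeo", "--override-os", os_field, "inspect", "docker://example/image:latest"]


# The same rule for package specifiers handed to pip. This is a deliberately
# restricted subset of PEP 508 (name plus optional ==version); anything else,
# including spaces and quotes, is rejected before any command is built.
PIP_SPEC_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(==[A-Za-z0-9.+!-]+)?$")


def safe_pip_argv(spec):
    if not PIP_SPEC_RE.match(spec):
        raise ValueError(f"invalid package specifier: {spec!r}")
    return ["pip", "download", "--no-deps", spec]


def rejects(fn, value):
    """Helper for checks: does fn refuse value with ValueError?"""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cmd = vulnerable_skopeo_command(MALICIOUS_MANIFEST)
    print("vulnerable command:", cmd)
    print("shell would expand it:", shell_would_expand(cmd))
    print("safe argv rejects manifest:", rejects(safe_skopeo_argv, MALICIOUS_MANIFEST))
    print("safe argv rejects pip spec:", rejects(safe_pip_argv, MALICIOUS_PIP_SPEC))
```

Note that the blacklist fails even without "$( )": backticks and "|" also pass through, which is why the fix is an allowlist plus argv construction rather than a longer list of banned characters.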

The same author conducted a study of how effectively Docker container security scanners detect unpatched vulnerabilities, and of their false-positive rate (Part 1, Part 2, Part 3). The results of testing 73 images containing known vulnerabilities are shown in the charts below, together with an assessment of how well the scanners detect typical applications present in the images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).

[Figure: scanner test results charts; alt text "Vulnerabilities in Docker container image security scanners"]

Source: opennet.ru