Last Saturday, May 18, Jerry Gamblin from Kenna Security checked 1000 of the most popular images on Docker Hub for the root password set in them. In 19% of cases it was empty.
Background with Alpine
The reason for the mini-study was the Talos Vulnerability Report published earlier this month (TALOS-2019-0782), whose authors, following a discovery by Peter Adkins of Cisco Umbrella, reported that Docker images with Alpine, a distribution popular for containers, have no root password:
“The official versions of Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability resulted from a regression introduced in December 2015. Its essence is that systems deployed with the problematic versions of Alpine Linux in a container and using Linux PAM or another mechanism that uses the system shadow file as the database for authentication can accept a null (NULL) password for the root user.”
The Alpine Docker image versions checked were 3.3 through 3.9 inclusive, as well as the latest edge release.
The authors gave the following recommendation to users affected by the problem:
“The root account must be explicitly disabled in Docker images built on the basis of the problematic versions of Alpine. The likelihood of exploiting the vulnerability depends on the environment, since its success requires an external service or application that uses Linux PAM or another similar mechanism.”
The problem was fixed in Alpine versions 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (20190228 snapshot), and the owners of the images exposed to it were asked to comment out the line with root in
or make sure that the
package is missing.
Continued with Docker Hub
Jerry Gamblin decided to find out “how common the practice of using null passwords in containers can be.” To do this, he wrote a small Bash script, the essence of which is quite simple:
- Docker Hub is asked, via a curl request, for the list of Docker images hosted there;
- with jq the list is sorted by the popularity field and the first thousand results are kept;
- for each of them, docker pull is run;
- for each image received from Docker Hub, docker run is executed to read the first line from the file
- if that line is root:::0:::::, the name of the image is saved to a separate file.
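As an added example (not Gamblin's script), the check below classifies the root password field of an image's /etc/shadow (the system shadow file the TALOS report refers to) instead of matching the literal string, so entries whose other fields differ, such as root::0:0:99999:7:::, are caught as well; it distinguishes an empty password from a locked account and a real hash. Reading the file through docker run with --user 0 and --entrypoint cat is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Jerry Gamblin's script). Reads an image's /etc/shadow
# and classifies the root password field rather than matching the literal
# string root:::0:::::, so entries such as root::0:0:99999:7::: are caught too.

# classify_root_password SHADOW_TEXT -> prints empty | locked | hashed | missing
classify_root_password() {
    # Shadow fields are colon-separated; field 2 holds the password hash.
    pw=$(printf '%s\n' "$1" |
        awk -F: '$1 == "root" { print $2; found = 1 }
                 END { if (!found) print "__missing__" }')
    case "$pw" in
        __missing__) echo missing ;;   # no root entry at all
        '')          echo empty  ;;    # NULL password: the TALOS-2019-0782 condition
        '!'*|'*'*)   echo locked ;;    # account locked / password login disabled
        *)           echo hashed ;;    # a real hash, e.g. $6$...
    esac
}

# audit_image IMAGE -> prints "IMAGE<TAB>status". Assumes docker is available;
# --user 0 so the shadow file is readable even if the image sets USER,
# --entrypoint cat to bypass the image's own entrypoint.
audit_image() {
    shadow=$(docker run --rm --user 0 --entrypoint cat "$1" /etc/shadow 2>/dev/null) ||
        { printf '%s\tunreadable\n' "$1"; return 0; }
    printf '%s\t%s\n' "$1" "$(classify_root_password "$shadow")"
}

if [ "$#" -gt 0 ]; then
    for image in "$@"; do audit_image "$image"; done   # e.g. ./check.sh alpine:3.9
else
    # Constructed sample shadow contents (not taken from any real image) for an offline run.
    for sample in 'root:::0:::::' 'root::0:0:99999:7:::' \
                  'root:*:17000:0:99999:7:::' 'root:$6$saltsalt$fakehash:18000:0:99999:7:::'; do
        printf '%-45s %s\n' "$sample" "$(classify_root_password "$sample")"
    done
fi
```

An "empty" result is only a finding, not a confirmed break-in path: as the report notes, exploitation still needs a service in the container that authenticates against the shadow file.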
What was the result? The file ended up with 194 lines, the names of popular Docker images of Linux systems in which the root user has no password:
“Among the most well-known names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list: its statistics show more than 10 million pulls.”
It should be recalled, however, that this phenomenon in itself does not mean a direct vulnerability in the security of the systems that use these images: everything depends on how they are used (see the comment on the Alpine case above). Still, we have seen the “moral of this fable” many times: apparent simplicity often has a flip side, which must always be kept in mind, and whose consequences must be taken into account in our scenarios for applying a technology.