CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 84.9%

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.
Alpine Docker 3.3, Alpine Docker 3.4, Alpine Docker 3.5, Alpine Docker 3.6, Alpine Docker 3.7, Alpine Docker 3.8, Alpine Docker 3.9, Alpine Docker Edge
https://hub.docker.com/_/alpine
https://github.com/gliderlabs/docker-alpine/tree/master/
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-258 - Empty Password in Configuration File
In builds of the Alpine Docker Image (>=3.3) the /etc/shadow file contains a blank field in place of the encrypted password (sp_pwdp in the context of the spwd struct returned by getspent).
$ for i in `seq 1 9`; do echo -n "`date` - Alpine Docker 3.$i - "; docker run -it alpine:3.$i head -n 1 /etc/shadow ; done
Thu 7 Feb 2019 16:15:43 GMT - Alpine Docker 3.1 - root:!::0:::::
Thu 7 Feb 2019 16:15:44 GMT - Alpine Docker 3.2 - root:!::0:::::
Thu 7 Feb 2019 16:15:46 GMT - Alpine Docker 3.3 - root:::0:::::
Thu 7 Feb 2019 16:15:48 GMT - Alpine Docker 3.4 - root:::0:::::
Thu 7 Feb 2019 16:15:49 GMT - Alpine Docker 3.5 - root:::0:::::
Thu 7 Feb 2019 16:15:51 GMT - Alpine Docker 3.6 - root:::0:::::
Thu 7 Feb 2019 16:15:53 GMT - Alpine Docker 3.7 - root:::0:::::
Thu 7 Feb 2019 16:15:54 GMT - Alpine Docker 3.8 - root:::0:::::
Thu 7 Feb 2019 16:15:56 GMT - Alpine Docker 3.9 - root:::0:::::
The net result of a blank sp_pwdp field is that the system will treat the root user as having no password, rather than as a "locked" account, which is what happens when a ! or * is explicitly specified.
After discussions with Alpine Linux, it was discovered that this issue was also reported in their GitHub prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.
The root account should be explicitly disabled in Docker images built using affected versions as a base. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database.
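As an added example (not part of the original advisory), the shell functions below list the accounts whose password field is empty in a shadow-format file and write a copy with those fields set to !. The function names and the sample entries other than the two root lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a shadow-format file for
# accounts whose password field (sp_pwdp) is empty, and lock them.

# Print the name of every account whose second field is empty.
# "!" and "*" are non-empty, so locked accounts are not reported.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Copy $1 to $2, replacing each empty password field with "!" (locked).
# All other lines are written through unchanged.
lock_empty_passwords() {
    awk -F: 'BEGIN { OFS = ":" }
             NF >= 2 && $2 == "" { $2 = "!" }
             { print }' "$1" > "$2"
}

# Constructed sample: the root line is the form shown in the advisory's
# output for 3.3 and later; "daemon" and "svc" are made up for illustration.
demo() {
    sample=$(mktemp) && fixed=$(mktemp) || return 1
    printf '%s\n' 'root:::0:::::' 'daemon:*::0:::::' 'svc:!::0:::::' > "$sample"
    echo "empty password field: $(empty_password_accounts "$sample")"
    lock_empty_passwords "$sample" "$fixed"
    echo "after locking:        $(head -n 1 "$fixed")"
    rm -f "$sample" "$fixed"
}

demo
```

Run the audit function against a copy of /etc/shadow taken from an image built on an affected base; the same rewrite can be applied to /etc/shadow at image build time.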
2019-02-19 - Vendor Disclosure
2019-02-21 - Vendor Acknowledged
2019-03-01 - It was discovered that this issue was also reported and made public in their GitHub prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.
2019-05-08 - Public Release