Talos Intelligence - TALOS-2019-0782
May 08, 2019

Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability

2019-05-08 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.011 (Percentile: 84.9%)

Summary

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.

Tested Versions

Alpine Docker 3.3
Alpine Docker 3.4
Alpine Docker 3.5
Alpine Docker 3.6
Alpine Docker 3.7
Alpine Docker 3.8
Alpine Docker 3.9
Alpine Docker Edge

Product URLs

https://hub.docker.com/_/alpine
https://github.com/gliderlabs/docker-alpine/tree/master/

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-258 - Empty Password in Configuration File

Details

In builds of the Alpine Docker Image (>=3.3) the /etc/shadow file contains a blank field in place of the encrypted password (sp_pwdp in the context of the spwd struct returned by getspent).

    $ for i in $(seq 1 9); do echo -n "$(date) - Alpine Docker 3.$i - "; docker run -it alpine:3.$i head -n 1 /etc/shadow ; done
    Thu 7 Feb 2019 16:15:43 GMT - Alpine Docker 3.1 - root:!::0:::::
    Thu 7 Feb 2019 16:15:44 GMT - Alpine Docker 3.2 - root:!::0:::::
    Thu 7 Feb 2019 16:15:46 GMT - Alpine Docker 3.3 - root:::0:::::
    Thu 7 Feb 2019 16:15:48 GMT - Alpine Docker 3.4 - root:::0:::::
    Thu 7 Feb 2019 16:15:49 GMT - Alpine Docker 3.5 - root:::0:::::
    Thu 7 Feb 2019 16:15:51 GMT - Alpine Docker 3.6 - root:::0:::::
    Thu 7 Feb 2019 16:15:53 GMT - Alpine Docker 3.7 - root:::0:::::
    Thu 7 Feb 2019 16:15:54 GMT - Alpine Docker 3.8 - root:::0:::::
    Thu 7 Feb 2019 16:15:56 GMT - Alpine Docker 3.9 - root:::0:::::

The net result of a blank sp_pwdp field is that the system treats the root user as having no password at all, rather than as a 'locked' account, which is what an explicitly specified ! or * in that field would produce.

  1. This vulnerability was originally reported and patched in 2015, and regression tests were added to prevent it from recurring.
    * https://github.com/gliderlabs/docker-alpine/commit/8b9abf92b9960b7153b93268580099f34ef20f69
  2. Unfortunately, later that same year, a commit was pushed to simplify the regression tests. This led to the logic that may have caught this regression being simplified, causing the tests to be incorrectly 'satisfied' if the root password was once again removed.
    * https://github.com/gliderlabs/docker-alpine/commit/9762ff4cead1e31ea283a93095a0c9bbe265d943
  3. Eight days after this vulnerability was initially fixed, a commit was pushed which removed the 'disable root by default' flag from the 'edge' build properties file, reintroducing this issue in subsequent builds.
    * https://github.com/gliderlabs/docker-alpine/commit/ab4337c595383afa0f792ff01d3f99bc6667c3a8#diff-fc53135be554a2608c163978ed2f710b
  4. Since then, the default build options appear to have been copied from this properties file, so the flag has been missing from all tagged builds since December 2015 (>= 3.3).

After discussions with Alpine Linux, it was discovered that this issue was also reported in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.

Mitigation

The root account should be explicitly disabled in Docker images built using affected versions as a base. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database.
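As an added example (not part of the Talos advisory), the following POSIX shell script makes the distinction from the Details section concrete (an empty sp_pwdp field versus a ! or * lock) as an audit over shadow-style entries, and applies the mitigation above by rewriting a blank root entry to a locked one. The shadow entries are constructed samples modelled on the advisory's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: audit /etc/shadow-style entries for
# an empty password field and lock a blank root entry.
# Constructed sample entries (modelled on the advisory output), not real data.
SAMPLE_SHADOW='root:::0:::::
daemon:*:18000:0:99999:7:::
alice:$6$constructedsalt$constructedhash0123456789:18000:0:99999:7:::'

SAFE_SHADOW='root:!::0:::::
daemon:*:18000:0:99999:7:::'

# classify_pw LINE -> prints one of: empty, locked, hashed
# Empty second field = no password required; leading ! or * = locked account;
# anything else is treated as a password hash.
classify_pw() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# audit_shadow CONTENTS -> prints "user status" for each entry, in input order
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(classify_pw "$line")"
    done <<EOF
$1
EOF
}

# has_empty_password CONTENTS -> exit status 0 if any entry has an empty field
has_empty_password() {
    audit_shadow "$1" | grep -q ' empty$'
}

# lock_root_entry CONTENTS -> same contents with a blank root password field
# replaced by a locked (!) one, the same effect as `passwd -l root`. In a
# Dockerfile built on an affected base this is the equivalent of:
#   RUN sed -i 's/^root::/root:!:/' /etc/shadow
lock_root_entry() {
    printf '%s\n' "$1" | sed 's/^root::/root:!:/'
}

# Stand-alone usage: report each entry, then warn if any is exposed.
audit_shadow "$SAMPLE_SHADOW"
has_empty_password "$SAMPLE_SHADOW" && echo "WARNING: account with empty password field" >&2
```

Run the audit inside a container (`docker run --rm alpine:3.9 sh` with `/etc/shadow` as input) to confirm whether a given base image still carries the blank root entry before relying on the lock step.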

Timeline

2019-02-19 - Vendor Disclosure
2019-02-21 - Vendor Acknowledged
2019-03-01 - It was discovered that this issue was also reported and made public in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.
2019-05-08 - Public Release
