On the heels of the recent Docker Hub breach, we've got another Docker issue: a null root password in the official Alpine images. Folks, if you're going to rely on public images and builds for your overall system architecture, please please PLEASE consider running your own registry, or at least scrutinise and sanitise what you're using.
CVE-2019-5021 describes a problem that was supposedly fixed in 2015, but a later change to the image build reintroduced it. There is a good summary by Talos.
Let's only consider SSH, OK? From Alpine's response:

> … busybox as core tools. We have tested and made sure that root logins without password are only allowed from TTYs that are listed as secure in /etc/securetty. This makes it possible to boot Alpine on a machine and log in as root without shipping any pregenerated, well known password for Alpine. We consider a pregenerated, well known password worse than no password at all.
>
> sshd will not allow logins with blank passwords at all.
>
> Unfortunately we missed the case when a user installs linux-pam instead of using the default tools.
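The advice above (scrutinise what you pull) and the condition Alpine describes (an empty password field in /etc/shadow that PAM will honour where busybox's login and sshd would not) can both be turned into a concrete check. The following POSIX shell script is an added example, not code from this post, from Alpine or from Docker: it lists the accounts in a shadow file whose password field is empty, locks them by writing `!` into that field, and ships with a constructed sample shadow file modelled on the affected image layout. The function names, the sample data and the `docker run` wrapper are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Alpine's or Docker's code): audit a shadow file for
# accounts with an empty password field, and lock them.
set -eu

# Print the name of every account whose second field (the password hash)
# is empty. An empty field means "no password at all", which pam_unix can
# accept even though busybox login (outside /etc/securetty) and sshd refuse it.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Replace every empty password field with "!". "!" can never match a
# crypt(3) hash, so the account is locked for password authentication
# while its uid, shell and home directory are untouched.
lock_null_passwords() {
    tmp="$1.tmp.$$"
    awk 'BEGIN { FS = OFS = ":" } $2 == "" { $2 = "!" } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"   # write in place to keep the file's mode and owner
    rm -f "$tmp"
}

# Pull /etc/shadow out of an image and audit it. Hypothetical wrapper for
# interactive use; it needs a working docker CLI and is not exercised here.
image_null_password_accounts() {
    docker run --rm "$1" cat /etc/shadow | awk -F: '$2 == "" { print $1 }'
}

# Constructed sample: root has an empty hash field, the other accounts are
# locked with "!" as they are in the affected Alpine images.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
EOF
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_shadow "$f"
    echo "null-password accounts before lock: $(null_password_accounts "$f")"
    lock_null_passwords "$f"
    echo "null-password accounts after lock:  '$(null_password_accounts "$f")'"
    rm -f "$f"
fi
```

Against a real image the audit is `docker run --rm <image> cat /etc/shadow > shadow.txt` followed by `null_password_accounts shadow.txt`; in your own Dockerfile the same `awk` replacement as a `RUN` step, placed before any `apk add linux-pam`, closes the gap regardless of what the base image shipped. Whether PAM is present at all can be checked inside the container with `apk info -e linux-pam`, which exits 0 only if the package is installed.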
Official Images on Docker Hub
The Docker Official Images are a curated set of Docker repositories hosted on Docker Hub. They are designed to:
- Provide essential base OS repositories (for example, ubuntu, centos) that serve as the starting point for the majority of users.
- Provide drop-in solutions for popular programming language runtimes, data stores, and other services, similar to what a Platform-as-a-Service (PAAS) would offer.
- Exemplify Dockerfile best practices and provide clear documentation to serve as a reference for other Dockerfile authors.
- Ensure that security updates are applied in a timely manner. This is particularly important as many Official Images are some of the most popular on Docker Hub.