Another Day another Docker Vulnerability

On the heels of the recent Docker Hub breach, we’ve got another Docker issue: a null root password. Folks, if you’re going to rely on public images and builds for your overall system architecture, please please PLEASE consider baking your own hub, or scrutinise and sanitise what you’re using.

CVE-2019-5021 outlines a problem that was supposedly resolved in 2015, but an errant patch has brought it back (a regression). Good summary by Talos.

Switch back, now, or bake in a script to safety-change the root pass!

Let’s only consider SSH, k?

Alpine uses busybox as core tools. We have tested and made sure that root logins without password are only allowed from TTYs that are listed as secure in /etc/securetty. This makes it possible to boot Alpine on a machine and log in as root without shipping any pregenerated, well known password for Alpine. We consider a pregenerated, well known password worse than no password at all.

Services like sshd will not allow logins with blank passwords at all.

Unfortunately we missed the case when a user installs shadow and linux-pam instead of using the default tools.
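The gap Alpine describes above only bites once the root entry in /etc/shadow has an empty password field and a non-busybox login path stops honouring /etc/securetty. The following is an added example (not from the post, Alpine or Talos) of the "bake in a script" idea from earlier: POSIX shell functions that inspect a shadow-format file for an empty root password field and lock it by writing `!` into that field. It assumes the standard colon-separated shadow layout and uses a constructed sample file rather than the real /etc/shadow.

```shell
#!/bin/sh
# Added example: detect and lock a null (empty) root password in a
# shadow-format file. Run it against a copy or at image build time.

# Print the password field (field 2) for user $2 in shadow file $1.
shadow_pw_field() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# True (exit 0) when user $2 in shadow file $1 has an empty password field,
# which is the condition behind CVE-2019-5021.
has_null_password() {
    pw=$(shadow_pw_field "$1" "$2")
    [ -z "$pw" ]
}

# Rewrite shadow file $1 so that an empty password field for user $2
# becomes "!" (a locked account). Other lines are copied unchanged.
lock_null_password() {
    tmp="$1.tmp"
    awk -F: -v OFS=: -v u="$2" \
        '$1 == u && $2 == "" { $2 = "!" } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Demo on a constructed shadow file (not a real system file).
demo_shadow=$(mktemp)
printf 'root::18000:0:99999:7:::\nbin:!:18000:0:99999:7:::\n' > "$demo_shadow"
if has_null_password "$demo_shadow" root; then
    echo "root has a null password in $demo_shadow, locking it"
    lock_null_password "$demo_shadow" root
fi
echo "root field is now: $(shadow_pw_field "$demo_shadow" root)"
rm -f "$demo_shadow"
```

On a live Alpine image the equivalent one-liner is `passwd -l root` (or `passwd -d` to delete, which is what you want to avoid); the functions above let you verify the state rather than trust the base image.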

Official Images on Docker Hub

The Docker Official Images are a curated set of Docker repositories hosted on Docker Hub. They are designed to:

  • Provide essential base OS repositories (for example, ubuntu, centos) that serve as the starting point for the majority of users.
  • Provide drop-in solutions for popular programming language runtimes, data stores, and other services, similar to what a Platform-as-a-Service (PAAS) would offer.
  • Exemplify Dockerfile best practices and provide clear documentation to serve as a reference for other Dockerfile authors.
  • Ensure that security updates are applied in a timely manner. This is particularly important as many Official Images are some of the most popular on Docker Hub.

Recent History of this and other Docker Outages