AttackerKB AKB:D5179D87-2A4D-4212-998B-AD7C7469E731
History: May 08, 2019 - 12:00 a.m.

CVE-2019-5021

Source: attackerkb.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user.

Recent assessments:

asoto-r7 at May 14, 2019 6:22pm UTC reported:

Alpine Docker images prior to 7 March 2019 (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs shadow or linux-pam. This docker image is used as a base for many custom-built docker containers and often-distributed images.

Older and unsupported containers can be mitigated by:

    # make sure root login is disabled
    RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

Alternatively you could make sure that you don’t have linux-pam installed.

What common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: https://hub.docker.com/search?q=alpine&type=image
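The description above says the problem is an empty password field for root in the system shadow file, and the assessment gives a one-line sed fix. The following shell script is an added example (not from the AttackerKB page, Alpine, or the assessment's author) that shows both halves from a defender's side: an audit function that reports whether a shadow file has an empty root password field, and a fix function that applies the same `root::` to `root:!:` substitution. The shadow content, the temporary file path and the function names are constructed for this demonstration; the fix writes through a temp file rather than `sed -i` only so it runs on any sed, the effect on the file is identical to the assessment's `RUN` line.

```shell
#!/bin/sh
# Added example, not code from the AttackerKB page or the Alpine project.
# Audits a shadow file for an empty root password field (the CVE-2019-5021
# condition) and locks the account the way the assessment's sed line does.

# Return 0 if the "root" entry's password field (second colon-separated
# field) is empty; an empty field is what lets PAM-backed logins accept a
# blank password for root. Returns 1 when root is locked or has a hash.
root_has_empty_password() {
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit(found ? 0 : 1) }' "$1"
}

# Replace an empty root password field with "!" (locked account). This is the
# same substitution as the assessment's `sed -i -e 's/^root::/root:!:/'`;
# a temp file is used instead of -i so the example runs on BusyBox, GNU and BSD sed.
lock_root() {
    sed -e 's/^root::/root:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample resembling /etc/shadow from an affected Alpine image
# (root has an empty password field; the other accounts are locked with "!").
demo_shadow="$(mktemp)"
cat > "$demo_shadow" <<'EOF'
root::18000:0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
EOF

if root_has_empty_password "$demo_shadow"; then
    echo "root has an empty password field, locking the account"
    lock_root "$demo_shadow"
else
    echo "root password field is not empty, nothing to do"
fi

# After the fix the root line reads root:!:18000:0:::::
head -n 1 "$demo_shadow"
rm -f "$demo_shadow"
```

To audit a running container with the same function, feed it the container's shadow file, for example `docker cp <container>:/etc/shadow ./shadow && root_has_empty_password ./shadow`; for images you build, the assessment's `RUN sed ...` line in the Dockerfile is the durable fix.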

wvu-r7 at May 14, 2019 8:23pm UTC reported:


shuckins-r7 at May 14, 2019 6:23pm UTC reported:


J3rryBl4nks at March 10, 2020 2:59pm UTC reported:


jrobles-r7 at May 14, 2019 6:27pm UTC reported:


Assessed Attacker Value: 4

