ID OPENSUSE-2019-1495.NASL Type nessus Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-06-05T00:00:00
Description
This update for sles12sp3-docker-image, sles12sp4-image,
system-user-root fixes the following issues :
CVE-2019-5021: Ship a locked ("invalidated", `!`-marked) root password entry in /etc/shadow by default instead of an empty one, so that authentication mechanisms that consult the shadow file (e.g. PAM) no longer accept a blank password for root (bsc#1134524)
This update was imported from the SUSE:SLE-15:Update update project.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-1495.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");

if (description)
{
  # Plugin identity: Tenable plugin 125718 tracks openSUSE advisory openSUSE-2019-1495.
  script_id(125718);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/23");

  script_cve_id("CVE-2019-5021");

  script_name(english:"openSUSE Security Update : system-user-root (openSUSE-2019-1495)");
  script_summary(english:"Check for the openSUSE-2019-1495 patch");

  # Advisory text below is SUSE's wording and is reproduced verbatim.
  script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This update for sles12sp3-docker-image, sles12sp4-image,
system-user-root fixes the following issues :

 - CVE-2019-5021: Include an invalidated root password by
 default, not an empty one (bsc#1134524)

This update was imported from the SUSE:SLE-15:Update update project.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1134524");
  # NOTE(review): the advisory also names the sles12sp3/sles12sp4 container
  # images, but this plugin only version-checks the host's system-user-root RPM
  # (see the check further down). Images built from the old base are not
  # detected here and presumably need to be rebuilt or re-pulled separately.
  script_set_attribute(attribute:"solution", value:"Update the affected system-user-root package.");

  # Scoring: CVSSv2 10.0 / CVSSv3 9.8, no known public exploit at publication.
  # NOTE(review): these mirror the NVD rating of CVE-2019-5021; whether an
  # empty root password is actually reachable over the network on a given
  # host depends on which services authenticate against /etc/shadow, so
  # triage the finding in that light.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Targeting metadata: credentialed local check, openSUSE Leap 15.1 only.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:system-user-root");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # Requires the SSH-collected host facts and RPM inventory from ssh_get_info.nasl.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Credentialed (SSH) access is required to read the installed RPM list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
# SLED/SLES hosts are covered by the SLE advisory, not this openSUSE one.
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
# Only openSUSE Leap 15.1 is in scope for openSUSE-2019-1495.
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Pure version comparison against the fixed build of system-user-root.
# NOTE(review): nothing here inspects /etc/shadow, so a host whose root entry
# was already locked by hand is presumably still reported until the RPM is
# updated, and a host that is "fixed" by version is not re-verified.
vulnerable = 0;
if (rpm_check(release:"SUSE15.1", reference:"system-user-root-20190513-lp151.3.3.1")) vulnerable = 1;

# audit() terminates the script, so only a vulnerable host reaches the report.
if (!vulnerable)
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "system-user-root");
}

if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
{"id": "OPENSUSE-2019-1495.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : system-user-root (openSUSE-2019-1495)", "description": "This update for sles12sp3-docker-image, sles12sp4-image,\nsystem-user-root fixes the following issues :\n\n - CVE-2019-5021: Include an invalidated root password by\n default, not an empty one (bsc#1134524)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "published": "2019-06-05T00:00:00", "modified": "2019-06-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/125718", "reporter": "This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1134524"], "cvelist": ["CVE-2019-5021"], "type": "nessus", "lastseen": "2020-09-24T09:05:46", "edition": 14, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D5179D87-2A4D-4212-998B-AD7C7469E731"]}, {"type": "cve", "idList": ["CVE-2019-5021"]}, {"type": "f5", "idList": ["F5:K25551452"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0CB6B288E6AAF7D05FA3A2134FAFE3BD", "QUALYSBLOG:F266AF4E1B844432A13D20C10EEA9875"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852540", "OPENVAS:1361412562310108587", "OPENVAS:1361412562310108586"]}, {"type": "threatpost", "idList": ["THREATPOST:93217A92463A2EE382C00DE3E85DD559"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1495-1"]}, {"type": "talos", "idList": ["TALOS-2019-0782"]}, {"type": "nessus", "idList": ["ACCOUNT_ROOT.NASL"]}], "modified": "2020-09-24T09:05:46", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2020-09-24T09:05:46", "rev": 2}, "vulnersScore": 6.9}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1495.\n#\n# The text 
description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125718);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2019-5021\");\n\n script_name(english:\"openSUSE Security Update : system-user-root (openSUSE-2019-1495)\");\n script_summary(english:\"Check for the openSUSE-2019-1495 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for sles12sp3-docker-image, sles12sp4-image,\nsystem-user-root fixes the following issues :\n\n - CVE-2019-5021: Include an invalidated root password by\n default, not an empty one (bsc#1134524)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1134524\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected system-user-root package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:system-user-root\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/03\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"system-user-root-20190513-lp151.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"system-user-root\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "125718", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:system-user-root"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2020-10-03T13:38:54", "description": "Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-08T17:29:00", "title": "CVE-2019-5021", "type": "cve", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5021"], "modified": "2019-06-03T12:29:00", "cpe": ["cpe:/a:gliderlabs:docker-alpine:*"], "id": "CVE-2019-5021", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:gliderlabs:docker-alpine:*:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:39:25", 
"bulletinFamily": "info", "cvelist": ["CVE-2019-5021"], "description": "Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.\n\n \n**Recent assessments:** \n \n**asoto-r7** at May 14, 2019 6:22pm UTC reported:\n\nAlpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs `shadow` or `linux-pam`. This docker image is used as a base for many custom-built docker containers and often-distributed images.\n\nOlder and unsupported containers can be mitigated by:\n \n \n # make sure root login is disabled\n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n \n\nAlternatively you could make sure that you don\u2019t have linux-pam installed.\n\nWhat common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: [https://hub.docker.com/search?q=alpine&type=image](<https://hub.docker.com/search?q=alpine&type=image>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 5**wvu-r7** at May 14, 2019 8:23pm UTC reported:\n\nAlpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs `shadow` or `linux-pam`. 
This docker image is used as a base for many custom-built docker containers and often-distributed images.\n\nOlder and unsupported containers can be mitigated by:\n \n \n # make sure root login is disabled\n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n \n\nAlternatively you could make sure that you don\u2019t have linux-pam installed.\n\nWhat common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: [https://hub.docker.com/search?q=alpine&type=image](<https://hub.docker.com/search?q=alpine&type=image>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 5**shuckins-r7** at May 14, 2019 6:23pm UTC reported:\n\nAlpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs `shadow` or `linux-pam`. This docker image is used as a base for many custom-built docker containers and often-distributed images.\n\nOlder and unsupported containers can be mitigated by:\n \n \n # make sure root login is disabled\n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n \n\nAlternatively you could make sure that you don\u2019t have linux-pam installed.\n\nWhat common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: [https://hub.docker.com/search?q=alpine&type=image](<https://hub.docker.com/search?q=alpine&type=image>)\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 2**J3rryBl4nks** at March 10, 2020 2:59pm UTC reported:\n\nAlpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs `shadow` or `linux-pam`. 
This docker image is used as a base for many custom-built docker containers and often-distributed images.\n\nOlder and unsupported containers can be mitigated by:\n \n \n # make sure root login is disabled\n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n \n\nAlternatively you could make sure that you don\u2019t have linux-pam installed.\n\nWhat common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: [https://hub.docker.com/search?q=alpine&type=image](<https://hub.docker.com/search?q=alpine&type=image>)\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5**jrobles-r7** at May 14, 2019 6:27pm UTC reported:\n\nAlpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs `shadow` or `linux-pam`. This docker image is used as a base for many custom-built docker containers and often-distributed images.\n\nOlder and unsupported containers can be mitigated by:\n \n \n # make sure root login is disabled\n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n \n\nAlternatively you could make sure that you don\u2019t have linux-pam installed.\n\nWhat common docker images use Alpine? Are any of them locked to older versions? 
It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: [https://hub.docker.com/search?q=alpine&type=image](<https://hub.docker.com/search?q=alpine&type=image>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3\n", "modified": "2020-09-02T00:00:00", "published": "2019-05-08T00:00:00", "id": "AKB:D5179D87-2A4D-4212-998B-AD7C7469E731", "href": "https://attackerkb.com/topics/dMz2OtHkQQ/cve-2019-5021", "type": "attackerkb", "title": "CVE-2019-5021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:08", "bulletinFamily": "software", "cvelist": ["CVE-2019-5021"], "description": "\nF5 Product Development has assigned ID CONTCNTR-669 (BIG-IP Controller for Cloud Foundry) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. 
For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP Controller for Cloud Foundry (cf-bigip-ctlr) | 1.x | 1.2.1 | None | Critical | [9.8](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) | Alpine Linux container \nF5 IPAM Controller (f5-ipam-ctlr) | 0.x | None | Not applicable | Not vulnerable | None | None \nBIG-IP Controller for Kubernetes (k8s-bigip-ctlr) | 1.x | None | Not applicable | Not vulnerable | None | None \nBIG-IP Controller for Marathon (marathon-bigip-ctlr) | 1.x | None | Not applicable | Not vulnerable | None | None \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 15.x | None | Not applicable | Not vulnerable | None | None \n14.x | None | Not applicable \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 6.x | None | Not applicable | Not vulnerable | None | None \n5.x | None | Not applicable \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [F5 Networks Docker Hub page](<https://hub.docker.com/u/f5networks>) \n**Note**: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.\n * [F5 Cloud Docs](<https://clouddocs.f5.com/>)\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-24T23:46:00", "published": "2019-06-24T23:46:00", "id": "F5:K25551452", "href": "https://support.f5.com/csp/article/K25551452", "title": "Alpine Linux Docker image vulnerability CVE-2019-5021", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-06-11T16:20:13", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5021"], "description": "A vulnerability affecting the official [Alpine Docker](<https://github.com/alpinelinux/docker-alpine>) images version >=3.3 contains a null password for the root user. 
Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.\n\n### Remediation\n\nIf you are using an older, unsupported releases, then you can fix it by adding this line to your Docker file:\n \n \n # CVE-2019-5021 disable root login \n RUN sed -i -e 's/^root::/root:!:/' /etc/shadow\n\nYou can also remove linux-pam if it is installed.\n\n### Detecting CVE-2019-5021 (QID 371776)\n\nThis particular vulnerability has been tracked as [CVE-2019-5021](<https://nvd.nist.gov/vuln/detail/CVE-2019-5021>). You can also find the official Alpine announcement at [Alpine-CVE-2019-5021](<https://www.alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html>).\n\nQualys has released a special **QID 371776** for [Qualys Container Security](<https://www.qualys.com/apps/container-security/>) to detect this vulnerability, and Qualys customers can use Qualys Container Security to detect this vulnerability at various stages of the Docker image lifecycle.\n\n### Detecting CVE-2019-5021 QID 371776 in your CI/CD Pipeline\n\nIf you are using Jenkins or Bamboo as your build tool, you can use the Qualys plugin to detect this vulnerability during your build process, and you could fail the build and then review the Qualys report to identify issues and remediation available on validation.\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f1-1.png>)\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f2-1.png>)\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f3-1.png>)\n\n### Detecting CVE-2019-5021 QID 371776 on your Docker Host\n\nYou can search for the QID or CVE to get a list of all the images and container affected by this :\n\n * vulnerabilities.qid:371776\n * 
vulnerabilities.cveids:CVE-2019-5021\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f4-1.png>)\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f5-1.png>)\n\nQualys customers can use a Container Security dashboard to track this vulnerability across your images and containers.\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/06/f6-1.png>)\n\n### Resources\n\n * Refer to the [Qualys Container Security User Guide](<https://www.qualys.com/docs/qualys-container-security-user-guide.pdf>) for registry scanning and runtime protection.\n * Discuss with your peers at [Qualys Community](<https://community.qualys.com/community/cloud-security>).\n\nDon't have [Qualys Container Security](<https://www.qualys.com/apps/container-security/>)? Contact your Technical Account Manager to get a free trial, or [sign up online](<https://www.qualys.com/free-trial/>).", "modified": "2019-06-11T15:00:51", "published": "2019-06-11T15:00:51", "id": "QUALYSBLOG:0CB6B288E6AAF7D05FA3A2134FAFE3BD", "href": "https://blog.qualys.com/technology/2019/06/11/alpine-docker-image-vulnerability-cve-2019-5021-how-to-detect-and-fix", "type": "qualysblog", "title": "Alpine Docker Image Vulnerability (CVE-2019-5021): How to Detect and Fix", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-17T17:31:13", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5021"], "description": "This week saw news of [self-propagating worms](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>) in the container landscape to perform unsanctioned computation tasks such as cryptojacking. 
This blog post is intended for Qualys customers and partners to understand how such container attacks work, provide security best practice recommendations & walkthrough related Qualys product portfolio functionality.\n\n### Background\n\nContainers usage is mainstream today and enterprises are leveraging containers for their workload deployments across a number of different types of private and public cloud infrastructure. This has been driven mainly by development, devops teams for reasons relating to development velocity & infrastructure utilization/efficiency.\n\nAs with any new technology, the security conversations often lag technology adoption. Containers are no different. Best intentions of developers, devops teams not withstanding it does require a well thought out security strategy to think through the attack surface for containers and put in place a security program/tooling to address related risks.\n\n### What's New?\n\nQualys threat research has been tracking developments ([1](<https://blog.qualys.com/technology/2019/06/11/alpine-docker-image-vulnerability-cve-2019-5021-how-to-detect-and-fix#more-25460>), [2](<https://blog.qualys.com/securitylabs/2019/02/12/runc-container-breakout-vulnerability#more-25277>), [3](<https://blog.qualys.com/securitylabs/2018/12/17/new-frontiers-in-cryptojacking#more-25170>), [4](<https://blog.qualys.com/news/2019/01/09/container-security-becomes-a-priority-for-enterprises#more-25196>)) in the container threat landscape given the widespread usage of containers and the risks the container attack surface poses to enterprises. 
This year saw new frontiers in the container threat landscape with attacks on the ecosystem ([Docker Hub breach](<https://success.docker.com/article/docker-hub-user-notification>), [DockerHub Malware](<https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers>)).\n\nThis week saw news of [self-propagating worms](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>) in the container landscape to perform unsanctioned computation tasks such as Cryptojacking. When [Cryptomining](<https://www.google.com/search?sxsrf=ACYBGNSz9LRBGplQ4rL2XRSJqGXtSnFAMg%3A1571259442766&source=hp&ei=MoSnXb7XK5a_0PEPmr26-Ao&q=cryptomining&oq=cryptomining&gs_l=psy-ab.3..0l3j0i10l7.68.3465..3649...0.0..0.136.1544.4j11......0....1..gws-wiz.......0i131.PE_myq97DV4&ved=0ahUKEwi-uLvH1aHlAhWWHzQIHZqeDq8Q4dUDCAg&uact=5>) is done without authorization it is referred to as Cryptojacking. While the security implications are alarming, in elastic public cloud environments these incidents have [financial implications](<https://www.reddit.com/r/aws/comments/8oi34d/cloud_computing_sticker_shock_is_now_a_monthly/>) as well.\n\n### How Do These New Container Threats Work?\n\nAt a high level, attackers find a weak point in the container pipeline and introduce the malicious code into a container image. Some examples include:\n\n 1. Compromising a container host via a vulnerability and introducing containers with malicious code. The most recent incidents have leveraged insecure container engines as the attack point. ([Don't expose the docker socket](<https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html>) in an insecure manner. Secure it). \n * Without any authentication or authorization, a malicious actor can take full control of the Docker Engine (CE) and the host. The attacker leverages this entry point to deploy and spread the worm.\n 2. 
Supply chain attacks by introducing malicious container images in the container pipeline (e.g. Container Registry, Container Repository)\n 3. Compromising a running container and introducing malicious code\n\n### Qualys Security Best Practice Recommendations\n\nQualys recommends the following security best practices for customers with concerns around these latest types of container attacks.\n\n 1. Secure your container hosts in the scope of a vulnerability management and an EDR program. Qualys [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>), [Indication of Compromise](<https://www.qualys.com/apps/indication-of-compromise/>), [Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and [File Integrity Monitoring](<https://www.qualys.com/apps/file-integrity-monitoring/>) are products that address these use cases.\n 2. Include your container hosts in scope of a compliance program to check for misconfigurations around open Docker hosts, etc. [Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has a number of controls in place to address such use cases, e.g. CIS Benchmarks for Docker\n 3. Shift left with a comprehensive DevSecOps container security program. Qualys [Container Security](<https://www.qualys.com/apps/container-security/>) addresses use cases for container security across the container pipeline. In particular Qualys CS provides comprehensive inventory of containers via various sensors (Qualys Cloud Agent, Qualys Network Scanner, Qualys Container Sensor) and provides for security assessment of containers (Vulnerability scanning) and runtime protection (Dynamic hardening of containers).\n\n### Qualys Product Walkthrough for Use Cases Related to this Attack Scenario\n\n 1. [**Qualys Global IT Asset Inventory**](<https://www.qualys.com/apps/asset-inventory/>) - Utilize Qualys's free offering to get visibility into container hosts, container images and running containers. 
(Via Qualys Network Scanner, Qualys Cloud Agent). [](<https://blog.qualys.com/wp-content/uploads/2019/10/GlobalAI-e1571277214988.png>)\n 2. [**Qualys Policy Compliance**](<https://www.qualys.com/apps/policy-compliance/>) - Obtain compliance posture of container deployments. Specific controls available to customers include [CIS Docker benchmarks](<https://discussions.qualys.com/docs/DOC-6039-scanning-docker-with-qualys-policy-compliance>). Some specific examples below \n * Controls available to check for security configuration posture of the Docker Daemon (Docker Socket) \n * Status of the TLS key file ('tlskey' flag) set for the Docker daemon on the host system (Control ID 10765 , Signature 810014)\n * Status of the TLS certificate file ('tlscert' flag) set for the Docker daemon on the host system (Control ID 10766, Signature 810015)\n * Status of the TLS CA certificate file ('tlscacert' flag) set for the Docker daemon on the host system (Control ID 10767 , Signature 810016)\n * Status of the TLS authentication ('tlsverify' flag) set for the Docker daemon on the host system (Control ID 10768, Signature 810017)\n * For customers using an authorization plugin for the docker daemon, Qualys Policy compliance has the following controls \n * Status of the use of authorization plug-in for the Docker daemon on the host system (Control ID 10772, Signature 810022)\n 3. [**Qualys Vulnerability Management**](<https://www.qualys.com/apps/vulnerability-management/>) - Utilize to obtain vulnerability posture of container hosts. Following is a list of detections Qualys has in place to detect vulnerabilities, compromised container images (Current, Coming shortly) \n * QID 13490 : Docker Host with Unprotected REST API Detected\n * QID 371020 : Backdoored Cryptomining Docker Image Detected\n * QID 1050: Cryptojacking Worm: Graboid (Coming shortly)[](<https://blog.qualys.com/wp-content/uploads/2019/10/MicrosoftTeams-image.png>)\n 4. 
[**Qualys Container Security**](<https://www.qualys.com/apps/container-security/>) - Utilize to obtain enhanced inventory, security posture of container images, running containers across the container pipeline (CICD build scanning, Registry scanning, Running container scanning). This requires installing the Qualys container sensor on the docker host. Qualys recommends the following security workflows as part of a container security program to proactively detect exposure to such threats, detect compromised containers and remediate accordingly.\n * * Obtain container inventory via your existing Qualys deployments (Network Scanner, Cloud Agent). Install Qualys Container Security Sensor to obtain enhanced visibility, security posture.\n * Detect container drift from underlying container image (Drift by vulnerabilities, Drift by software packages). These could stem from malicious behaviors from compromised containers.\n\n[](<https://blog.qualys.com/wp-content/uploads/2019/10/CSDashboard-e1571277746129.png>)\n\n * * Detect unknown images (potentially malicious) via a flexible QQL query in Qualys Container Security \n 1. Look for images which are not from specific registries: _not(repo.registry:`docker.io`)_\n 2. Look for images which are not scanned in CICD pipeline and/or the registry: _not source:[CICD, REGISTRY]_\n 3. Utilize Qualys Container runtime security from our [layered insight acquisition](<https://www.qualys.com/company/newsroom/news-releases/uk/qualys-acquires-container-native-security-company-layered-insight/>). More specifically this offering is a function-level firewall that allows customers to block granular behaviors (e.g. httpd spawning a shell) and thus harden containers against attacks leveraging vulnerabilities (e.g. [Runc](<https://blog.qualys.com/securitylabs/2019/02/12/runc-container-breakout-vulnerability#more-25277>) vulnerability). 
This is integrated into the Qualys platform and is going to be available shortly to customers as part of an early preview\n\nAs someone once [supposedly](<https://en.wikiquote.org/wiki/Talk:History>) said, \"History doesn't repeat, it rhymes\". Et Tu Containers? Time for folks to update this wikipedia [page](<https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms>) here with the latest in the worm threat landscape.\n\nFor existing customers, please contact your Technical Account Manager to set up a free trial for any of the Qualys cloud apps mentioned above.", "modified": "2019-10-17T14:00:43", "published": "2019-10-17T14:00:43", "id": "QUALYSBLOG:F266AF4E1B844432A13D20C10EEA9875", "href": "https://blog.qualys.com/news/2019/10/17/graboid-revenge-of-the-worms", "type": "qualysblog", "title": "Graboid: Revenge of the Worms", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2019-06-03T14:41:42", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5021"], "description": "This update for sles12sp3-docker-image, sles12sp4-image, system-user-root\n fixes the following issues:\n\n - CVE-2019-5021: Include an invalidated root password by default, not an\n empty one (bsc#1134524)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-06-03T12:13:26", "published": "2019-06-03T12:13:26", "id": "OPENSUSE-SU-2019:1495-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html", "title": "Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-31T16:48:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5021"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-06-04T00:00:00", "id": "OPENVAS:1361412562310852540", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310852540", "type": "openvas", "title": "openSUSE: Security Advisory for Recommended (openSUSE-SU-2019:1495-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852540\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-5021\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-04 02:01:14 +0000 (Tue, 04 Jun 2019)\");\n script_name(\"openSUSE: Security Advisory for Recommended (openSUSE-SU-2019:1495-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n 
script_xref(name:\"openSUSE-SU\", value:\"2019:1495-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Recommended'\n package(s) announced via the openSUSE-SU-2019:1495-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for sles12sp3-docker-image, sles12sp4-image, system-user-root\n fixes the following issues:\n\n - CVE-2019-5021: Include an invalidated root password by default, not an\n empty one (bsc#1134524)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1495=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1495=1\");\n\n script_tag(name:\"affected\", value:\"'Recommended' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"system-user-root\", rpm:\"system-user-root~20190513~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-24T17:04:07", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502", "CVE-2019-5021"], "description": "The remote host has set no password for the root account.", "modified": "2020-03-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "OPENVAS:1361412562310108586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108586", "type": "openvas", "title": "Unpassworded 'root' Account (Telnet)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108586\");\n script_version(\"2020-03-24T06:41:42+0000\");\n script_cve_id(\"CVE-2019-5021\", \"CVE-1999-0502\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 06:41:42 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-05-24 12:35:09 +0000 (Fri, 24 May 2019)\");\n script_name(\"Unpassworded 'root' Account (Telnet)\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"os_detection.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_require_keys(\"Host/runs_unixoide\");\n script_mandatory_keys(\"telnet/banner/available\");\n script_exclude_keys(\"telnet/no_login_banner\", \"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782\");\n script_xref(name:\"URL\", value:\"https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html\");\n\n script_tag(name:\"summary\", value:\"The remote host has set no password for the root account.\");\n\n script_tag(name:\"impact\", value:\"This issue may be exploited by a remote attacker to gain access to\n sensitive information or modify system configuration.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to login with a 'root' username and without a password.\");\n\n script_tag(name:\"insight\", value:\"It was 
possible to login with the 'root' username and without passing\n a password.\");\n\n script_tag(name:\"affected\", value:\"Versions of the Official Alpine Linux Docker images (since v3.3) are\n known to be affected. Other products / devices might be affected as well.\");\n\n script_tag(name:\"solution\", value:\"Set a password for the 'root' account. If this is an Alpine Linux Docker image\n update to one of the following image releases:\n\n edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, v3.6.5.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"telnet_func.inc\");\ninclude(\"default_account.inc\");\ninclude(\"misc_func.inc\");\n\nport = telnet_get_port( default:23 );\nif( get_kb_item( \"telnet/\" + port + \"/no_login_banner\" ) )\n exit( 0 );\n\nif( _check_telnet( port:port, login:\"root\" ) ) {\n report = \"It was possible to login as user 'root' without a password and to execute the 'id' command.\";\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-26T13:21:30", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502", "CVE-2019-5021"], "description": "The remote host has set no password for the root account.", "modified": "2020-04-22T00:00:00", "published": "2019-05-24T00:00:00", "id": "OPENVAS:1361412562310108587", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108587", "type": "openvas", "title": "Unpassworded 'root' Account (SSH)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the 
License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108587\");\n script_version(\"2020-04-22T14:19:41+0000\");\n script_cve_id(\"CVE-2019-5021\", \"CVE-1999-0502\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-22 14:19:41 +0000 (Wed, 22 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-05-24 12:35:09 +0000 (Fri, 24 May 2019)\");\n script_name(\"Unpassworded 'root' Account (SSH)\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"ssh_detect.nasl\", \"os_detection.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_require_keys(\"Host/runs_unixoide\");\n script_mandatory_keys(\"ssh/server_banner/available\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782\");\n script_xref(name:\"URL\", value:\"https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html\");\n\n script_tag(name:\"summary\", value:\"The remote host has set no password for the root account.\");\n\n script_tag(name:\"impact\", value:\"This issue may be exploited by a remote attacker to gain access to\n sensitive information or 
modify system configuration.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to login with a 'root' username and without a password.\");\n\n script_tag(name:\"insight\", value:\"It was possible to login with the 'root' username and without passing\n a password.\");\n\n script_tag(name:\"affected\", value:\"Versions of the Official Alpine Linux Docker images (since v3.3) are\n known to be affected. Other products / devices might be affected as well.\");\n\n script_tag(name:\"solution\", value:\"Set a password for the 'root' account. If this is an Alpine Linux Docker image\n update to one of the following image releases:\n\n edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, v3.6.5.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"host_details.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port( default:22 );\nif( ! soc = open_sock_tcp( port ) )\n exit( 0 );\n\nlogin = ssh_login( socket:soc, login:\"root\", password:\"\", priv:NULL, passphrase:NULL );\nif( login == 0 ) {\n\n files = traversal_files( \"linux\" );\n\n foreach pattern( keys( files ) ) {\n\n file = \"/\" + files[pattern];\n\n cmd = ssh_cmd( socket:soc, cmd:'cat ' + file, nosh:TRUE );\n\n if( egrep( string:cmd, pattern:pattern, icase:TRUE ) ) {\n if( soc )\n close( soc );\n report = 'It was possible to login as user `root` without a password and to execute `cat ' + file + '`. 
Result:\\n\\n' + cmd;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nif( soc )\n close( soc );\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-11T11:47:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-5021"], "description": "For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images.\n\nAffected versions of Alpine Linux Docker distros include 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9 and Alpine Docker Edge, according to [Cisco Talos researchers who discovered the bug](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782>), who tested each version and released their findings on Wednesday. Vulnerable Alpine Linux Docker images were available via the official Docker Hub portal since late 2015.\n\n\u201cThis vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user,\u201d according to the [Common Vulnerabilities and Exposures description](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021>).\n\nThe \u201cempty password in configuration file\u201d bug ([CVE-2019-5021](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021>)) has a critical CVSS rating of 9.8.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability dates back to 2015 when it was originally identified and patched. However, weeks after a fix was deployed, further \u201cregression\u201d tests associated with the bug were conducted. 
Unfortunately, those tests inadvertently \u201cremoved this \u2018disable root by default\u2019 flag from the \u2018edge\u2019 build properties file, reintroducing this issue to subsequent builds,\u201d Cisco Talos researchers wrote.\n\nThe Cisco Talos team publicly revealed its research on Wednesday, having disclosed it privately to stakeholders in February. \u201cIt was discovered that this issue was also reported and made public in their [Github](<https://github.com/gliderlabs/docker-alpine/issues/430>) prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco,\u201d researchers wrote.\n\nThe impact of the bug may be limited, according to some users chiming in on GitHub. One such user, Tianon Gravi, pointed out: \u201cNo currently supported Alpine images are affected (all affected images are [end of life]), the attack vector is very narrow to begin with, and there are a couple other images we\u2019re looking to fix (and updating our test to catch this more aggressively).\u201d\n\nPeter Adkins of Cisco Umbrella is credited for finding the bug.\n\nMitigation includes disabling the Docker images built using the affected versions as a base, Cisco Talos said. 
\u201cThe likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database,\u201d researchers said.\n", "modified": "2019-05-09T17:06:14", "published": "2019-05-09T17:06:14", "id": "THREATPOST:93217A92463A2EE382C00DE3E85DD559", "href": "https://threatpost.com/alpine-linux-docker-images-unlocked/144542/", "type": "threatpost", "title": "Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talos": [{"lastseen": "2020-07-01T21:25:22", "bulletinFamily": "info", "cvelist": ["CVE-2019-5021"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0782\n\n## Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability\n\n##### May 8, 2019\n\n##### CVE Number\n\nCVE-2019-5021 \n\n### Summary\n\nVersions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December 2015. 
Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.\n\n### Tested Versions\n\nAlpine Docker 3.3 Alpine Docker 3.4 Alpine Docker 3.5 Alpine Docker 3.6 Alpine Docker 3.7 Alpine Docker 3.8 Alpine Docker 3.9 Alpine Docker Edge\n\n### Product URLs\n\n[https://hub.docker.com/_/alpine](https://hub.docker.com/_/alpine) [https://github.com/gliderlabs/docker-alpine/tree/master/](https://github.com/gliderlabs/docker-alpine/tree/master/)\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-258 - Empty Password in Configuration File\n\n### Details\n\nIn builds of the Alpine Docker Image (>=3.3) the `/etc/shadow` file contains a blank field in place of the encrypted password (`sp_pwdp` in the context of the `spwd` struct returned by `getspent`).\n\n$ for i in `seq 1 9`; do echo -n \u201c`date` \\- Alpine Docker 3.$i - \u201c; docker run -it alpine:3.$i head -n 1 /etc/shadow ; done Thu 7 Feb 2019 16:15:43 GMT - Alpine Docker 3.1 - root:!::0::::: Thu 7 Feb 2019 16:15:44 GMT - Alpine Docker 3.2 - root:!::0::::: Thu 7 Feb 2019 16:15:46 GMT - Alpine Docker 3.3 - root:::0::::: Thu 7 Feb 2019 16:15:48 GMT - Alpine Docker 3.4 - root:::0::::: Thu 7 Feb 2019 16:15:49 GMT - Alpine Docker 3.5 - root:::0::::: Thu 7 Feb 2019 16:15:51 GMT - Alpine Docker 3.6 - root:::0::::: Thu 7 Feb 2019 16:15:53 GMT - Alpine Docker 3.7 - root:::0::::: Thu 7 Feb 2019 16:15:54 GMT - Alpine Docker 3.8 - root:::0::::: Thu 7 Feb 2019 16:15:56 GMT - Alpine Docker 3.9 - root:::0:::::\n\nThe net result of a blank `sp_pwdp` field is that the system will treat the `root` user as having no password, rather than as a \u2018locked\u2019 account, as would be the case if a `!` or `*` were explicitly specified.\n\n 1. 
This vulnerability was originally reported and patched in 2015, and regression tests were added to prevent this from occurring in the future. \n * <https://github.com/gliderlabs/docker-alpine/commit/8b9abf92b9960b7153b93268580099f34ef20f69>\n 2. Unfortunately, later that same year, a commit was pushed to simplify the regression tests. This led to the logic that may have caught this regression being simplified, causing these tests to be incorrectly \u2018satisfied\u2019 if the root password was once again removed. \n * <https://github.com/gliderlabs/docker-alpine/commit/9762ff4cead1e31ea283a93095a0c9bbe265d943>\n 3. Eight days after this vulnerability was initially fixed, a commit was pushed which removed this \u2018disable root by default\u2019 flag from the \u2018edge\u2019 build properties file, reintroducing this issue to subsequent builds. \n * <https://github.com/gliderlabs/docker-alpine/commit/ab4337c595383afa0f792ff01d3f99bc6667c3a8#diff-fc53135be554a2608c163978ed2f710b>\n 4. Since this time, the default build options appear to have been copied from this properties file, leading to this flag being missing from all tagged builds since December 2015 (>= 3.3).\n\nAfter discussions with Alpine Linux, it was discovered that this issue was also reported in their [Github](<https://github.com/gliderlabs/docker-alpine/issues/430>) prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.\n\n### Mitigation\n\nThe `root` account should be explicitly disabled in Docker images built using affected versions as a base. 
The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database.\n\n### Timeline\n\n2019-02-19 - Vendor Disclosure \n2019-02-21 - Vendor Acknowledged \n2019-03-01 - It was discovered that this issue was also reported and made public in their [Github](<https://github.com/gliderlabs/docker-alpine/issues/430>) prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco. \n2019-05-08 - Public Release\n\n##### Credit\n\nDiscovered by Peter Adkins of Cisco Umbrella.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2019-0777\n\nPrevious Report\n\nTALOS-2019-0772\n", "edition": 5, "modified": "2019-05-08T00:00:00", "published": "2019-05-08T00:00:00", "id": "TALOS-2019-0782", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0782", "title": "Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability", "type": "talos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T01:12:58", "description": "The account 'root' has no password set.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2003-02-20T00:00:00", "title": "Unpassworded 'root' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502", "CVE-2019-5021"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT.NASL", "href": "https://www.tenable.com/plugins/nessus/11245", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11245);\n script_version (\"1.31\");\n script_cvs_date(\"Date: 2019/05/08 17:05:59\");\n\n script_cve_id(\"CVE-1999-0502\", \"CVE-2019-5021\");\n\n 
script_name(english:\"Unpassworded 'root' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with no password set.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' has no password set.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password for this account.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/01/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}