In July this year, researchers disclosed a critical vulnerability in the Docker copy (cp) command that gave attackers complete root control of the host and all of its containers. The cp command copies files and folders between a container and the local file system.
Docker Copy Vulnerability
Researchers said that the attack builds on a container that is already compromised or malicious. When a user runs a malicious container image from an untrusted source and then executes the vulnerable cp command to copy files out of that container, the attacker can escape the container and gain full root control of the host and all of its associated containers.
As per the Palo Alto Networks report, “To copy files out of the container, Docker uses a helper process called docker-tar. ‘docker-tar’ works by chrooting into the container, archiving the requested files and directories in it, and then passing back the resulting tar file to the Docker daemon, which is responsible for extracting it to the target directory on the host.”
The problem is that docker-tar isn’t containerized. It runs in host namespaces with all root capabilities. Thus, by injecting code into docker-tar, a malicious container gets full access. The two possible attack scenarios are that a Docker user copies some files from either:
- A container running a malicious image with bad libnss_*.so libraries.
- A compromised container where an attacker replaced the libnss_*.so libraries.
Both scenarios grant the attacker root access rights to the host.
The Fix Issued
The Docker Copy Vulnerability has been fixed and is tracked as CVE-2019-14271. Its severity is reflected in a CVSS base score of 9.8, which makes it a highly critical issue. Docker has asked its users to upgrade to version 19.03.1 or later, since the vulnerability has been patched in that release.
Preventive Actions
As a precautionary measure, researchers suggested not running untrusted images and, when root is not required, running containers as non-root users. This way, even if an attacker compromises the container, they cannot overwrite the container’s libraries, because those files are owned by root.
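An added audit script (not from the article, Docker, or Palo Alto Networks) that applies both of the above checks to a host: whether the daemon predates the 19.03.1 fix, and which running containers still execute as root, so that the non-root mitigation does not apply to them. It assumes the output shapes of `docker version --format '{{.Server.Version}}'` and `docker inspect`, and uses constructed sample data so it runs offline.

```python
"""Audit helper for CVE-2019-14271 (added example, not from the article,
Docker or Palo Alto Networks): flags a daemon older than the fixed release
19.03.1 and lists running containers whose process runs as root."""
import json
import re
import subprocess

FIXED_VERSION = (19, 3, 1)  # first Docker release carrying the fix

def parse_version(text):
    """Turn a version string such as '18.09.7-ce' into a tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Docker version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def is_vulnerable_version(text):
    """True when the daemon version predates 19.03.1."""
    return parse_version(text) < FIXED_VERSION

def root_containers(inspect_json):
    """Names of containers running as root, from `docker inspect` JSON.
    An empty Config.User means the image default, which is root; such a
    container cannot rely on root-owned libnss_*.so files being unwritable."""
    flagged = []
    for c in json.loads(inspect_json):
        user = (c.get("Config", {}).get("User") or "").strip()
        name = user.split(":", 1)[0]  # drop an optional ":group" part
        if name in ("", "root", "0"):
            flagged.append(c.get("Name", "").lstrip("/"))
    return flagged

def live_audit():
    """Run both checks against the local daemon (needs the docker CLI)."""
    ver = subprocess.check_output(
        ["docker", "version", "--format", "{{.Server.Version}}"], text=True)
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    inspect = subprocess.check_output(["docker", "inspect"] + ids, text=True) if ids else "[]"
    return is_vulnerable_version(ver), root_containers(inspect)

# Constructed sample data standing in for real CLI output.
SAMPLE_VERSION = "19.03.0"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""}},
    {"Name": "/worker", "Config": {"User": "1000:1000"}},
    {"Name": "/db", "Config": {"User": "root"}},
])
```

Call `live_audit()` on a host with the docker CLI to get the same two results for the real daemon and its running containers.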
Earlier in April this year, Docker had reported that hackers had accessed one of its Docker Hub databases and stolen sensitive data from around 190,000 user accounts. Docker Hub is the official cloud repository for Docker container images that allows users to create, test, store, and distribute container images.
At that time, Docker said, “We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place. Our investigation is still ongoing, and we will share more information as it becomes available.”