Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password
According to Talos, the official Alpine Linux Docker images had been shipping with a null root password since December 2015. Alpine has since fixed the affected Dockerfiles, and the disclosure warned that “an attacker who compromised your system via an unrelated security vulnerability, or a user with shell access, could elevate their privileges to root within the container.”
Talos's research found that the official Alpine Linux Docker images had shipped with a null root password since December 2015. That report prompted a follow-up investigation, which found that nearly 20% of the 1,000 most popular container images on the Docker store have no root password.
Alpine addressed the issue shortly after the report was released. Rated Critical with a CVSS score of 9.8, the problem was that in the affected images the root entry in /etc/shadow had an empty password field where the password hash belongs, so any authentication mechanism that consults the shadow file treats the root user as having no password.
“Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user,” Talos reported.
Talos's findings led Jerry Gamblin, Principal Security Engineer at Kenna Security, to check whether other images had the same problem. He wrote a script to test the top 1,000 container images on the Docker store for a null root password.
He found that nearly 20% of them had one. An initial run flagged more than 200 images, but that list contained duplicates; a second run found 157 of 794 images with a null root password, and after further refinement the final figure was 194 of 1,000 (19.4%).
The most-pulled image on the list is kylemanna/openvpn, with over 10,000,000 pulls; images from govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere also appear.
As Gamblin points out, an empty root password field does not by itself make a container exploitable; other conditions must also be met. In Alpine Linux's case, the images were only vulnerable if the shadow and linux-pam packages were installed, because those supply the authentication path that consults the shadow file.
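The check at the heart of both the Talos finding and Gamblin's scan is a look at the second field of each /etc/shadow line. The script below is an added example, not the article's, Talos's or Kenna Security's code: it parses shadow(5)-formatted text and classifies every account's password field as empty (null password), locked ("!" or "*" prefix) or set (a crypt(3) hash), then reports whether root is in the null state. The shadow contents it runs on are constructed for the example, not dumped from a real image; to test an actual image you would pipe `docker run --rm --entrypoint cat <image> /etc/shadow` into it. As the article notes, a null field only shows the shadow file's state; whether anything on the image actually authenticates against it (PAM, the shadow package) is a separate question this script does not answer.

```python
"""Spot null root passwords in an /etc/shadow file.

Added example (not from the article or from the Talos/Kenna tooling).
Classifies the password field of every shadow entry so that an empty
field (no password required, per shadow(5)) is distinguished from a
locked account ("!" or "*") and from a real crypt(3) hash.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Constructed sample, not a dump of any real image.  The root line has an
# empty second field, the pattern Talos described in the affected Alpine
# images; the other lines show the locked and hashed cases for contrast.
SAMPLE_SHADOW = """\
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
app:$6$constructedsalt$notarealhashvalue:18000:0:99999:7:::
sshd:*:18000::::::
"""

# Same constructed file with the root entry locked, the state a fixed
# image should be in.
FIXED_SHADOW = SAMPLE_SHADOW.replace("root:::0:::::", "root:!::0:::::", 1)


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    password: str
    status: str  # "null", "locked", "set" or "malformed"


def classify_password_field(field: str) -> str:
    """Return how shadow-file authentication treats this password field."""
    if field == "":
        return "null"    # empty: shadow(5) says no password is required
    if field[0] in "!*":
        return "locked"  # "!" prefix or "*": password login disabled
    return "set"         # anything else is compared via crypt(3)


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow(5)-formatted text; blank lines and comments are skipped."""
    entries: list[ShadowEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            # No password field at all: flag it rather than guess.
            entries.append(ShadowEntry(fields[0], "", "malformed"))
            continue
        name, password = fields[0], fields[1]
        entries.append(ShadowEntry(name, password, classify_password_field(password)))
    return entries


def null_password_accounts(text: str) -> list[str]:
    """Names of all accounts whose password field is empty."""
    return [e.name for e in parse_shadow(text) if e.status == "null"]


def root_has_null_password(text: str) -> bool:
    """True when a root entry exists and its password field is empty."""
    return any(e.name == "root" and e.status == "null" for e in parse_shadow(text))


if __name__ == "__main__":
    # Read a shadow file from stdin (e.g. piped from `docker run`); with no
    # piped input, fall back to the constructed sample.
    data = SAMPLE_SHADOW if sys.stdin.isatty() else sys.stdin.read()
    for entry in parse_shadow(data):
        print(f"{entry.name:12s} {entry.status}")
    sys.exit(1 if root_has_null_password(data) else 0)
```

The exit status makes the script usable as a gate in an image-build pipeline: a non-zero result means the image's root account has an empty password field and should be rejected or rebuilt with root locked, which is the state the fixed sample shows.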