Alpine Linux is a simple, resource-efficient OS built on musl and BusyBox. Because of this small footprint, Alpine Linux is a popular base for Docker containers.

A security vulnerability has been discovered in the Alpine Linux Docker image (since v3.3). The image ships with default root credentials: an empty (null) password for root, which becomes exploitable when the image uses linux-pam or other mechanisms that rely on the system shadow file as an authentication database. In effect, root login is enabled with a blank password. This vulnerability, assigned CVE-2019-5021, was originally found and patched in 2015, but it was re-introduced in December 2015.


What is the vulnerability about?

Alpine Linux Docker images have an empty (null) password for the ‘root’ user when the shadow or linux-pam packages are installed. Any non-root user who is logged into the system can elevate their privileges to root and so take full control of the container.


CVSS v3.0 Severity and Metrics:
Base Score: 9.8 HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 Severity and Metrics:
Base Score: 10.0 HIGH
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C


Affected OS: Alpine Linux Docker image versions 3.3 through 3.9 with shadow or linux-pam installed.

Affected component: Authentication database like System Shadow file (/etc/shadow) or Linux PAM


Is your Alpine Linux container subject to this vulnerability?

You can tell whether an Alpine Linux container is vulnerable by checking the /etc/shadow file inside it. The container is vulnerable if the password field of the root entry is empty, as shown below.

Vulnerable: Alpine Linux Docker container 3.5.3


The patched container's /etc/shadow file has ‘!’ in the root user's password field. Here ‘!’ or ‘*’ means that the root account is locked, whereas an empty password field means that it is subject to the attack.

Non Vulnerable: Alpine Linux Docker container 3.9.2


The below shell script can be used to check whether your Alpine container is vulnerable or not (run it as root inside the container, since /etc/shadow is not world-readable):

#!/bin/sh
# Alpine ships BusyBox sh rather than bash, so stick to POSIX sh and plain grep/cut.
# The password field is the second colon-separated field of root's /etc/shadow entry.
var=$(grep '^root:' /etc/shadow | cut -d: -f2)
echo "root password field: '$var'"
case "$var" in
  "")        echo "System is vulnerable" ;;          # empty field: blank root password
  "!"*|"*"*) echo "System is patched" ;;             # '!' or '*' prefix: account locked
  *)         echo "root has a password hash set" ;;
esac

Mitigation:

Upgrade your images to the supported non-vulnerable versions.

Fixes are provided only for the supported Alpine Linux Docker image versions 3.6, 3.7, 3.8 and 3.9. Users of vulnerable images can upgrade to the patched versions listed below:

  • v3.9.2
  • v3.8.4
  • v3.7.3
  • v3.6.5

Workaround:
1) This vulnerability can be mitigated by disabling the root account in Docker images that use an affected Alpine version as a base. The root account can be disabled by changing root's login shell in the /etc/passwd file as shown below.

root:x:0:0:root:/root:/bin/bash => root:x:0:0:root:/root:/sbin/nologin
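The check described above and this workaround, combined into one script as an added example (not SecPod's code). It takes the shadow and passwd files as parameters, so it can be exercised on constructed copies before being pointed at the real /etc/shadow and /etc/passwd (which need root to read or change); the sample file contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the post's script. Only POSIX sh, grep, cut and sed are
# used, so it also runs under BusyBox inside an Alpine container.

# root_shadow_status FILE -> prints one of: missing, empty, locked, hashed
root_shadow_status() {
    line=$(grep '^root:' "$1" | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    # the second colon-separated field is the password field
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    if [ -z "$field" ]; then
        echo empty        # CVE-2019-5021 state: root accepts a blank password
    else
        case "$field" in
            '!'*|'*'*) echo locked ;;   # '!' or '*' prefix: account locked (patched images)
            *)         echo hashed ;;   # a real password hash is set
        esac
    fi
}

# lock_root_shell FILE -> sets root's login shell to /sbin/nologin and prints it
lock_root_shell() {
    # keep the first six fields of the root line, replace the seventh (the shell)
    sed -i 's#^\(root:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\).*$#\1/sbin/nologin#' "$1"
    grep '^root:' "$1" | head -n 1 | cut -d: -f7
}

# Constructed sample files standing in for /etc/shadow and /etc/passwd.
tmp=$(mktemp -d)
printf 'root:::0:::::\nbin:!::0:::::\n'    > "$tmp/shadow.vulnerable"
printf 'root:!::18000:0:::::\n'            > "$tmp/shadow.patched"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"

root_shadow_status "$tmp/shadow.vulnerable"   # empty
root_shadow_status "$tmp/shadow.patched"      # locked
lock_root_shell "$tmp/passwd"                 # /sbin/nologin
rm -r "$tmp"
```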

Summary
Article Name: Watch out for Alpine Linux Docker Image Root Login Vulnerability
Publisher Name: SecPod Technologies
