Docker Image Vulnerability Scanning

CVE-2019-5021: Alpine Docker Image ‘null root password’ Vulnerability

A new vulnerability that impacts Alpine Docker images was published last week. The vulnerability is due to the ‘root’ user password which is set, by default, to NULL on Alpine Docker images from version 3.3 or higher.

This CVE does not impact Alpine distros that are not delivered as Docker images.

Containers that are based on the vulnerable Alpine image and have applications that utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the ‘root’ user. This may create a scenario in which a non-root user can bypass the authentication process and gain root access inside the container.

Are Your Alpine Images Vulnerable?

To identify whether your image is vulnerable, go to a running Alpine container and execute the following command: 

$ cat /etc/shadow | grep root

A vulnerable container has the following output:

root:::0:::::

The /etc/shadow file stores the user’s password in an encrypted format. It has a special format in which each line has the user name and fields (separated by a colon) that specifies information about the password, such as the encrypted password, change time, and expiration time.

The second field in the root account of the vulnerable Alpine image is empty. This means that the password is set to NULL.

To fix this vulnerability, use new images for Alpine where the root’s password is set to “!”. This indicates that the root user cannot be used for login applications and you cannot log in to the system with this user. (You can still run applications under this user.)

A fixed Alpine image has this root record:

root:!::0:::::

Update Alpine Images to the Latest Release

First, we recommend that you update your Alpine-based images to the latest release.

The issue was fixed in the following Docker image releases (March 7, 2019):

  • edge (20190228 snapshot)
  • 9.2
  • 8.4
  • 7.3
  • 6.5

Versions 3, 4, and 5 are EOL and are still vulnerable, with no available fix. 

Using Aqua to Detect and Mitigate This Vulnerability

Use Aqua's image assurance policies to verify whether your images have an empty root password. Create a script that checks for the CVE-2019-5021 vulnerability:

1. Create a script that checks for the CVE-2019-5021 vulnerability:

#!/bin/sh

if [ $(cat /etc/shadow | grep ^root::) ]; then echo "Image is vulnerable with CVE-2019-5021"; exit 1; else echo "Image is not vulnerable"; exit 0; fi

2. Upload this script to the Custom Scripts library:

1-CustomScriptlibrary

3. Create an Image Assurance policy that checks images for the empty ‘root’ account password:

2-ImageAssurancePolicy

4. Scan an image. An image, whose /etc/shadow has a null root user, fails the custom compliance check:
3-imagevulnerable-1
(This screenshot was taken on an Alpine:3.9 image before it was fixed.)

You can also check if shadow or linux-pam packages are installed. These packages are necessary in order to exploit this vulnerability. To check for these packages, add the Package Blacklist control to the Image Assurance policy: 

4-package-blacklist

Picture of Amir Jerbi

Amir Jerbi

Amir is the Co-Founder and CTO at Aqua. Amir has 20 years of security software experience in technical leadership positions. Amir co-founded Aqua with the vision of creating a security solution that will be simpler and lighter than traditional security products. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt. In his free time, Amir enjoys backpacking in exotic places.

Docker Security, Image Vulnerability Scanning, Container Vulnerability, Thin OS

Related Posts