Attackers can log in as root with no password on affected systems
On May 8, 2019, a potentially serious vulnerability was announced in the official Docker Alpine Linux container image. The root account in the image's /etc/shadow has an empty password field, so a system built from an affected image that authenticates users through Linux PAM, or through any other mechanism that uses the shadow file as its password database, may accept an empty password for root. Affected images have potentially been downloaded thousands of times from Docker Hub over the last 3+ years. The vulnerability, CVE-2019-5021, was discovered and disclosed by Cisco researchers. Affected versions are 3.3 and later of the official Docker Alpine Linux image, prior to the fixed builds.
This vulnerability does not affect the NeuVector container images, which are built on a hardened Alpine base that does not expose unnecessary services. For NeuVector customers, the exploit risk in production is reduced by default through the enforcement of whitelist rules, which detect suspicious process and network activity and can block unauthorized connections.
The vulnerability is concerning because of the popularity of Alpine Linux and because it was reportedly discovered and patched in 2015, only to be rediscovered by Cisco this year. It appears that shortly after it was patched, the problem was reintroduced into the Docker Hub image.
Mitigating the CVE-2019-5021 Vulnerability
There are several ways to mitigate this vulnerability or prevent its exploitation.
- Update to a fixed version of the official Docker Alpine Linux image.
- Make sure your image does not have the linux-pam or shadow packages installed.
- Explicitly disable (lock) the root account in images built from an affected base, so that the root entry in /etc/shadow no longer has an empty password field.
- Prevent deployment of affected images using NeuVector Admission Control. The blocking rule can match either image names or the presence of CVE-2019-5021 in the image's vulnerability scan results.
- ‘Virtual Patch’ the vulnerability with NeuVector run-time protection. Any service in Monitor or Protect mode is monitored for suspicious processes and network activity, so an attempted exploit would be detected on at least three vectors:
a) An unauthorized network connection into the container to a service that authenticates against the shadow file (for example an SSH daemon or another PAM-backed login service), used to attempt the root login.
b) A suspicious process start in the Alpine Linux container. Note that a process such as an SSH daemon, needed to accept such a login in the first place, would itself already have been detected as suspicious.
c) After exploitation, attempted lateral movement or external connections are detected as unauthorized.
With NeuVector, any suspicious network connection can also be blocked. In addition, webhook notifications can be configured for a wide range of security conditions, including the detection of CVE-2019-5021 in any running production container or host.
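As an added example (not code from the original post, from NeuVector, or from the Alpine project), the following POSIX shell script covers the image-side mitigations listed above: it checks a shadow file for the empty root password field that CVE-2019-5021 consists of, lists every account in that state (a generalisation of the root-only check), and locks root by writing "!" into the password field, which is the form a fixed image uses. The sample shadow entries are constructed for this example; the check_image helper and the Dockerfile line in the usage note are assumed ways of applying the same check and fix to a real image.

```sh
#!/bin/sh
# Added example (not NeuVector's or Alpine's code): detect and remediate the
# condition behind CVE-2019-5021, an empty password field for root in
# /etc/shadow. The helpers read a shadow file on stdin so they can be run
# against the constructed sample below or against a real image via check_image.

# Constructed sample shadow files for this example; not copied from any image.
# Field 2 is the password hash: empty means "no password", "!" means locked.
VULN_SHADOW='root:::0:::::
bin:!::0:::::
nobody:!::0:::::'

FIXED_SHADOW='root:!::0:::::
bin:!::0:::::
nobody:!::0:::::'

# Print the name of every account whose password field is empty. This
# generalises the root check: any such account can be logged into without a
# password by tools that consult the shadow file. Prints nothing when clean.
shadow_empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# Exit 0 if the root entry specifically has an empty password field.
shadow_root_is_vulnerable() {
    grep -q '^root::'
}

# Lock the root account by writing "!" into the empty password field; all
# remaining fields are preserved. The same sed expression can be used in a
# Dockerfile RUN step (assumed remediation, see usage note).
lock_root_password() {
    sed -e 's/^root::/root:!:/'
}

# Pull /etc/shadow out of an image and report empty-password accounts.
# Requires Docker, so it is not exercised by the sample run below.
check_image() {
    docker run --rm --entrypoint cat "$1" /etc/shadow | shadow_empty_password_accounts
}

# Demonstration on the constructed samples.
if printf '%s\n' "$VULN_SHADOW" | shadow_root_is_vulnerable; then
    echo "sample image: root has an empty password (CVE-2019-5021 condition)"
fi
printf '%s\n' "$VULN_SHADOW" | shadow_empty_password_accounts                        # prints: root
printf '%s\n' "$VULN_SHADOW" | lock_root_password | shadow_empty_password_accounts   # prints nothing
printf '%s\n' "$FIXED_SHADOW" | shadow_empty_password_accounts                       # prints nothing
```

Against a real image, source the script and run `check_image alpine:3.9` (image tag assumed); an output line reading `root` means the condition is present. In a Dockerfile built from an affected base, the equivalent fix is `RUN sed -i -e 's/^root::/root:!:/' /etc/shadow` placed early in the build, and the check above can be repeated on the finished image to confirm that no account is left with an empty password field.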