This article is more than 1 year old
Docker fave Alpine Linux suffers bug miscreants can exploit to poison containers
Now that's poetic, Justicz: Update apk and images now
An infosec bod has documented a remote-code execution flaw in Alpine Linux, a distro that pops up a lot in Docker containers.
Max Justicz, researcher and creator of crowd-sourced bug bounty system Bountygraph, said on Thursday that the vulnerability could be exploited by someone with man-in-the-middle (MITM) network access, or operating a malicious package mirror, to inject arbitrary code via apk, Alpine's default package manager.
Justicz said that the vulnerability is particularly dangerous because, first, Alpine is commonly used for Docker images thanks to its small footprint, and second, most of the packages apk handles are not served via secure TLS connections, making them more susceptible to tampering.
In the worst-case scenario, the attacker could intercept apk's package requests during Docker image building, inject them with malicious code, and pass them along to the target machines that would unpack and run the code within their Docker container.
"In the default configuration of Alpine, if I can MITM the traffic going to the machine that is running that `apk` command, I can make that machine execute arbitrary code. I can also allow the Docker build command to succeed, even after my malicious code ran," Justicz told The Register.
"Once an attacker has executed their code on an image that has been built, they have complete control over what a container running from that image does in the future."
FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmackREAD MORE
The vulnerability lies in the way apk unpacks archives and deals with suspicious code. Justicz found that if the malware could be hidden within the package's commit_hooks directory, it would escape the cleanup and could then be executed as normal.
The result would be a way for an upstream miscreant or network eavesdropper to feed malware directly into the Docker container and have it run without user notification. At that point, the attacker would have their code running on the victim machine, potentially allowing for further attacks on the container or host system.
The latest version of Alpine has been updated with a fixed version of apk, and developers are being advised to rebuild their Docker images with the updated Alpine build. ®