Contain yourself, Docker: Race-condition bug puts host machines at risk... sometimes, ish

Tricky to exploit in the real world, which is good because no official fix is available yet

A vulnerability in all versions of Docker can be potentially exploited by miscreants to escape containers' security protections, and read and write data on host machines, possibly leading to code execution.

This is according to senior SUSE software engineer Aleksa Sarai, who said the flaw is a race condition bug in which a file path is changed after it has been checked as valid, and, crucially, before it is used.

The flaw, designated CVE-2018-15664, can be, in certain circumstances, abused to read and write arbitrary files on the host with root permissions from within a container, Sarai explained on Tuesday. This is possible provided there are no file system restrictions on the Docker daemon, such as those imposed by AppArmor.

And the most likely attack scenario requires a miscreant to be active within a container when a host administrator runs docker cp to copy data in or out of the container, at which point the attacker strikes to potentially alter the underlying host file system.

So, not really an emergency, yet more than a mild annoyance at this stage.

Behind the scenes

At the heart of the vulnerability is a function called FollowSymlinkInScope, which is used by Docker to resolve file paths. What Sarai found was that, in the case of docker cp, the paths could be modified using a symlink within the container to instead alter data on the host file system.

"If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root," Sarai told The Register. "An example might be some cloud management service which allows users to copy configuration files into containers (or to read files from within a container.)"

Though Sarai's disclosure focuses on docker cp, he noted that the root cause of the issue goes much deeper.

"The core flaw here is that there is an assumption that a path inside a container can be safely cleaned up to be as-is by a privileged process," he explained, "and any Docker endpoint which touches FollowSymlinkInScope might be vulnerable."

Docker CEO Steve Singh, Dockercon 19

Docker made itself popular with devs. Now it has to make itself essential for biz. But how? Ah ha! Pay-as-you-go enterprise features


To demonstrate the vulnerability in action, Sarai crafted a set of proof-of-concept scripts that show how the flaw can potentially be exploited from within a container to change files on the host machine. Sarai notified Docker's security team privately of the hole ahead of this week's public disclosure.

The PoC only works around one per cent of the time (race conditions are notoriously hard to recreate), but with repeated attempts, Sarai said, it can be reliably performed in around 10 seconds, most of the time.

Thus far, the bug hunter noted, there is no official fix available, and Docker has not said when a patch may be out. The company declined to comment. Sarai went public with the bug after the Docker security team agreed it would be better to alert customers while a patch is developed.

"The most complete solution to this problem would be to modify chrootarchive so that all of the archive operations occur with the root as the container rootfs (and not the parent directory, which is what causes the vulnerability since the parent is attacker-controlled)," said Sarai in his suggested solution.

"Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and reimplementations that would all need to be modified to be able to handle a new 'root' argument).

"So, we instead settle for the next-best option which is to pause the container during our usage of the filesystem. This is far from an ideal solution (you can imagine some attack scenarios such as shared volume mounts) where this is ineffectual but it does block the most basic attack."

Thus, so far, the proposed fix would be to pause containers during file operations, though that is unsatisfactory. Another short-term mitigation would be to disable docker cp. Sarai plans to continue to work on fixing the bug from within Linux.

"In an attempt to come up with a better solution for this problem, I've been working on some Linux kernel patches which add the ability to safely resolve paths from within a rootfs," the engineer added. "But they are still being reviewed and it will take a while for userspace to be able to take advantage of the new interfaces." ®

Other stories you might like

  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022