A fifth of the world’s most popular Docker containers contain a security issue which could make them vulnerable to attack in some circumstances, a researcher has discovered.
Kenna Security principal security engineer, Jerry Gamblin, explained that after recent Cisco Talos research revealed Alpine Linux docker images were shipping with no (nulled) root passwords, he decided to dig a little deeper.
Running a script on the 1000 most popular containers in the Docker store, he found 194 (19.4%) also had nulled root passwords.
“The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable,” he explained.
“These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with this the Alpine Linux vulnerability.”
Specifically, only containers which use Linux pluggable authentication modules (PAM) or “some other mechanism which uses the system shadow file as an authentication database” are vulnerable to exploitation, as Cisco detailed.
The most popular container on the list affected by the issue was kylemanna/openvpn: a software unit that has been used over 10 million times, according to Gamblin.
Other names on the list included govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere.
In the Alpine Linux case, exposed containers could find they are at risk of Docker image vulnerability (CVE-2019-5021), whereby an attacker can elevate their privileges to root within the container.
“Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system,” argued Gamblin.