Security researchers are urging Docker customers to upgrade to the latest version after detailing a proof-of-concept (PoC) attack exploiting a critical vulnerability, which could lead to full container escape.
The CVE-2019-14271 flaw was fixed in Docker version 19.03.1, but if left unpatched could give an attacker full root code execution on the host.
“The vulnerability can be exploited, provided that a container has been compromised by a previous attack (e.g. through any other vulnerability, leaked secrets, etc.), or when a user runs a malicious container image from an untrusted source (registry or other),” explained Palo Alto Networks senior security researcher, Yuval Avrahami.
“If the user then executes the vulnerable cp command to copy files out of the compromised container, the attacker can escape and take full root control of the host and all other containers in it.”
It has been described as one of the most serious of several vulnerabilities related to the copy (cp) command detected in various container platforms such as Docker, Podman and Kubernetes over the past few years.
It’s also the first container breakout flaw since the runC vulnerability that was disclosed back in February.
Avrahami urged Docker users to reduce their attack surface by never running untrusted images, and recommended running containers as a non-root user wherever root is not strictly necessary.
“This further increases their security and prevents attackers from exploiting many of the flaws that may be found in container engines or the kernel,” he added.
“In the case of CVE-2019-14271, if your container is run with a non-root user, you are protected. Even if an attacker compromised your container, he cannot overwrite the container’s libnss libraries as they are owned by root, and therefore cannot exploit the vulnerability.”
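The two preconditions described above, an unpatched 19.03 daemon and a container whose main process runs as root, can both be checked from `docker inspect` output. The script below is an added example written for this page; it is not code from the article, Palo Alto Networks or Docker. It assumes the real `docker inspect` JSON layout (a list of container objects whose `Config.User` field is the user set by `--user` or a Dockerfile `USER` line, with an empty string meaning Docker's default of uid 0) and the affected range given in the CVE description, 19.03.x releases before the 19.03.1 fix. The container list embedded in it is a constructed sample.

```python
"""Audit helpers for CVE-2019-14271 exposure (added example, not vendor code).

Two checks follow from the advisory text:
  1. Daemon version: the bug is present in 19.03.x releases before 19.03.1
     (range taken from the CVE description; assumption stated in the lead-in).
  2. Container user: the copy helper loads libnss libraries out of the
     container's filesystem, so the attacker inside the container must be able
     to overwrite those root-owned files. A container running as a non-root
     user cannot, which is the mitigation quoted above.

Usage (real data):   docker inspect $(docker ps -q) | python3 audit.py 19.03.0
Usage (stand-alone): python3 audit.py            # uses the constructed sample
"""
import json
import re
import sys

# Constructed sample shaped like `docker inspect` output (only the fields we use).
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"User": ""}},           # Docker default: uid 0
    {"Name": "/worker", "Config": {"User": "1000:1000"}},
    {"Name": "/legacy", "Config": {"User": "root"}},
    {"Name": "/api", "Config": {"User": "app"}},
]


def parse_version(version: str) -> tuple:
    """'19.03.1' -> (19, 3, 1). Tolerates suffixes such as '-ce' or '-rc2'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Docker version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_affected(version: str) -> bool:
    """True for 19.03.x daemons older than the 19.03.1 fix."""
    v = parse_version(version)
    return v[:2] == (19, 3) and v < (19, 3, 1)


def container_runs_as_root(inspect_entry: dict) -> bool:
    """True when Config.User resolves to root.

    Empty string (Docker's default), 'root', '0' and '0:<gid>' all mean uid 0.
    Caveat: a custom user name that the image's /etc/passwd maps to uid 0 is
    not detected here; that would need a look inside the image.
    """
    user = (inspect_entry.get("Config", {}).get("User") or "").strip()
    if user == "":
        return True
    name_or_uid = user.split(":", 1)[0]
    return name_or_uid in ("root", "0")


def audit(server_version: str, containers: list) -> dict:
    """Combine both checks into one findings dict."""
    return {
        "daemon_affected": version_affected(server_version),
        "root_containers": [
            c.get("Name", "").lstrip("/")
            for c in containers
            if container_runs_as_root(c)
        ],
    }


def main(argv: list) -> None:
    version = argv[1] if len(argv) > 1 else "19.03.0"
    # When stdin is a pipe, read real `docker inspect` output; otherwise demo.
    containers = SAMPLE_CONTAINERS if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(version, containers)
    state = "AFFECTED" if findings["daemon_affected"] else "fixed"
    print(f"docker daemon {version}: {state} (fix is 19.03.1)")
    for name in findings["root_containers"]:
        print(f"  container {name!r} runs as root: exploitable if docker cp is used on it")
    if findings["daemon_affected"] and not findings["root_containers"]:
        print("  no root containers found; upgrade the daemon anyway")


if __name__ == "__main__":
    main(sys.argv)
```

A container flagged here is only exploitable if an administrator later runs `docker cp` against it while the daemon is unpatched, so the daemon check is the one that matters most; the user check shows which containers would have been protected by the non-root mitigation regardless.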
Although the vulnerability was disclosed and then patched by Docker in July, Avrahami warned that it received little public attention, “perhaps due to an ambiguous CVE description and a lack of a published exploit.”
The hope is that this first PoC will focus the minds of Docker customers, if they haven’t patched already.