19.4 percent of the Docker store's top 1000 containers have no root password, potentially exposing users' systems to attacks under certain conditions.
Last week, a similar flaw was found impacting the official Alpine Linux Docker image, when Talos researchers discovered that all images since v3.3 were shipping with a root account with a null password. The vulnerability meant attackers who infiltrated systems via another entry point, or users with shell (remote) access, could elevate their privileges to root within the container.
Over the weekend, security expert Jerry Gamblin built a script that checked the top 1000 Docker containers from the Docker store to determine if they were impacted by the same misconfiguration.
After tweaking the script to correct for duplicates, Gamblin found that 194 of the 1000 containers he analysed had blank passwords, including images from the UK government, HashiCorp, Microsoft, Monsanto and Mesosphere.
Sources:
[Editors Comment: The submitter is employed by the first source. Alternative sources have been found for this story to verify its content.]
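The check the story describes amounts to reading each image's /etc/shadow and flagging accounts whose password field is empty. The following is an added audit helper, not Gamblin's script or any code from the sources; it assumes the shadow file has been pulled out of the image beforehand (for example with `docker run --rm --entrypoint cat IMAGE /etc/shadow`) and the sample input is constructed to resemble the Alpine case.

```python
"""Audit /etc/shadow text from a container image for accounts with no password.

Assumed usage (hypothetical, not from the page): capture the file with
    docker run --rm --entrypoint cat IMAGE /etc/shadow > shadow.txt
and pass its contents to audit_shadow(). The sample below is constructed.
"""
from dataclasses import dataclass

# A password field starting with "!" or "*" can never match a hash, so the
# account is locked for password login; an empty field is the dangerous case.
LOCKED_PREFIXES = ("!", "*")


@dataclass
class AccountStatus:
    name: str
    state: str  # "empty", "locked" or "hashed"


def classify_password_field(field: str) -> str:
    """Map the second shadow field to a coarse login state."""
    if field == "":
        # No password required wherever the authenticating program treats an
        # empty field as "no password" (the condition in the Alpine case).
        return "empty"
    if field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "hashed"


def audit_shadow(text: str) -> list[AccountStatus]:
    """Parse shadow-format text and classify every account in it."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry: {raw!r}")
        results.append(AccountStatus(fields[0], classify_password_field(fields[1])))
    return results


def passwordless_accounts(text: str) -> list[str]:
    """Names of accounts whose password field is empty (the finding to report)."""
    return [a.name for a in audit_shadow(text) if a.state == "empty"]


# Constructed sample: root has an empty password field, system accounts are
# locked, and one application user carries a (fake) hash.
SAMPLE_SHADOW = """\
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:*::0:::::
app:$6$saltsalt$fakehashvalue:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for acct in audit_shadow(SAMPLE_SHADOW):
        print(f"{acct.name:<10} {acct.state}")
    print("accounts with empty password field:", passwordless_accounts(SAMPLE_SHADOW))
```

An empty field only matters on a login path that consults it, which is why the original advisory framed the risk as conditional; an image that ships root locked (`!` or `*`) does not need a password set at all.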
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @08:56PM (3 children)
This is kind of dumb.
Sure, setting a password is important, but that should be done when the container is first *run*. It should definitely not be set to a *documented* value (think 'cisco123'), since many folks won't change the root password unless they are forced to do so.
As such, on first run, all Docker containers should run a script requiring the root and any other active user accounts to change passwords *before* exposing the running container.
Apparently (and sadly), this isn't as easy as it might be:
https://stackoverflow.com/questions/22651647/docker-and-securing-passwords [stackoverflow.com]
What's more, as the above link mentions (and is detailed here: https://medium.com/@mccode/dont-embed-configuration-or-secrets-in-docker-images-7b2e0f916fdd [medium.com] ) passwords/sensitive info should never be stored in Docker containers. In fact, not storing passwords (or documenting default passwords) is discouraged.
That such passwords aren't set is a non-issue IMHO, and setting root passwords (at least without the requirement that they are changed/set when the container is first run) is both poor security practice and a recipe for pwnership.
As such, Jim Orme should probably focus on something useful if he wants us to read his site (techerati.com), as I haven't seen anything from there yet that gives me a reason not to prefer other sites over it.
(Score: 2) by janrinok on Thursday May 23 2019, @12:59AM (2 children)
Noted, your feedback is appreciated.
(Score: 2) by Whoever on Thursday May 23 2019, @04:38AM (1 child)
He should also focus on important things, not pointless scares:
https://soylentnews.org/comments.pl?noupdate=1&sid=31733&page=1&cid=846353#commentwrap [soylentnews.org]
(Score: 2, Interesting) by janrinok on Thursday May 23 2019, @06:55AM
We are investigating how best to report stories where the submitter has a professional link to the source material. It is possible that this could result in biased submissions. We can usually find additional stories to support claims made in the submission, but we feel that it is equally as important to point out to the community that the link exists so that they can better evaluate any claims made.
Currently, I am leaning towards a combination of listing additional sources and an editorial comment bringing the reader's attention to the professional link between submitter and one of the sources. We will consider what action to take when we receive a submission for which we can find no supporting sources if, and when, it occurs. One option would be to simply reject the submission but that might in some cases result in good information being lost unnecessarily. We will continue to review the matter and we welcome community feedback.