19.4 percent of the Docker store's top 1000 containers have no root password, potentially exposing users' systems to attacks under certain conditions.
Last week, a similar flaw was found impacting the official Alpine Linux Docker image, when Talos researchers discovered that all images since v3.3 were shipping with a root account with a null password. The vulnerability meant attackers who infiltrated systems via another entry point, or users with shell (remote) access, could elevate their privileges to root within the container.
Over the weekend, security expert Jerry Gamblin built a script that checked the top 1000 docker containers from the Docker store to determine if they were impacted by the same misconfiguration.
After tweaking the script to correct for duplicates, Gamblin found that 194 of the 1000 containers he analysed had blank passwords, including images from the UK government, HashiCorp, Microsoft, Monsanto and Mesosphere.
Sources:
- https://techerati.com/news-hub/19-of-the-most-popular-docker-containers-have-no-root-password/
- https://www.infosecurity-magazine.com/news/fifth-of-docker-containers-have-no-1/
- https://www.bleepingcomputer.com/news/security/194-of-the-top-1000-docker-containers-don-t-have-root-passwords/
[Editors Comment: The submitter is employed by the first source. Alternative sources have been found for this story to verify its content.]
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @05:59PM (1 child)
It's crazy how reckless this is becoming. I think there was more security in the old days when websites belonged to a "ring of trust". Talk about setting the bar looooooow.
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @06:03PM
https://i.kym-cdn.com/photos/images/newsfeed/000/885/519/eef.png [kym-cdn.com]
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @06:31PM
Why isn't a password a requirement instead of an option? Perhaps provide an option to skip passwords for whatever reason, but that switch should be "off" by default. Hosters should deny or at least warn uploaders if there is no password set. Otherwise, "the cloud" will get a bad name and hurt their business.
(Score: 3, Informative) by ikanreed on Wednesday May 22 2019, @06:47PM (2 children)
Daemon runs as root, any docker run command can take arbitrary volumes, run commands often controlled by swarm config files in unprotected spaces, container buffer overruns are still real physical threads on the host system, the fact that group docker is the same thing as group sudoer.
Only a little of that affects the use cases for docker I have where I work. This one not at all.
The solutions of this particular problem for a sensible developer are pretty easy though
Then you can set it to whatever you want at build time, without having the password kept in an insecure place like a git repo
(Score: 4, Interesting) by epitaxial on Wednesday May 22 2019, @08:00PM (1 child)
Docker is just a product of a larger problem. Code is so fragmented and broken that only the author can compile it. So instead of cleaning up the problems they just make a container.
(Score: 4, Informative) by ikanreed on Wednesday May 22 2019, @08:36PM
Yeah, it does seem to be abused that way.
My use case for it is a little more particular. We want to be able to certify to a third party that we can re-run exactly the same code in exactly the same way 15 years after it was run the first time, bugs and all. Sticking all the code and all the system dependencies into a sealed image we can file away forever is a nice choice.
There is another case for it though, where it's not just a lampshade on laziness and bad docs. Dynamic scaling. To be able to deploy particular applications to more nodes as demand increases is kind of a hard problem without docker. Doing a flat clone brings environment stuff that gets in the way. Rebuilding Just In Time style doesn't scale rapidly enough for anything realtime. It fits a neat niche, without needing a homeroll solution.
(Score: 5, Informative) by NewNic on Wednesday May 22 2019, @06:54PM (1 child)
How much of an issue this is depends on other settings. A blank password does not automatically mean that a user can authenticate as root. Instead, it may mean that no-one can authenticate as root -- instead you must log in as a regular user and use sudo to get root access. This is the default on Debian and many Debian-derived distros.
From the PAM documentation:
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by progo on Thursday May 23 2019, @02:07AM
... and I haven't been pwned. Switching from user 'progo' to 'root' is allowed. Logging in as 'root' is not. This is how Ubuntu is supposed to work, and I hear Ubuntu is a rather popular server OS.
(Score: 2, Touché) by fustakrakich on Wednesday May 22 2019, @08:35PM (2 children)
What's a Docker Container?
La politica e i criminali sono la stessa cosa..
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @09:39PM (1 child)
I was thinking it's a large shipment of Levi's casual pants.
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @10:47PM
I was thinking Sperry deck shoes . . . passwords instead of laces? Makes no sense.
(Score: 0) by Anonymous Coward on Wednesday May 22 2019, @08:56PM (3 children)
This is kind of dumb.
Sure, setting a password it important, but that should be done when the container is first *run*. It should definitely not be set to a *documented* value (think 'cisco123'), since many folks won't change the root password unless they are forced to do so.
As such, on first run, all Docker containers should run a script requiring the root and any other active user accounts to change passwords *before* exposing the running container.
Apparently (and sadly), This isn't as easy as it might be:
https://stackoverflow.com/questions/22651647/docker-and-securing-passwords [stackoverflow.com]
What's more, as the above link mentions (and is detailed here: https://medium.com/@mccode/dont-embed-configuration-or-secrets-in-docker-images-7b2e0f916fdd [medium.com] ) passwords/sensitive info should never be stored in Docker containers. In fact, not storing passwords (or documenting default passwords) is discouraged.
That such passwords aren't set is a non-issue IMHO, and setting root passwords (at least without the requirement that they are changed/set when the container is first run) is both poor security practice and a recipe for pwnership.
As such, Jim Orme should probably focus on something useful if he wants us to read his site (techerati.com), as I haven't seen anything from there yet that gives me a reason not to prefer other sites over it.
(Score: 2) by janrinok on Thursday May 23 2019, @12:59AM (2 children)
Noted, your feedback is appreciated.
(Score: 2) by Whoever on Thursday May 23 2019, @04:38AM (1 child)
He should also focus on important things, not pointless scares:
https://soylentnews.org/comments.pl?noupdate=1&sid=31733&page=1&cid=846353#commentwrap [soylentnews.org]
(Score: 2, Interesting) by janrinok on Thursday May 23 2019, @06:55AM
We are investigating how best to report stories where the submitter has a professional link to the source material. It is possible that this could result in biased submissions. We can usually find additional stories to support claims made in the submission, but we feel that it is equally as important to point out to the community that the link exists so that they can better evaluate any claims made.
Currently, I am leaning towards a combination of listing additional sources and an editorial comment bringing the reader's attention to the professional link between submitter and one of the sources. We will consider what action to take when we receive a submission for which we can find no supporting sources if, and when, it occurs. One option would be to simply reject the submission but that might in some cases result in good information being lost unnecessarily. We will continue to review the matter and we welcome community feedback.
(Score: 0) by Anonymous Coward on Tuesday May 28 2019, @06:48PM
If someone who deploys docker containers in a production environment does not set a password to it when deploying it, they deserve to be hacked, beaten and then start working to a job they should be doing on the first place: fry eggs in a fast food shithole.
Noone in the right mind uses docker containers in production anyways.