A security vulnerability in the official Docker images based on the Alpine Linux distribution allowed, for more than three years, logging into the root account with a blank password.
Tracked as CVE-2019-5021, the vulnerability has a critical severity score of 9.8. It was initially reported in build 3.2 of the Alpine Linux Docker image and patched in November 2015, with regression tests added to prevent it from recurring.
Bug regresses, remains unnoticed
However, a new commit was pushed later that year to simplify the regression tests.
“This led to logic that may have caught this regression being simplified, causing these tests to be incorrectly ‘satisfied’ if the root password was once again removed,” Cisco Talos says in a report today.
A subsequent commit removed the “disable root by default” flag from the ‘edge’ build properties file, allowing the bug to regress in the following builds of the image, from v3.3 through 3.9.
The result was a blank sp_pwdp (password) field in /etc/shadow, the account management file where user passwords are stored in hashed form; with that field empty, logging in as root succeeds without typing any password.
Peter Adkins of Cisco Umbrella found the problem again earlier this year and put it into the limelight. The official Alpine Linux Docker image has over 10 million downloads.
The vulnerability was fixed and closed on March 8, 2019, but it could have been resolved sooner, as it was rediscovered and reported on August 5. It slipped through because it was not flagged as a security problem.
All supported builds have been updated and are “now only generated from upstream minirootfs tarballs,” shows a commit from Natanael Copa, the creator of Alpine Linux. Release and update scripts have been refactored and moved to the official Alpine Linux image repository on the Docker portal.
To mitigate the issue on systems that still run vulnerable builds of the Alpine Linux container, Cisco Talos recommends disabling the root account.
“The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM [Pluggable Authentication Modules], or some other mechanism which uses the system shadow file as an authentication database,” Cisco Talos says.
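To make the condition above concrete, here is an added example (not code from the article, Alpine, or Cisco Talos) that parses shadow-format text, flags accounts whose sp_pwdp field is empty, and applies the recommended mitigation by locking the account the way `passwd -l` does. The shadow content is constructed for the demo; on a real host you would pass the contents of /etc/shadow.

```python
"""Detect and lock accounts with an empty password field in /etc/shadow.

Added example, not from the article or Alpine's own scripts. It models the
CVE-2019-5021 condition: an empty second field (sp_pwdp) lets PAM-backed logins
accept a blank password. SAMPLE_SHADOW is constructed for the demo; on a real
host use open("/etc/shadow").read() (requires root).
"""

# Constructed sample: root has an empty password field (the vulnerable state),
# bin is disabled with "!", alice has a placeholder hash.
SAMPLE_SHADOW = """\
root::18000:0:::::
bin:!::0:::::
alice:$6$saltsalt$hashhashhash:18000:0:99999:7:::
"""

def parse_shadow(text):
    """Yield (user, password_field) for each non-empty line of shadow-format text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed shadow line: %r" % line)
        yield fields[0], fields[1]

def blank_password_accounts(text):
    """Return accounts whose sp_pwdp field is empty: any password is accepted."""
    return [user for user, pw in parse_shadow(text) if pw == ""]

def is_locked(pw):
    """A field starting with '!' or '*' can never match a password (account disabled)."""
    return pw.startswith(("!", "*"))

def lock_account(text, user):
    """Return shadow text with `user` disabled (the mitigation the article recommends).
    Prefixing '!' is what `passwd -l` does; an empty field simply becomes '!'."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user and not is_locked(fields[1]):
            fields[1] = "!" + fields[1]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for user in blank_password_accounts(SAMPLE_SHADOW):
        print("blank password for %s: a PAM login with no password would succeed" % user)
    print(lock_account(SAMPLE_SHADOW, "root"))
```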