Attacker Value
High
(5 users assessed)
Exploitability
High
(5 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-5021

Disclosure Date: May 08, 2019
CVE-2019-5021 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user.

Add Assessment

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Alpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs shadow or linux-pam. This docker image is used as a base for many custom-built docker containers and often-distributed images.

Older and unsupported containers can be mitigated by:

    # make sure root login is disabled
    RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

Alternatively you could make sure that you don’t have linux-pam installed.

What common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: https://hub.docker.com/search?q=alpine&type=image

Log in to Add Reply
2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Easy container root if you encounter it.

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I think this is a required field.

Log in to Add Reply
1
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Common in enterpriseDifficult to patchEasy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

The fact that Alpine is widely used makes this an easy way to escalate privileges. Most Enterprises also don’t update their “Golden” containers that often. Privilege escalation on a host that is using containers is likely valuable as that host will likely have valuable information on it.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Required?

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Alpine Linux Alpine Docker 3.3 Alpine Docker 3.4 Alpine Docker 3.5 Alpine Docker 3.6 Alpine Docker 3.7 Alpine Docker 3.8 Alpine Docker 3.9 Alpine Docker Edge
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
https://twitter.com/ropnop/status/1126554942418894852
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • f5,
  • gliderlabs,
  • opensuse

Products

  • big-ip controller 1.2.1,
  • docker-alpine,
  • leap 15.0,
  • leap 15.1
Technical Analysis