High
CVE-2019-5021
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2019-5021
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root
user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root
user.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityVery High
Technical Analysis
Alpine Docker prior to 7 March 2019, (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) do not set a root password, allowing a user to escalate to root if the user installs shadow
or linux-pam
. This docker image is used as a base for many custom-built docker containers and often-distributed images.
Older and unsupported containers can be mitigated by:
# make sure root login is disabled RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
Alternatively you could make sure that you don’t have linux-pam installed.
What common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: https://hub.docker.com/search?q=alpine&type=image
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueMedium
-
ExploitabilityVery High
Technical Analysis
Easy container root if you encounter it.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
I think this is a required field.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityVery High
Technical Analysis
The fact that Alpine is widely used makes this an easy way to escalate privileges. Most Enterprises also don’t update their “Golden” containers that often. Privilege escalation on a host that is using containers is likely valuable as that host will likely have valuable information on it.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueMedium
-
ExploitabilityMedium
Technical Analysis
Required?
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- f5,
- gliderlabs,
- opensuse
Products
- big-ip controller 1.2.1,
- docker-alpine,
- leap 15.0,
- leap 15.1
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: