Attacker Value
High

CVE-2019-5021

Disclosure Date: May 08, 2019
Last updated February 13, 2020

Exploitability

(5 users assessed) High
Attack Vector
Unknown
Privileges Required
Unknown
User Interaction
Unknown

Description

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user.

This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user.


2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Easy container root if you encounter it.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I think this is a required field.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Alpine Docker prior to 7 March 2019 (edge 20190228 snapshot, v3.9.2, v3.8.4, v3.7.3, v3.6.5) does not set a root password, allowing a user to escalate to root if the user installs shadow or linux-pam. This Docker image is used as a base for many custom-built Docker containers and often-distributed images.

Older and unsupported containers can be mitigated by:

    # make sure root login is disabled
    RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

Alternatively you could make sure that you don’t have linux-pam installed.

What common docker images use Alpine? Are any of them locked to older versions? It may be worth looking through the Docker Hub to identify commonly downloaded/starred images: https://hub.docker.com/search?q=alpine&type=image
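
Added example, not part of the assessment above or of Alpine's own tooling: a shell audit that lists accounts with an empty password field in a shadow-format file and confirms that the `root::` to `root:!:` substitution quoted above closes the gap. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for empty password fields.

# Constructed sample entries (not copied from a real image).
sample_shadow() {
    cat <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:*::0:::::
app:$6$constructedsalt$constructedhash:18000:0:99999:7:::
EOF
}

# Print every account whose password field (field 2) is empty.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# Print "empty", "locked", "hashed" or "missing" for USER ($2) in FILE ($1).
# "hashed" here means any value that is neither empty nor starts with ! or *.
shadow_status() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "") { print "empty" }
            else if ($2 ~ /^[!*]/) { print "locked" }
            else { print "hashed" }
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Apply the root:: -> root:!: substitution quoted on this page to FILE ($1).
lock_root() {
    sed -e 's/^root::/root:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a temporary copy of the constructed sample.
tmp=$(mktemp)
sample_shadow > "$tmp"
echo "before: root=$(shadow_status "$tmp" root) empty=[$(empty_password_accounts "$tmp")]"
lock_root "$tmp"
echo "after:  root=$(shadow_status "$tmp" root) empty=[$(empty_password_accounts "$tmp")]"
rm -f "$tmp"
```

Pointing `empty_password_accounts` at `/etc/shadow` inside an image build or a running container gives a non-empty result only when an account can authenticate with a NULL password.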

1
Ratings
Technical Analysis

The fact that Alpine is widely used makes this an easy way to escalate privileges. Most enterprises also don’t update their “Golden” containers that often. Privilege escalation on a host that is using containers is likely valuable as that host will likely have valuable information on it.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Required?
