Unpatched Docker Bug Highlights Cloud Security Issue


Docker's latest security scare shows that even when you take all the right steps to secure your containers, you may still fall victim to basic architectural flaws.

Security researcher Aleksa Sarai sounded the alert late in May, revealing an inherent flaw in the way that Docker containers manage file path names. The bug potentially gives an attacker read and write access to any file path on the host machine. 

The problem lies with the FollowSymlinkInScope function, which takes a path to a file on a host machine and resolves it as though the process were running inside the container. The function is vulnerable because the resolved path is not used immediately: the gap between resolving the path and using it is a race window (a time-of-check to time-of-use flaw) in which an attacker can change what the path points to, redirecting it to a different file of their choosing.

An immediate attack vector is docker cp, the command used to copy files between a host system and a container.

“There is no released Docker version with a fix for this issue at the time of writing,” warned Sarai, adding that he had submitted a patch which was undergoing upstream review.

This patch would force the host operating system to pause a container while the host side is using its file system. It's far from ideal, but it would block the most basic forms of attack, he added.

How serious is this? Any zero-day is a potential danger, and a successful exploit could give an attacker control of the host filesystem. 

To do that, though, an attacker would need to be operating inside a container (meaning that it was already compromised), and they'd need to modify a file at the same moment the user was copying it using docker cp. That gives them only a few milliseconds to mount the attack, Docker told us, adding that it would fix the problem in its next monthly release.

Attacks are certainly possible. Sarai included two scripts that could exploit the flaw, which is classified as High in the National Vulnerability Database.

“As far as I'm aware there are no meaningful protections against this kind of attack (other than not allowing 'docker cp' on running containers, -- but that only helps with this particular attack through FollowSymlinkInScope),” he warned.

Docker said that manually running the docker pause command while running docker cp is a good workaround until it fixes the issue. You can also run AppArmor, a Linux kernel security module that lets you restrict what processes on the host are allowed to access.
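To make the race window concrete, here is an added Go example; it is not Docker's code. ResolveInScope is a minimal stand-in for the check that FollowSymlinkInScope performs, and OpenInRoot shows the structural alternative to pausing the container: walking the path by file descriptor with O_NOFOLLOW, so that there is no string to swap out between the check and the use. It assumes Linux and a root directory whose own path contains no symlinks; both function names are my own.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrOutOfScope = errors.New("resolved path escapes the root")

// ResolveInScope is the check half of the pattern the article describes: resolve
// symlinks in path (relative to an already symlink-free root) and confirm the
// result stays under root. Nothing stops a component from changing after this.
func ResolveInScope(root, path string) (string, error) {
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, path))
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+"/") {
		return "", ErrOutOfScope
	}
	return resolved, nil
}

// OpenInRoot never trusts a path string: it walks from a descriptor of root one
// component at a time with O_NOFOLLOW, so a component that has become a symlink
// fails (ELOOP) instead of being followed. It refuses in-scope symlinks too.
func OpenInRoot(root, path string) (*os.File, error) {
	fd, err := syscall.Open(root, syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	// Clean drops lexical ".." escapes; FieldsFunc drops empty components.
	parts := strings.FieldsFunc(filepath.Clean("/"+path), func(r rune) bool { return r == '/' })
	for i, part := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real directories
		}
		next, err := syscall.Openat(fd, part, flags, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, err
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, path)), nil
}
```

Refusing every symlink is a blunter policy than Docker's, which follows links that stay inside the container; the point is that the check and the open are the same operation, so there is no window for a swap.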

The topic of Cloud Security will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cloud Security here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
