CVE-2018-15664 Vulnerability Analysis Report

  Recently, Aleksa Sarai, a security engineer at SUSE, disclosed CVE-2018-15664, a high-severity vulnerability in Docker with a CVSS score of 8.7. The flaw affects all Docker releases: an attacker who exploits it can escape the container and read or tamper with files on the host or in other containers. Docker has published a temporary mitigation to reduce the attack surface and will ship a proper fix in the next release.

Vulnerability Description

  The root cause is a TOCTTOU (time-of-check-to-time-of-use) file-system race condition in the FollowSymlinkInScope function. This function is used in several places in the Docker source; the most direct user is the docker cp command. As Sarai describes it, FollowSymlinkInScope resolves file paths inside the running container, and an attacker can use the gap between the completion of path resolution and the copy operation performed by cp to change a symbolic link so that it points at a different target file. In principle, an attacker with root in a container can therefore gain access to any file on the host or in other containers.
  According to the official explanation, the attacker must first have access to the target container and permission to run the docker cp command, and the attack can only succeed within the millisecond-scale window between path resolution and completion of the copy. The attack is therefore fairly difficult and requires considerable expertise, so Docker users need not be overly alarmed. Below we describe the progress on fixing the vulnerability.

Remedy:

  Fortunately, the docker cp command is the only externally exposed interface within the scope of the vulnerability, and the Docker community quickly provided a temporary mitigation: run docker pause before the docker cp command and docker unpause after it. In next month's release, pause and unpause will be added automatically to the cp command's execution path, so that the container is frozen during the copy and its processes cannot tamper with the files being copied.
  Sarai also pointed out that the fundamental fix is to change the chrootarchive archive logic so that it uses the container's rootfs as the chroot root (rather than the parent directory, which may already be under the attacker's control). Because chrootarchive is part of Docker's low-level source, the change would affect related interfaces such as Tar/Untar, so the root cause has not yet been fixed; however, a related PR has been submitted, and the community is expected to publish a corresponding patch. Sarai has also proposed kernel-level changes, but such low-level modifications are not expected to be applied to fix the Docker vulnerability in the short term.

How to guard against short-term:

  The attack requires that the attacker is able to run the docker cp command. Alibaba Cloud Container Service enables RBAC-based access control by default, so unauthorized users cannot run cp against a container. For cases where an attacker could obtain illegitimate access to the cp command, we offer the following suggestions:

1) Restrict the use of the docker cp command.
2) Run docker pause before and docker unpause after each docker cp.
3) Use tools such as AppArmor to limit the container's access to sensitive host directories, and monitor and audit the relevant operations.
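The pause/copy/unpause sequence from suggestion 2, as an added shell wrapper that is not part of the original article or of Docker itself. It assumes the docker CLI is on PATH (the DOCKER variable is an assumed override for the binary) and always resumes the container even when the copy fails.

```shell
#!/bin/sh
# Added example, not from the original article or from Docker.
# Wraps "docker cp" in pause/unpause so that no process inside the container
# can swap a symlink between path resolution and the copy (the TOCTTOU window
# in FollowSymlinkInScope). DOCKER is an assumed override for the CLI binary.
DOCKER="${DOCKER:-docker}"

# usage: safe_docker_cp <container> <docker-cp-src> <docker-cp-dest>
# src/dest are passed to "docker cp" unchanged, so both directions work:
#   safe_docker_cp web web:/var/log/app.log ./app.log
#   safe_docker_cp web ./config.yml web:/etc/app/config.yml
safe_docker_cp() {
  container="$1"; src="$2"; dest="$3"
  if [ -z "$container" ] || [ -z "$src" ] || [ -z "$dest" ]; then
    echo "usage: safe_docker_cp <container> <src> <dest>" >&2
    return 64
  fi

  # Freeze every process in the container (cgroup freezer) before any path
  # inside it is resolved. Refuse to copy at all if that is not possible.
  if ! "$DOCKER" pause "$container"; then
    echo "error: could not pause $container; refusing to copy" >&2
    return 1
  fi

  # Perform the copy while the container is frozen; remember its exit status.
  if "$DOCKER" cp "$src" "$dest"; then
    rc=0
  else
    rc=$?
  fi

  # Always resume the container, even if the copy failed. A container left
  # paused is an availability problem, so report that as an error as well.
  if ! "$DOCKER" unpause "$container"; then
    echo "error: copy finished with status $rc but $container is still paused" >&2
    return 1
  fi
  return "$rc"
}
```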

Origin yq.aliyun.com/articles/704515