Docker users have been left waiting for a fix to a vulnerability that affects all versions of the container platform and could feasibly allow an attacker to gain access to the host and wreak wider havoc, it has emerged.
A potted description on the National Vulnerability Database says that “In Docker through 18.06.1-ce-rc2, the API endpoints behind the ‘docker cp’ command are vulnerable to a symlink-exchange attack with Directory Traversal…”
This could give attackers “arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).”
The vulnerability was discovered by SUSE’s Aleksa Sarai, who disclosed the runc vulnerability that caused waves in the container world back in February. Sarai has posted a patch that is still undergoing code review, according to a seclists post dated yesterday, which also includes exploit scripts for the flaw.
Sarai wrote, “You could see this exploit as a continuation of some ‘docker cp’ security bugs that I helped find and fix more than 4 years ago in 2014[3,4] (these were never assigned CVEs because at the time it was thought that attacks which used access to docker.sock were not valid security bugs).”
“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing “docker cp” on running containers — but that only helps with this particular attack through FollowSymlinkInScope),” he added. “Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem — I haven’t verified if the issue is as exploitable under the default SELinux configuration on Fedora/CentOS/RHEL.”
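The weakness described above is a check-then-use gap: a path is resolved against the container root as a string, then used later, and a symlink swapped in between the two steps is followed. The page names freezing the filesystem or working inside a chroot as the missing defence; a related defensive pattern, shown here as an added Python example that is not Docker’s code, is to hold a directory descriptor and walk the path one component at a time with openat(2) and O_NOFOLLOW, so nothing is ever re-resolved from the root. The fixture directory names, file contents and the `PathEscape` error are constructed for the demonstration.

```python
import errno
import os
import tempfile

class PathEscape(Exception):
    """A component was a symlink or '..': the walk would leave the root."""

def open_beneath(root, rel):
    """Open rel under root with one openat(2) per component, O_NOFOLLOW on each.
    Each name is opened relative to the previous directory's fd, never re-resolved
    from a string path, so a symlink swapped in between steps fails with ELOOP
    instead of being followed. A leading "/" means the root itself. Caller owns fd."""
    parts = [p for p in os.path.normpath(rel).split("/") if p not in ("", ".")]
    if ".." in parts:  # after normpath, ".." survives only where it climbs above root
        raise PathEscape(rel)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    for part in parts:
        try:
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=fd)
        except OSError as exc:
            os.close(fd)  # release the directory we were standing in, then report
            raise PathEscape(rel) if exc.errno == errno.ELOOP else exc
        os.close(fd)
        fd = nxt
    return fd

def read_beneath(root, rel):
    """Read a file below root, or raise PathEscape if the path would leave it."""
    with os.fdopen(open_beneath(root, rel), "rb") as f:
        return f.read()

def make_fixture():
    """Constructed tree: a 'container root' with two symlinks pointing out of it."""
    tmp = tempfile.mkdtemp(prefix="beneath-")
    root = os.path.join(tmp, "root")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "ok.txt"), "wb") as f:
        f.write(b"container file")
    os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "data", "leaf"))
    os.symlink(tmp, os.path.join(root, "updir"))  # directory symlink that climbs out
    return root

if __name__ == "__main__":
    root = make_fixture()
    for p in ("data/ok.txt", "/data/ok.txt", "data/leaf", "updir/secret.txt", "../x"):
        try:
            print(f"{p:18} -> {read_beneath(root, p)!r}")
        except PathEscape:
            print(f"{p:18} -> refused (would escape root)")
```

A naive `open(os.path.join(root, rel))` on the same fixture would follow both symlinks; here each link is rejected at the step where it appears, whether it was planted before the copy or swapped in mid-walk.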
Sarai posted his patches last week, and said his disclosure had been made with the agreement of Docker’s security team.
Docker has yet to make any public statements on the vulnerability.