Docker Arbitrary File Read/Write Access Vulnerability

A critical race condition vulnerability has been disclosed in the Docker, tracked as CVE-2018-15664. The vulnerability affects all versions of Docker and resides in the FollowSymlinkInScope function, which is vulnerable to the time of check to time of use (TOCTOU) attack.

Affected Versions:
All Docker versions available till now.

Vulnerability:

Form the bug, it appears that FollowSymlinkInScope function used to resolve a specified path in an insecure manner by treating it as docker processes. But after the full path has been resolved, the resolved path is not used immediately. This gives an opportunity to the attacker to modify a resource in this interval to read or modify data, escalate privileges, or cause the application to behave differently.

The researcher also explained, this issue can be leveraged with the ‘docker cp‘ utility, which would give an attacker read and write access to any path on the host.

The researcher provided Dockerfile & two scripts one for writing and one for reading as Proof-of-Concept (PoC)

Conclusion:

There is no fix for this issue from Docker yet; however researcher submitted a patch upstream and is still under code review. Qualys customers can scan using QID:371805 to detect vulnerable assets.

Please continue to follow Qualys Threat Protect for more information on this vulnerability.

References & Sources:

https://www.openwall.com/lists/oss-security/2019/05/28/1

https://github.com/moby/moby/pull/39252

Leave a Reply

Your email address will not be published. Required fields are marked *