Unpatched flaw impacting all Docker versions allows root access to host file system

Developers belatedly working on fix for time-of-check to time-of-use (TOCTOU) Docker security flaw

All current versions of Docker are vulnerable to a race condition bug, which could enable attackers to acquire read-write access to any file or path on a host system from within a container.

That's according to Aleksa Sarai, a security researcher, who describes the bug as a time-of-check to time-of-use (TOCTOU) type of bug. Sarai explains that a TOCTOU bug gives attackers a window in which to change a file path after it has been resolved and checked, but before the programme actually uses the resource.

According to Sarai, the vulnerability, designated CVE-2018-15664, arises from the FollowSymlinkInScope function, which is vulnerable to a basic TOCTOU attack. The purpose of FollowSymlinkInScope is to resolve file paths safely by treating them as though they were being resolved from inside the Docker container's root file system.


Sarai found that in the case of docker cp, attackers can modify paths using a symlink (a file that points to another file or directory) within the container, so that the copy eventually alters data on the host file system.

Sarai created proof-of-concept scripts to demonstrate how attackers can potentially exploit the flaw from within a container to alter files on the host machine.

Before publicly disclosing the flaw, Sarai contacted Docker's security team and provided them with full details of the hole.

Docker has not released an official fix for the bug at the time of writing. The flaw was publicly revealed only after Docker's team agreed that it would be sensible to warn users before a patch is developed.

There are no meaningful protections against this kind of attack

According to Sarai, security researchers had been aware for a couple of years of the possibility of this kind of attack against Docker.

He believes that a potential attack scenario could originate through a cloud platform.

Sarai has also suggested a fix for the flaw, which involves stopping the container while its file system is being accessed.

"As far as I'm aware there are no meaningful protections against this kind of attack (other than not allowing 'docker cp' on running containers - but that only helps with this particular attack through FollowSymlinkInScope)," Sarai said in a post.

Sarai thinks the best solution to this bug would be to modify chrootarchive so that all archive operations are performed with the container's rootfs as the root.

"In an attempt to come up with a better solution for this problem, I've been working on some Linux kernel patches which add the ability to safely resolve paths from within a rootfs," he added.

"But they are still being reviewed and it will take a while for userspace to be able to take advantage of the new interfaces."
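As an added illustration (not code from Docker or from Sarai's advisory), the Go helper below shows the idea behind both the docker cp race and the "resolve within a rootfs" fix described above: instead of resolving a path to a string, checking it, and then opening that string (the check-then-use gap), each component is opened by the kernel relative to a directory descriptor already held, and symlinks are refused. OpenInRoot and ErrEscapesRoot are hypothetical names; it assumes Linux, where openat(2) with O_NOFOLLOW fails with ELOOP on a symlink.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRoot is returned when a component is a symlink: rejecting links
// outright removes the window in which a container could swap one in after
// the path has been checked but before it is opened (hypothetical helper).
var ErrEscapesRoot = errors.New("path crosses a symlink inside the root")

// OpenInRoot opens rel beneath root by walking one component at a time with
// openat(2) and O_NOFOLLOW. Every lookup is done by the kernel relative to a
// directory fd already held, so there is no string path left to rewrite.
func OpenInRoot(root, rel string) (*os.File, error) {
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	clean := filepath.Clean("/" + rel) // ".." is collapsed against "/", so rel cannot climb above root
	for _, part := range strings.Split(strings.TrimPrefix(clean, "/"), "/") {
		if part == "" {
			continue
		}
		next, err := syscall.Openat(fd, part, syscall.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		syscall.Close(fd) // the parent descriptor is no longer needed, success or not
		if err != nil {
			if errors.Is(err, syscall.ELOOP) {
				return nil, ErrEscapesRoot
			}
			return nil, err
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, clean)), nil
}

func main() {
	if f, err := OpenInRoot("/", "etc/hostname"); err == nil {
		fmt.Println("opened", f.Name())
		f.Close()
	}
}
```

Refusing symlinks entirely is stricter than what docker cp needs, since it follows links that stay inside the container; following them safely within a rootfs is the harder problem that the kernel interfaces Sarai mentions are meant to address.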
