Alpine Linux Docker images distributed via the official Docker Hub portal for the past three and a half years have been using a blank (NULL) password for the root account, security researchers from Cisco have revealed today.
All Alpine Linux Docker images, since v3.3, are impacted, Cisco Talos said today in a security alert.
The issue was first discovered back in August 2015, patched in November, then accidentally re-opened three weeks later, in December 2015, only to be re-discovered by a Cisco Umbrella researcher in January this year. The issue was initially thought to impact only the Glider Labs Alpine Linux Docker image, but it was later discovered to impact the official image as well.
Servers and workstations that have been provisioned/installed from Alpine Linux Docker images are now at risk of being hijacked by attackers who can authenticate using the root user and no password.
Web-facing systems are facing the greatest risks, but internal systems shouldn't be ignored either.
While new Alpine Linux images have been released on Docker Hub, existing systems should be modified to either disable the root account or, at least, set a custom password.
Companies and users who have older Alpine Linux Docker images integrated inside (re)install scripts/routines should modify the Docker image to disable the root account or update to a newer Alpine Linux Docker image, to be on the safe side.
"The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM [Pluggable Authentication Modules], or some other mechanism which uses the system shadow file as an authentication database," Cisco said today.
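The flaw described above comes down to a single line in the image's `/etc/shadow`: the root entry has an empty password field, so any service that authenticates against that file (via PAM or otherwise) accepts root with no password. The following script is an added example, not code from the article, from Cisco, or from the Alpine project. It audits a shadow-format file for accounts with an empty password field and applies the remediation the article recommends, locking root by writing `!` into the password field (the same effect as `passwd -l root`). The sample shadow file is constructed to mirror the vulnerable layout; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, Cisco, or Alpine): audit a shadow file
# for blank password fields and lock root if its field is empty.

# Print the names of every account whose second field (the password hash) is
# empty. An empty field means "no password required", which is the CVE-2019-5021
# condition; "!" or "*" in that field means the account is locked.
blank_password_accounts() {
    # $1: path to a shadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lock root in the given shadow file if its password field is blank, by
# replacing the empty field with "!". Written through a temp file so it works
# with any POSIX sed (no reliance on `sed -i`).
lock_blank_root() {
    # $1: path to a shadow-format file (modified in place)
    tmp=$(mktemp)
    sed 's/^root::/root:!:/' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample shadow file: root has an empty password field, the
# other accounts are locked with "!".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root::10933:0:99999:7:::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
EOF

echo "Accounts with a blank password field before remediation:"
blank_password_accounts "$SAMPLE"

lock_blank_root "$SAMPLE"

echo "Accounts with a blank password field after remediation:"
blank_password_accounts "$SAMPLE"   # prints nothing once root is locked

rm -f "$SAMPLE"
```

To audit a real container rather than the constructed sample, run `blank_password_accounts` against the container's `/etc/shadow` (for example by copying the file out with `docker cp`, or by running the `awk` one-liner inside the container). In a Dockerfile the equivalent remediation is a `RUN` step that applies the same `sed` substitution to `/etc/shadow`, or `RUN passwd -l root`, before the image is shipped; either way, re-run the audit on the built image so the fix cannot silently regress the way the original patch did.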
For security researchers and system administrators tracking vulnerabilities via CVE identifiers, this flaw's identifier is CVE-2019-5021.
Alpine Linux is one of the most popular Linux distros on Docker Hub, with over 10 million downloads. It is also the second search result returned when searching for "Linux" on Docker Hub.