Root account misconfigurations found in 20% of top 1,000 Docker containers

Issue similar to Alpine Linux's CVE-2019-5021 impacts 194 other Docker images.


Around 20% of the top 1,000 most popular Docker containers on the Docker Hub portal are impacted by a misconfiguration that can expose users' systems to attacks, under certain conditions.

The flaw is similar to the one that impacted the official Alpine Linux Docker container last week when Cisco Talos researchers found that Alpine Linux Docker images released in the past three years came with an active root account that used a blank password.

Over the weekend, Jerry Gamblin, principal security engineer at Kenna Security, looked into the depth of this problem across the entire Docker Hub package repository.

194 potentially dangerous Docker containers

"I pulled the top 1000 Docker containers from Docker Hub and looked in the /etc/shadow file for root:::0::::: which means the root account is active, but does not have a password," Gamblin told ZDNet in an email yesterday.

He said he found 194 Docker images that were also setting up root accounts with blank passwords.

Some of the more famous names in the researcher's list included containers from Microsoft, Monsanto, HashiCorp, Mesosphere, and the UK government.

"kylemanna/openvpn is the most popular container on the list and it has over 10,000,000 pulls," Gamblin said in a blog post documenting his findings.

Not a widespread issue. It's a per-install risk.

To be clear, this misconfiguration does not pose a direct threat to all users. Only Linux systems that are configured to utilize Linux PAM [Pluggable Authentication Modules] and /etc/shadow for authentication are vulnerable, as the Alpine Linux team explained.

"After checking 1,000 containers and discovering that 20% of them have this configuration, it became clear that end users should be aware of, identify, and address this type of misconfiguration as a best practice when they decide to use any container in their environment," Gamblin told ZDNet.

The researcher published the list of potentially vulnerable Docker containers on GitHub so users of these Docker images can review their system configurations and determine if they are one of the few that are impacted.
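For readers who want to run the same kind of check on an image they use, here is an added example (not Gamblin's script and not code from the original article). It goes beyond the exact string `root:::0:::::` by parsing the fields of `/etc/shadow`, so it also flags blank-password entries whose other fields differ and any non-root account with the same problem. The sample content and function names are constructed for illustration.

```python
"""Flag accounts in /etc/shadow content whose password field is empty."""

# Constructed sample shadow content (not from any real image).
SAMPLE_SHADOW = """\
root:::0:::::
daemon:*:17000:0:99999:7:::
bin:!::0:::::
svc::17000:0:99999:7:::
app:$6$constructedsalt$constructedhash:17000:0:99999:7:::
# stray comment
malformed-line
"""


def classify(password_field):
    """Map the second shadow field to 'empty', 'locked' or 'set'."""
    if password_field == "":
        return "empty"      # account active, no password required
    if password_field[0] in "!*":
        return "locked"     # not a valid crypt(3) result: password login disabled
    return "set"            # a password hash (or other non-empty value) is present


def audit_shadow(text):
    """Return {username: status} for every well-formed line."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue        # not a shadow entry
        results[fields[0]] = classify(fields[1])
    return results


def blank_password_accounts(text):
    """Usernames whose password field is empty, in file order."""
    return [user for user, status in audit_shadow(text).items() if status == "empty"]


if __name__ == "__main__":
    import sys
    # Read a shadow file from stdin if piped in, otherwise use the sample.
    data = SAMPLE_SHADOW if sys.stdin.isatty() else sys.stdin.read()
    for user in blank_password_accounts(data):
        print(f"{user}: active account with empty password field")
```

To audit an image, pipe its shadow file into the script, for example `docker run --rm --entrypoint cat IMAGE /etc/shadow | python3 audit_shadow.py`, where `IMAGE` is a placeholder and `audit_shadow.py` is a hypothetical file name for the block above.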

"I have reached out to a handful of companies and individuals on the list directly," the researcher told us when we asked about his responsible disclosure efforts. "To my knowledge, Docker Hub does not have a way to contact them for issues with individual containers."

"I hope that my research on CVE-2019-5021 will make this issue more transparent to container maintainers," Gamblin said.
