Contain Yourself, Docker: Race-condition Bug Puts Host Machines at Risk... Sometimes, Ish (May 28, 2019)
A vulnerability affecting all versions of Docker, a widely used platform for deploying applications, has been discovered by Aleksa Sarai. It can potentially be exploited to read and write files on the host machine, bypass container security protections and execute code. Exploiting this vulnerability allows a threat actor to alter the host file system while a host administrator is copying data into or out of a Docker container. Using a symlink (a file that holds a reference to another file or directory), paths inside the container can be redirected so that they resolve to, and therefore modify, the host file system. The research suggests that the necessary changes to Docker are almost impossible, leaving less ideal workarounds, such as pausing containers during file operations, as the suggested fix.
Recommendation: Part of this attack can be mitigated by not allowing "docker cp" on running containers; however, there is currently no protection against this type of attack. The best option would be to change a core part of Docker, which is not feasible; another option is to pause the container while using its filesystem.
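As an added, illustrative example (not code from the article or from Docker), here is a defensive wrapper around docker cp that applies the recommended mitigation: pause the container, verify that the requested path still resolves inside the container's root filesystem, copy, and unpause regardless of outcome. It assumes the caller knows the container's merged root filesystem path on the host; the `run` callable and the demo rootfs with its symlink to the host root are constructed here so the logic can be exercised without a Docker daemon.

```python
import os
import subprocess
import tempfile
from typing import Callable, List, Tuple

def run_cmd(argv: List[str]) -> None:
    """Default runner: invoke the docker CLI (assumed to be on PATH)."""
    subprocess.run(argv, check=True)

def resolve_in_rootfs(rootfs: str, container_path: str) -> str:
    """Resolve container_path the way a host-side copy would, i.e. following
    symlinks in the *host* namespace, and return the host path it lands on.
    Raises ValueError if that path escapes rootfs: the symlink-to-host case."""
    root = os.path.realpath(rootfs)
    target = os.path.realpath(os.path.join(root, container_path.lstrip("/")))
    if target != root and not target.startswith(root + os.sep):
        raise ValueError(f"{container_path} resolves to {target}, outside {root}")
    return target

def safe_docker_cp(container: str, src: str, dst: str, rootfs: str,
                   run: Callable[[List[str]], None] = run_cmd
                   ) -> Tuple[bool, List[List[str]]]:
    """Pause the container so nothing inside it can swap a symlink between
    the check and the copy, validate, copy, then always unpause.
    Returns (copy_performed, docker commands issued in order)."""
    issued: List[List[str]] = []
    def do(argv: List[str]) -> None:
        issued.append(argv)
        run(argv)
    do(["docker", "pause", container])
    try:
        resolve_in_rootfs(rootfs, src)  # checked while the container is frozen
        do(["docker", "cp", f"{container}:{src}", dst])
        ok = True
    except ValueError as exc:
        print(f"refused copy: {exc}")
        ok = False
    finally:
        do(["docker", "unpause", container])
    return ok, issued

def build_demo_rootfs() -> str:
    """Constructed sample: a throwaway 'container rootfs' holding a normal
    file and a symlink to the host root, as a hostile container could create."""
    root = tempfile.mkdtemp(prefix="demo_rootfs_")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "hostname"), "w") as f:
        f.write("demo\n")
    os.symlink("/", os.path.join(root, "totally_safe"))  # hypothetical name
    return root
```

Pausing closes the race window the article describes; the path check alone would still be racy against a running container.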