Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password
Earlier this month, Talos released research showing that the Alpine Linux docker images were shipping with no (or nulled) root passwords. Alpine patched the docker files, and issued their response to the vulnerability here, noting that “an attacker who compromised your system via an unrelated security vulnerability, or a user with shell access, could elevate their privileges to root within the container.”
I recently wrote an article for Container Journal on the intersection of DevSecOps and container security. Since this topic has been a recent interest of mine, Talos’ research led me to wonder how widespread the issue of null passwords in containers could be. I spent some time and built this script to check the top 1000 docker containers from the Docker store.
In all, on Saturday, May 18th, when I ran the script, 201 (*correction below) of the most popular containers had nulled root passwords. Some of the most known names of that list being govuk/governmentpaas, hashicorp, microsoft, monsanto, and mesosphere. kylemanna/openvpn is the most popular container on the list and it has over 10,000,000 pulls.
The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable. These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with this the Alpine Linux vulnerability. (Alpine Linux, in its response, noted that before the patch, containers were only vulnerable if the shadow and linux-pam packages were installed.) Or, as researchers at Cisco put it: “The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilize Linux PAM [Pluggable Authentication Modules], or some other mechanism which uses the system shadow file as an authentication database.”
But I’d like to highlight what this finding says about how developers are using containers. Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system.
All of which is to say that many people believe that containers offer more security because they extend the trend of virtualization. I’d say that this might be true, but as my article in Container Journal shows, there’s also a chance that containers could lead to unforeseen security concerns.
*Correction: Due to receiving duplicate containers from the Docker API in my original script that I overlooked when I ran the script on Saturday I ended up only checking 794 containers with 157 of those having null rooted passwords, or still roughly 20% (19.75%). I tweaked the script to pull in 1000 containers and 194 (19.4%) of them had null rooted passwords. You can see that list here.