
Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password

May 20, 2019
Jerry Gamblin


Earlier this month, Talos released research showing that the Alpine Linux Docker images were shipping with no (or nulled) root passwords. Alpine patched the Docker files and issued their response to the vulnerability here, noting that “an attacker who compromised your system via an unrelated security vulnerability, or a user with shell access, could elevate their privileges to root within the container.”

I recently wrote an article for Container Journal on the intersection of DevSecOps and container security. Since this topic has been a recent interest of mine, Talos’ research led me to wonder how widespread the issue of null passwords in containers could be. I spent some time and built this script to check the top 1000 Docker containers from the Docker store.

In all, on Saturday, May 18th, when I ran the script, 201 (*correction below) of the most popular containers had nulled root passwords. Some of the best-known names on that list are govuk/governmentpaas, hashicorp, microsoft, monsanto, and mesosphere. kylemanna/openvpn is the most popular container on the list, with over 10,000,000 pulls.

The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable. These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with the Alpine Linux vulnerability. (Alpine Linux, in its response, noted that before the patch, containers were only vulnerable if the shadow and linux-pam packages were installed.) Or, as researchers at Cisco put it: “The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilize Linux PAM [Pluggable Authentication Modules], or some other mechanism which uses the system shadow file as an authentication database.”

But I’d like to highlight what this finding says about how developers are using containers. Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers, or for systems in general.

All of which is to say that many people believe that containers offer more security because they extend the trend of virtualization. I’d say that this might be true, but as my article in Container Journal shows, there’s also a chance that containers could lead to unforeseen security concerns.

*Correction: Due to receiving duplicate containers from the Docker API in my original script, which I overlooked when I ran the script on Saturday, I ended up only checking 794 containers, with 157 of those having nulled root passwords, or still roughly 20% (19.75%). I tweaked the script to pull in 1000 containers, and 194 (19.4%) of them had nulled root passwords. You can see that list here.
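
The check described in this post comes down to reading the second field of root's line in `/etc/shadow`. The sketch below is an added example, not the author's script: it classifies that field and de-duplicates the image list before counting, the step the correction above concerns. The `example/...` image names and all shadow lines are constructed, and the `docker run` line in the comment assumes the image contains `cat`.

```shell
#!/bin/sh
# Added example: classify root's password field in shadow(5) data.
# All image names and shadow lines below are constructed for illustration.

# Read shadow(5) text on stdin; print null | locked | hashed | missing.
classify_root_shadow() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "null"    # empty field: no password required
            else if ($2 ~ /^[!*]/) print "locked"  # no valid hash: password login disabled
            else                   print "hashed"  # a password hash is set
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Constructed shadow contents keyed by hypothetical image name.
sample_shadow() {
    case "$1" in
        example/null-root)   printf 'root:::0:::::\nbin:!::0:::::\n' ;;
        example/locked-root) printf 'root:!::0:::::\nbin:!::0:::::\n' ;;
        example/hashed-root) printf 'root:$6$salt$hash:18000:0:99999:7:::\n' ;;
        *)                   printf 'daemon:*:18000:0:99999:7:::\n' ;;
    esac
}

# Read image names on stdin, drop duplicates, print "image status" per image.
audit_images() {
    sort -u | while IFS= read -r image; do
        [ -n "$image" ] || continue
        # Against real images (assumption: the image ships cat):
        #   docker run --rm --entrypoint cat "$image" /etc/shadow
        printf '%s %s\n' "$image" "$(sample_shadow "$image" | classify_root_shadow)"
    done
}

# Count unique images whose root entry has an empty password field.
count_null() { audit_images | awk '$2 == "null"' | wc -l | tr -d ' '; }

# Demo: a list with one duplicate, as an API might return it.
printf 'example/null-root\nexample/locked-root\nexample/null-root\nexample/hashed-root\n' | audit_images
```

A `null` result only flags the configuration; as the quotes above note, it becomes exploitable when something in the container authenticates against the shadow file.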


© 2020 Kenna Security. All Rights Reserved. Privacy Policy.