An unpatched and high-rated Docker vulnerability has been made public along with simple proof-of-concept exploit scripts. For the uninitiated, Docker is a popular set of SaaS and PaaS products which use virtualization to allow for the creation of independent containers.

Docker Vulnerability Details

On May 22, the vulnerability was announced on GitHub by Aleksa Sarai, a senior software engineer at SUSE. Although Docker is keen to reassure its users that the vulnerability has yet to be exploited in the wild, there’s at least one red flag that’s still flying after the news of the flaw was published. Docker had known about the vulnerability (CVE-2018-15664) for almost a year: Sarai first made the discovery on July 8, 2018. Considering that this is a high-rated vulnerability (CVSS score 8.7) that affects all published versions of Docker, it’s surprising that the firm hasn’t acted more quickly to create and share a fix.

At the time of this blog going live, a patch has been promised, but it hasn’t yet been delivered.

What Harm Can the Docker Vulnerability Cause?

The Docker vulnerability, if exploited, gives the attacker full read and write access to the host’s filesystem, with root privileges. To carry out an attack, the attacker will likely need local or remote access to the host machine. Unless an organization has poor cloud cyber hygiene practices in place, the vulnerability should only be accessible via the Docker engine, and not through an application which is hosted in a public cloud.

It’s possible that the attacker could run a malicious Docker cp command in a public cloud environment which would enable them to gain access to the Docker engine host’s entire filesystem. However, managed and secured public clouds are usually used by organizations which run Kubernetes clusters. These clusters segregate the Docker containers and provide an additional level of isolation, which makes it difficult for criminals to carve an attack path through the public cloud.

What Should Skybox Customers Do?

In terms of remediating this specific vulnerability, Skybox customers with Docker products need to keep an eye out for when the patch is released. We also suggest that you encourage your cloud providers to update their infrastructure as soon as possible.

Skybox customers will be able to see when the Docker vulnerability patch is live via the Skybox Vulnerability Dictionary, which will be updated with all relevant information as soon as it’s published.

Non-customers can also track this at Skybox Vulnerability Center, a free-to-use website where users can create their own profile to track vulnerability details of vendors and products of interest to them.

But aside from just sitting and waiting until the Docker vulnerability can be patched, it’s a good time to check in on your cloud cyber hygiene:

  • Choose your cloud infrastructure provider carefully – when you invest in the cloud, consider where shared responsibility lines fall between you and your cloud service provider (CSP). Even if you don’t own the larger cloud infrastructure, its cyber risk and exposure should still be closely monitored. Make sure the CSP is holding up their end of the bargain.
  • In terms of security within your cloud environment:
    • Enforce strict multi-factor authentication and be stringent with the authorization of managed policies
    • Make sure to have backup policies in place and manage them properly — if you have too many, you’re exposed to leakage; too few, and you’re exposed to loss
    • Continuously and thoroughly test your cloud network environments; model the infrastructure and incorporate vulnerabilities and threat intelligence to gain an accurate view of how susceptible you are to attacks

By staying on top of your cloud security and being confident that you have strong control measures in place, you’re reducing opportunities for attacks.

Related Posts

Attacks on Cloud Networks Likely to Increase in 2019: Skybox’s 2019 Vulnerability and Threat Trend Report revealed just how vulnerable to attack cloud networks are becoming; read on for the full story.