11 tweets, 4 min read
So, the #Alpine Linux #Docker root password issue (CVE-2019-5021) has been interesting to follow over the last few days. This is a security regression I reported earlier this year which resulted in this CVE. So, why “interesting”? (1/11)
Between posts of "this seems bad", "this isn't a vulnerability" - and a handful of rather colourful personal attacks for good measure - the impact of this issue seems to have been muddied leaving some questions as to potential impact. (2/11)
The major caveat, from my perspective, is that successful exploitation requires a specific configuration and is not exploitable on an “out of the box” Alpine image: The vulnerability exists, but there are no mechanisms to trigger it. (3/11)
Alpine symlinks 'su', 'login', and friends to a multicall binary (busybox) by default which is NOT suid root. In addition the image lacks PAM, and has no network services installed. Effectively, as shipped, it’s not exploitable. (4/11)
As a result, the likelihood of exploitation for this issue seems to be low as it requires a configuration which seems potentially uncommon. That said, there are a number of cases where successful exploitation can be demonstrated: (5/11)
Earlier yesterday @ropnop demonstrated a quick PoC of how this can occur through installation of the ‘shadow’ package and creation of a new user: (6/11)
Another avenue is the installation of a package which uses PAM as an authentication backend. One example of this is ‘vsftpd’ which is in the default Alpine repository and which also pulls in ‘linux-pam’ when installed. (7/11)
In this example, ‘/etc/vsftpd/vsftpd.conf’ was updated to disable anonymous access and to uncomment ‘local_enable=YES’ to use the local authentication database, as we added a local user for ourselves to use (‘example’). (8/11)
With this said, these are contrived examples. However, what are base images for if not the extension by a consumer? A blank slate onto which new binaries, users, and other strata are laid in order to build out a required system. (9/11)
Accidental misconfiguration is possible, as is installation of other vulnerable packages, but the addition of a package to expose a well configured service should not result in a bonus root login for anyone that asks, either. (10/11)
...Of course, these thoughts and opinions are mine, and mine alone :) (11/11)
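The build-time check below is an added example, not code from the thread or from Alpine. It looks for the condition behind CVE-2019-5021 (a /etc/shadow entry whose password field is empty, so a PAM- or shadow-suite-based login accepts a blank password) in a constructed sample file and locks any such account, the sort of step an image consumer can add before installing ‘shadow’, ‘linux-pam’ or a service like ‘vsftpd’; the function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Hypothetical checker (not from the thread or Alpine): flag accounts whose
# /etc/shadow password field is empty, which is the CVE-2019-5021 condition.
# Locked ("!" or "*") and hashed entries are fine; only an empty second field is flagged.

# Print the names of accounts with an empty password field in the given shadow file.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if the file has no empty-password accounts, 1 otherwise.
shadow_is_clean() {
    [ -z "$(find_empty_password_accounts "$1")" ]
}

# Lock every empty-password account by setting its field to "!", as `passwd -l` does.
lock_empty_password_accounts() {
    tmp="$1.tmp"
    awk -F: 'BEGIN { OFS=":" } $2 == "" { $2 = "!" } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample resembling an affected image's /etc/shadow: root with no hash,
# a properly locked system account, and a user with a placeholder hash.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root::18000:0:::::
bin:!::0:::::
example:$6$saltsalt$HASHPLACEHOLDER:18000:0:99999:7:::
EOF

# Usage: report, then remediate in place as a Dockerfile RUN step would.
find_empty_password_accounts "$SAMPLE_SHADOW"    # prints: root
lock_empty_password_accounts "$SAMPLE_SHADOW"
shadow_is_clean "$SAMPLE_SHADOW" && echo "no empty-password accounts remain"
rm -f "$SAMPLE_SHADOW"
```

Running the same awk one-liner inside a container (`docker run --rm <image> awk -F: '$2==""{print $1}' /etc/shadow`) gives a quick read on whether a base image ships the condition at all.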