Slashdot Mirror


Docker Image Insecurity

An anonymous reader writes Developer Jonathan Rudenberg has discovered and pointed out a glaring security hole in Docker's system. He says, "Recently while downloading an 'official' container image with Docker I saw this line: ubuntu:14.04: The image you are pulling has been verified

I assumed this referenced Docker's heavily promoted image signing system and didn't investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.

Docker's report that a downloaded image is 'verified' is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities."
Docker's lead security engineer has responded here.

5 of 73 comments

  1. What is this new madness? by tgibson · Score: 3, Insightful

    I'm about to leave for Sears, inseam and waist measurements in hand. And here I read that my image security is at risk. I better find a new brand of pants I guess.

  2. What? by ArchieBunker · Score: 5, Insightful

    Don't tell us what the fuck a docker is or anything...

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  3. Love that response by Tailhook · Score: 4, Insightful

    A summary of that wall-of-text "response" from the Docker "lead security engineer":

    "Bullshit, bullshit v1 bullshit. Bullshit discussions about bullshit CVE bullshit. (yes we know it's broken) Bullshit v2 bullshit, next version bullshit Bullshit."

    If you can't dazzle them with your intelligence, baffle them with your bullshit.

    --
    Maw! Fire up the karma burner!
  4. Re:Read the update by Todd Knarr · Score: 4, Insightful

    Upstream verification won't help. The client has to verify that the image it received is the same one the server verified, otherwise someone can hack a router to silently redirect the client to a malicious server and serve up whatever image they want alongside a copy of the signed manifest for the official image and you're fsckd. What they need is:

    1. The manifest has to be signed.
    2. The manifest has to contain a secure checksum (cryptographic hash) of the official image the server has.
    3. The client has to verify the signature of the manifest to confirm that the manifest hasn't been altered and comes from the official source.
    4. The client has to verify that the checksum of the image it received matches the checksum for the image in the manifest.
    5. Step 4 is apparently what's missing from the client.
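
    The four-step client check listed above, as an added example (not Docker's code and not from the thread). It uses only the Python standard library: an HMAC over the canonical manifest stands in for the publisher's signature (a constructed stand-in, not Docker's real signing scheme), layer digests are SHA-256, and `manifest_only_check` reproduces the behaviour the summary describes, where a valid signature alone is taken as "verified".

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the publisher's signing key. Real image
# manifests use a public-key signature; an HMAC keeps this runnable stand-alone.
SIGNING_KEY = b"demo-publisher-key"


def canonical(manifest):
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=SIGNING_KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_manifest(name, layers):
    # Step 2: the manifest carries a cryptographic hash of every layer.
    return {"name": name,
            "layers": ["sha256:" + hashlib.sha256(b).hexdigest() for b in layers]}


def verify_pull(manifest, signature, received_layers, key=SIGNING_KEY):
    """Steps 3 and 4: check the manifest signature, then hash what was actually received."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    if len(received_layers) != len(manifest["layers"]):
        return False, "layer count mismatch"
    for i, (blob, expected) in enumerate(zip(received_layers, manifest["layers"])):
        actual = "sha256:" + hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, "layer %d digest mismatch" % i
    return True, "verified"


def manifest_only_check(manifest, signature, received_layers, key=SIGNING_KEY):
    """The flawed behaviour: trust the signed manifest and never hash the blobs."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


# Constructed sample: two "official" layers and their signed manifest.
OFFICIAL_LAYERS = [b"layer0: base filesystem", b"layer1: package install"]
MANIFEST = make_manifest("ubuntu:14.04", OFFICIAL_LAYERS)
SIGNATURE = sign_manifest(MANIFEST)
# A substituted layer 1 delivered alongside the genuine signed manifest.
SWAPPED_LAYERS = [OFFICIAL_LAYERS[0], b"layer1: substituted content"]

if __name__ == "__main__":
    print(verify_pull(MANIFEST, SIGNATURE, OFFICIAL_LAYERS))       # (True, 'verified')
    print(verify_pull(MANIFEST, SIGNATURE, SWAPPED_LAYERS))        # (False, 'layer 1 digest mismatch')
    print(manifest_only_check(MANIFEST, SIGNATURE, SWAPPED_LAYERS))  # True: the flaw
```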

  5. Summary is scaremongering by Anonymous Coward · Score: 2, Insightful

    Read the article; the summary makes it sound as if Docker doesn't verify the checksums, and it does. His complaint is that it verifies the checksum AFTER decompressing and de-tar'ing from an HTTPS source, and only does a cursory check on the TAR file.

    He complains that the check on the TAR file is imperfect, which is true, and that the act of unpacking might reveal a vulnerability in the unpacker which could compromise the machine.

    So, to be clear, his proposed attack is "intercept the https source" (which is possible for the NSA/GCHQ due to the certificate authority weakness); they then send a TAR which triggers a bug in unpack and takes control of a machine (which surely needs this untar bug to be fixed rather than docker to slap a fix around it), and then create a plausible clean version sent to Docker to be verified.

    It's then presented on Slashdot as "docker doesn't verify signatures", which is misleading to the point of deception.