Slashdot Mirror

← Back to Stories (view on slashdot.org)

Docker Image Insecurity

Posted by Soulskill on from the totally-secure-for-undefined-values-of-secure dept.

An anonymous reader writes Developer Jonathan Rudenberg has discovered and pointed out a glaring security hole in Docker's system. He says, "Recently while downloading an 'official' container image with Docker I saw this line: ubuntu:14.04: The image you are pulling has been verified

I assumed this referenced Docker's heavily promoted image signing system and didn't investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.

Docker's report that a downloaded image is 'verified' is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities." Docker's lead security engineer has responded here.

3 of 73 comments (clear)

  1. What? by ArchieBunker · · Score: 5, Insightful

    Don't tell us what the fuck a docker is or anything...

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  2. Love that response by Tailhook · · Score: 4, Insightful

    A summary of that wall-of-text "response" from the Docker "lead security engineer":

    "Bullshit, bullshit v1 bullshit. Bullshit discussions about bullshit CVE bullshit. (yes we know its broken) Bullshit v2 bullshit, next version bullshit Bullshit."

    If you can't dazzle them with your intelligence, baffle them with your bullshit.

    --
    Maw! Fire up the karma burner!
  3. Re:Read the update by Todd+Knarr · · Score: 4, Insightful

    Upstream verification won't help. The client has to verify that the image it received is the same one the server verified, otherwise someone can hack a router to silently redirect the client to a malicious server and serve up whatever image they want alongside a copy of the signed manifest for the official image and you're fsckd. What they need is:

    1. The manifest has to be signed.
    2. The manifest has to contain a secure checksum (cryptographic hash) of the official image the server has.
    3. The client has to verify the signature of the manifest to confirm that the manifest hasn't been altered and comes from the official source.
    4. The client has to verify that the checksum of the image it received matches the checksum for the image in the manifest.

    5. Step 4 is apparently what's missing from the client.