CyberWire Daily - Encore: The secrets behind Docker.
Episode Date: November 26, 2022
Alon Zahavi from CyberArk joins Dave Bittner on this episode to discuss CyberArk's work in conjunction with Patch Tuesday. CyberArk published research on how Docker inadvertently created a new vulnerability and what happens when it's exploited. CyberArk's research concluded that an attacker may execute files with capabilities or setuid files in order to escalate its privileges up to root level. CyberArk found the new vuln in some of Microsoft's Docker images, caused by misuse of Linux capabilities, a powerful additional layer of security that gives admins the ability to assign capabilities and privileges to processes and files in the Linux system. The research can be found here: How Docker Made Me More Capable and the Host Less Secure
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The research started as Linux capabilities research and not Docker. But as I went forward with it, I found that Docker had a vulnerability and Microsoft had one too.
That's Alon Zahavi. He's a security researcher at CyberArk. The research we're discussing today
is titled, How Docker Made Me More Capable and the Host Less Secure.
And with both of those vulnerabilities,
I succeeded at escalation of privileges in a Linux machine.
Well, let's start with Linux itself then.
Can you describe for us what the capabilities are here
and how they lead us into a bit of trouble?
Traditionally, Linux had two kinds of processes.
Processes that ran with root permissions
and processes without root permissions.
Since Linux kernel version 2.2, those permissions were divided into units called capabilities.
And each capability granted the process the ability to perform certain privilege operations.
So let's take, for example, the mount syscall.
So before capabilities,
only root could mount new images to the file system.
Right now, in order to mount this image,
a process will need to have the CAP_SYS_ADMIN capability.
Even if it's not root, it can be any user with any UID. And if it's got this capability, the CAP_SYS_ADMIN capability,
it can mount every image to any part of the file system.
And so what does that mean for us in terms of this vulnerability that you discovered?
As I said before, even if you are not root, but you have certain capabilities, you can do certain privileged tasks.
So in case of the vulnerability I found,
if you had GDB, which is a debugger in Linux,
with the CAP_SYS_PTRACE capability,
you can attach yourself as a debugger to any process, even if it's a high-privileged process.
If you had the GDB, if you had access to execute this GDB with this capability, you can do
practically anything.
You can attach yourself to a root process, which has by default all the capabilities in Linux,
and just do anything your mind limits you to.
Now, I mean, is this a fundamental flaw in the way that Linux handles this?
Or is this a particular thing that you've discovered here?
So Linux capabilities, as I said,
it's there from Linux 2.2, which is 1999.
It's been there for a long time,
but only recently with the development of cloud
and containers that we see this mechanism
started to be used.
In case of the things I found, it's been misused by mistake by some vendors.
But yeah, every time a process asks to perform privileged tasks, the kernel itself checks if this process
has the capabilities to do so.
If not, it's just throwing an error
and saying you can't do it, permission error.
But if you do have this capability,
it just moves on.
It's: check if you have it, you can do it.
If you haven't got it, you can't do it.
So how does this affect Docker containers?
Okay, so in Docker containers, by default,
you get limited capabilities.
Because if you had all the capabilities,
if the root user from inside the container had all the capabilities,
it was also the root outside the container.
So you can escape it like
if there wasn't any container jail.
So in this case, it didn't have the ability to escape a container, but because of how
Docker managed file permissions at the version that I checked, any user, unprivileged user on the host,
not the container, on the host could have access to files that are saved inside the container.
So in theory, an attacker that had both access on the host and the container itself could have done anything he wants.
He could have crafted any executable inside the container and given it any capabilities he wants, or even setuid, and then move to the host, run it from there and become root,
become the most powerful user in a Linux machine.
Part of what I find really interesting in this research you published is you walk us through the process of how you discovered this. Can you share that story with us?
Yeah, of course.
So this research started as Linux capabilities.
I wanted to find a misconfiguration or misimplementation, to be more exact,
inside the Linux kernel in order to bypass those checks,
those capabilities checks.
But as I went forward with the research,
I found that the implementation was kind of straightforward.
You know, if I talk in code, it was only an if statement.
If you got it, you got it.
If not, you don't got it.
So then I went to search who uses this mechanism.
And I found that Docker uses it a lot.
Then I scanned over 2,500 Docker images from Docker Hub and found that Microsoft
released a few images that had that GDB file with file capabilities, which gives any user that executes this GDB
the capability to attach itself to any process.
Again, even root processes.
And that was the first vulnerability I found in this research.
Then, in order to execute this GDB, we needed the permissions,
you know, classic Linux file permissions.
And after looking at the files and directories
that Docker Engine produces
when you pull an image from Docker Hub,
I saw that one of the directories
where the image is saved
allows any user to execute any file
from within this directory.
And again, then I took the image I downloaded
from their website,
the Microsoft image,
and using a low-privileged user on the host,
all I had to do is just find the path
and then execute the file.
From then on, I was root for any...
I was root, actually. That's it.
Yeah, that's enough, right?
Yeah, I think that's enough.
It's kind of everything.
It's like the holy grail for Linux attackers, you know.
Right. I'm imagining you sitting there, you know, at your workstation,
and kind of your eyes opening up
and wondering to yourself,
wait a minute, is this really what I think it is?
It's exactly as you said.
I worked and I tried to execute it
and I was like, nah, it shouldn't work.
No way.
And then I just pressed enter and it worked.
And I was sky high.
I went to my colleagues and said, oh my God, oh my God, I found it.
That was what I was searching for.
Right.
So is this a matter that, you sort of alluded to this earlier, that, you know, this feature was introduced into Linux back in the very late 90s? Was it kind of sitting around because, um, you know, back in the 90s nobody was thinking about cloud environments the way that we do today?
I think that it was lying around because people didn't want to use it. You know, it messes things up.
It's not as easy as either you're privileged or you're not.
This kind of mechanism gives you the ability
to create a least privileged environment.
And as I said, it messes things up.
And when you talk about cloud and containers, you have to do it.
When you're using a container which has the same kernel as the host,
you have to do it.
And if you do not do it, the attacker will have an easy attack surface.
So that is why, in my opinion,
clouds and containers use
Linux capabilities more than the traditional
Linux machines.
People should have more thinking about this mechanism so people will use it more, because if more people will use it in its correct way, the machine will be much more secure.
For example, take the ping command, okay? It's not like this anymore because they changed it, but it used to be a setuid binary.
So every vulnerability you had in ping, which all it does is send an ICMP packet, if you had a vulnerability there, you became root.
But with capabilities, if you found a vulnerability in ping, all you had is like, you can send more ICMP, you can build a raw socket, and that's it.
You wouldn't become root. You will have more privileges, but you're still not root.
You're still not the most powerful user in Linux.
I see.
You're limited in what you can do within ping itself.
Yeah, yeah.
And that's not the case here.
No.
Again, the GDB, which is again a debugger
with the capability to attach itself to root processes,
it gives you the ability to, again,
to attach yourself to root processes
and change the stack and change the memory
and change the code flow, the running flow,
you can do anything.
You can inject shell codes and just change the register
that points to the next instruction
and just run this shell code.
So that's why it's so dangerous
to have this capability on that executable.
So where do we stand now in terms of
Docker itself? They've updated
this? Where are we?
The file permissions that I talked about regarding the Docker
vulnerability, it was fixed, I think, a few months ago.
So that's fixed, okay?
But that's just one vulnerability.
So Microsoft fixed their vulnerability also.
But it doesn't mean that this escalation of privileges
is not there anymore.
Okay, so Microsoft and Docker did what they had to do.
But it's now the task for the IT teams and the system administrators
to update Docker engine and to update the images.
And they need to scan their machines, their servers,
so they know for a fact that these kinds of vulnerabilities are not there anymore.
Is there anything to be done on the Linux level itself
of limiting Linux's ability to do this?
I don't think so, no.
Because this mechanism is supposed to make things more secure.
And when you use it right, it does make it more secure.
It's right for everything.
You know, if you misuse something, it will be dangerous, but when you use it correctly, it's great.
Really.
Our thanks to Alon Zahavi from CyberArk for joining us.
The research is titled, How Docker Made Me More Capable and the Host Less Secure.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Patrick, Jennifer Iben, Rick Howard, Peter
Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.