A new critical race condition vulnerability in Docker

According to IT security audit specialists, all versions of Docker are affected by a race condition vulnerability that, if exploited, could allow attackers to access the compromised system with root privileges.

The CVE-2018-15664 vulnerability report explains that the API endpoints behind ‘docker cp’, the command used to copy files between the host and a container, are vulnerable to a symlink-exchange attack combined with directory traversal.

Aleksa Sarai, of the IT security audits firm SUSE, reported the vulnerability and also published exploit code. In his report, the specialist states that he has written a patch to correct the flaw, although the code is still under review.

The expert explains that attackers can exploit the race condition by timing the attack to land in a short window after path resolution completes. “If an attacker can add a symbolic link component to the path after the resolution but before execution, then it might end up resolving the symbolic link path component on the host as the root user. In the case of the ‘docker cp’ command, this gives hackers read and write access to any path on the host,” add the IT security audit specialists.
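As an added illustration of the check-then-use gap described above (this is not code from the report or from Docker; the function names and the temporary directory layout are constructed for the example), the following Python contrasts a resolve-then-open pattern with a per-component O_NOFOLLOW walk, where the refusal of a symlink happens in the same syscall that consumes the name:

```python
import os
import pathlib
import tempfile

def open_realpath_then_open(root: str, rel: str) -> int:
    """Check-then-use: resolve symlinks, then open the result. The two steps are
    separate syscalls, so a symlink swapped in between is followed by the open."""
    return os.open(os.path.realpath(os.path.join(root, rel)), os.O_RDONLY)

def open_nofollow_walk(root: str, rel: str) -> int:
    """Walk one component at a time relative to a directory fd with O_NOFOLLOW.
    The kernel rejects a symlink inside the same open(2) that uses the name, so
    there is no check/use window to race. Simplified illustration, not Docker's fix."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("'..' not allowed in a container-relative path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY  # intermediate components must be directories
            nfd = os.open(name, flags, dir_fd=fd)  # OSError if `name` is a symlink
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd

def read_fd(fd: int) -> str:
    data = os.read(fd, 64).decode()
    os.close(fd)
    return data

def demo() -> dict:
    """Constructed layout: root/dir/secret.txt, and root/link -> a directory outside
    root (standing in for a symlink to "/"). Reports what each opener did."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as out:
        os.mkdir(os.path.join(root, "dir"))
        pathlib.Path(root, "dir", "secret.txt").write_text("inside")
        pathlib.Path(out, "host.txt").write_text("host")
        os.symlink(out, os.path.join(root, "link"))  # the attacker-controlled symlink
        results = {"realpath_then_open": read_fd(open_realpath_then_open(root, "link/host.txt"))}
        try:
            results["nofollow_walk"] = read_fd(open_nofollow_walk(root, "link/host.txt"))
        except OSError:
            results["nofollow_walk"] = "rejected"
        results["nofollow_walk_legit"] = read_fd(open_nofollow_walk(root, "dir/secret.txt"))
        return results
```

Running `demo()` shows the resolve-then-open path escaping the root through the symlink while the O_NOFOLLOW walk refuses it and still serves the legitimate file.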

The National Vulnerability Database (NVD) assigned this flaw a CVSS score of 8.7, making it a serious vulnerability. However, the NVD rates its exploitability at only 2.2, since the attack is highly complex.

Although the probability of in-the-wild exploitation is low, the specialists from the International Institute of Cyber Security (IICS) point out that there are no protective measures to mitigate the risk of exploitation other than disabling the ‘docker cp’ command, so updating should be considered.

The expert developed exploit scripts for read access (run_read.sh) and write access (run_write.sh). Sarai notes that both include a Docker image containing a simple binary that performs a RENAME_EXCHANGE between a symbolic link to “/” and an empty directory in a loop, hoping to win the race.