An infosec bod has documented a remote-code execution flaw in Alpine Linux, a distro that pops up a lot in Docker containers.
Max Justicz, researcher and creator of crowd-sourced bug bounty system Bountygraph, said on Thursday that the vulnerability could be exploited by someone with man-in-the-middle (MITM) network access, or operating a malicious package mirror, to inject arbitrary code via apk, Alpine’s default package manager.
Justicz said that the vulnerability is particularly dangerous because, first, Alpine is commonly used for Docker images thanks to its small footprint, and second, most of the packages apk handles are not served via secure TLS connections, making them more susceptible to tampering.
In the worst-case scenario, the attacker could intercept apk’s package requests during a Docker image build, inject malicious code into the packages, and pass them along to the target machines, which would unpack and run that code inside their Docker container.
The vulnerability lies in the way apk unpacks archives and then cleans up suspicious files. Justicz found that if the malware was hidden within the package’s commit_hooks directory, it escaped that cleanup and could then be executed as normal.
The result would be a way for an upstream miscreant or network eavesdropper to feed malware directly into the Docker container and have it run without user notification. At that point, the attacker would have their code running on the victim machine, potentially allowing for further attacks on the container or host system.
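As an added defensive check, not code from the article or from Justicz's write-up, the Python below audits the two conditions the article describes: package mirrors fetched over plain HTTP (exposed to a man-in-the-middle), and archive members that would be written into apk's commit-hooks directory. The exact hooks path is an assumption (any path component starting with `commit_hooks`), the package is assumed to be readable as a single gzipped tar, and every input is a constructed sample.

```python
import io
import re
import tarfile

# The directory name comes from the article; the exact path apk uses is
# assumed here: any path component beginning with "commit_hooks".
HOOK_DIR_RE = re.compile(r"(^|/)commit_hooks[^/]*/")

def insecure_repositories(repositories_text):
    """Return mirror URLs in an /etc/apk/repositories file that are not HTTPS."""
    flagged = []
    for line in repositories_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue            # skip blanks and comments
        url = line.split()[-1]  # drop an optional "@tag " pin prefix
        if not url.startswith("https://"):
            flagged.append(url)
    return flagged

def hook_entries(apk_bytes):
    """List regular files in a gzipped tar that would land in a hooks directory.

    Only tar headers are read; nothing is extracted to disk.
    """
    with tarfile.open(fileobj=io.BytesIO(apk_bytes), mode="r:gz") as tar:
        return [m.name for m in tar if m.isfile() and HOOK_DIR_RE.search(m.name)]

def build_sample_apk():
    """Constructed sample archive (not a real Alpine package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("usr/bin/tool", b"#!/bin/sh\necho tool\n"),
            ("etc/apk/commit_hooks.d/post-install", b"#!/bin/sh\necho hook\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample repositories file: two plain-HTTP mirrors, one HTTPS.
SAMPLE_REPOSITORIES = """\
# constructed sample
http://mirror.example.invalid/alpine/v3.8/main
https://mirror.example.invalid/alpine/v3.8/community
@edge http://mirror.example.invalid/alpine/edge/testing
"""
```

Running both checks against an image's repositories file and each downloaded package before `apk add` gives a build pipeline an early signal for the two weak points the article raises.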
Submitted by: Arnfried Walbrecht