Is the panic around the latest Docker vulnerability justified?
In cybersecurity, there is often a fine line between being made aware of a potential vulnerability and outright hysteria. In the case of CVE-2018-15664, a vulnerability disclosed this week that describes a “time of check to time of use” (TOCTOU) bug in Docker which could allow malicious code inside a container to gain arbitrary read/write access to files on the host with root privileges, that line is very close to being crossed.
CVE-2018-15664 describes how a cybercriminal could modify symbolic links inside a Docker container so that a “docker cp” command overwrites files on the Linux host. That, obviously, is a good thing to know. However, this scenario can only come about if the container was already compromised and a user ran “docker cp” against it at the very moment the links were being changed, so the copy follows the altered path. That translates into a window of opportunity measured in a few milliseconds. The level of skill required on the part of a cybercriminal to exploit that vulnerability would be very high indeed.
Nevertheless, vulnerabilities should be mitigated whenever possible. Docker Inc. this week suggested the best way to address the issue is to manually run “docker pause” before using “docker cp” to copy files and “docker unpause” after the copy has been made. Furthermore, the company said the issue would be remediated in the next monthly release by inserting a “docker pause” automatically, which freezes the container when a copy is being made and prevents the container from modifying the data.
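The interim workaround above (pause, copy, unpause) as a single wrapper, added here as an example; it is not Docker's own tooling and not code from the original article. It assumes a standard Docker CLI on the PATH; the DOCKER variable is an assumed override hook so the wrapper can be exercised with a stub on a machine where no daemon is running.

```shell
#!/bin/sh
# Interim mitigation for CVE-2018-15664: wrap "docker cp" in pause/unpause so the
# container is frozen for the whole copy and cannot swap a symlink between the
# path check and the actual copy (the TOCTOU window the article describes).
# Added example; not Docker's own tooling. DOCKER is an assumed override hook so
# the wrapper can be exercised with a stub when no daemon is available.
DOCKER="${DOCKER:-docker}"

# usage: safe_docker_cp <container> <path-inside-container> <destination-on-host>
safe_docker_cp() {
    container="$1"
    src="$2"
    dest="$3"

    # Freeze every process in the container; refuse to copy if that fails,
    # because copying from an unpaused container leaves the race window open.
    "$DOCKER" pause "$container" || {
        echo "safe_docker_cp: could not pause $container, aborting copy" >&2
        return 1
    }

    # Perform the copy while the container is paused.
    if "$DOCKER" cp "$container:$src" "$dest"; then
        status=0
    else
        status=$?
    fi

    # Always resume the container, even when the copy failed, so a workload is
    # never left frozen by the wrapper.
    "$DOCKER" unpause "$container" || echo "safe_docker_cp: warning: $container is still paused" >&2

    return "$status"
}
```

Checking the result of the pause before copying matters: if the pause fails and the copy proceeds anyway, the container is still running and the millisecond window the article describes is open again. The unpause runs unconditionally so a failed copy does not leave the container frozen. Once Docker ships the automatic pause announced for the next monthly release, the wrapper becomes redundant.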
Kelly Shortridge, vice president of product strategy for Capsule8, a provider of cybersecurity software for Linux environments, says CVE-2018-15664 highlights the fact that IT organizations should pay attention to how certain utilities are being employed to make sure vulnerabilities are not being exposed.
However, she says that while the potential damage caused by the CVE-2018-15664 vulnerability is high, this and the other Docker and Kubernetes vulnerabilities recently disclosed are nowhere near serious enough to dissuade any organization from employing containers. Rather, Shortridge says these vulnerabilities should be viewed as the natural cybersecurity growing pains that organizations should expect to encounter when relying on any emerging technology. In fact, by way of comparison, much more serious vulnerabilities are still being discovered on older legacy platforms, she adds.
One of the best things about containers is that it’s a lot easier to rip and replace containers that might have been infected with malicious code than it is to try to patch an entire monolithic application, notes Shortridge. One of the primary reasons so many IT environments are routinely impacted by known vulnerabilities is that either someone didn’t have the time to implement a patch or determined the patch provided for a specific platform would break their application. Organizations that have embraced DevOps processes routinely tear applications and infrastructure up and down, which Shortridge notes often provides the added benefit of eliminating any malicious code that may have found its way into the environment.
In the meantime, IT organizations should continue to monitor container vulnerability disclosures in the full knowledge that every reaction to those vulnerabilities just might have an accompanying agenda.