Alpine Linux has been found to contain a serious vulnerability that could allow a malicious attacker to compromise containers

2025-01-20 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

An information security agency has disclosed a remote code execution flaw in Alpine Linux, a distribution that is now widely used in Docker containers.

Max Justicz, founder and researcher of the crowdsourced bug bounty system Bountygraph, said last Thursday that the vulnerability could be exploited by an attacker with man-in-the-middle (MITM) network access, or one operating a malicious package mirror, to inject arbitrary code via apk, Alpine's default package manager.

Justicz points out that this vulnerability is particularly dangerous. First, because of its small size, Alpine is widely used in all kinds of Docker images. Second, most of the packages apk handles are not served over secure TLS connections, so they are extremely vulnerable to tampering.

In the worst case, an attacker can intercept apk's package requests while a Docker image is being built, inject malicious code into the packages, and then pass them on to the target computers. These computers extract the packages and run the code inside the Docker container.

"In the default configuration of Alpine, if we can run a traffic MITM attack on a machine running the 'apk' command, we can cause the machine to execute arbitrary code," Justicz said in an interview. "Even after the malicious code starts running, I can still successfully execute the Docker build command."

"Once an attacker executes his code on an image that has been built, he can take full control of the target computer after the image starts running later."

This security vulnerability stems from the way apk unpacks archive files and handles suspicious code. Justicz found that if malware can be hidden in the package's commit_hooks directory, it can evade cleanup and then execute normally.

This means that malicious upstream attackers or network eavesdroppers can introduce malware directly into the Docker container and run it without the user's permission. At that point the attacker is running code on the victim's computer and can carry out further attacks against the target container or host system.

apk has been fixed in the latest version of Alpine, so we recommend that developers rebuild their Docker images on the updated version of Alpine.
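
An added example, not from the original article or the Alpine project: a POSIX shell audit that checks an Alpine root filesystem for the two conditions described above, package repositories fetched over plain HTTP and files sitting in apk's commit hooks directory. The paths `/etc/apk/repositories` and `/etc/apk/commit_hooks.d` are apk-tools defaults assumed here (the article names only a commit_hooks directory), and the function names are hypothetical.

```shell
#!/bin/sh
# Audit an Alpine root filesystem: a running container's "/" or an image
# unpacked to a directory. Paths are apk-tools defaults (an assumption,
# not taken from the article).
# Usage: audit_alpine_root /path/to/rootfs

# Print repository lines that fetch packages over plaintext HTTP.
plaintext_repos() {
    repo_file="$1/etc/apk/repositories"
    [ -f "$repo_file" ] || return 0
    # Comment lines never match; an optional "@tag " prefix may precede the URL.
    grep -E '^[[:space:]]*(@[^[:space:]]+[[:space:]]+)?http://' "$repo_file" || true
}

# Print every non-directory entry in apk's commit hooks directory.
commit_hooks() {
    hook_dir="$1/etc/apk/commit_hooks.d"
    [ -d "$hook_dir" ] || return 0
    find "$hook_dir" ! -type d | sort
}

# Return 0 when both checks are clean, 1 when either produced findings.
audit_alpine_root() {
    root="${1:-}"
    status=0
    repos=$(plaintext_repos "$root")
    hooks=$(commit_hooks "$root")
    if [ -n "$repos" ]; then
        echo "plaintext repositories (open to in-path tampering):"
        echo "$repos" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$hooks" ]; then
        echo "commit hooks present (review each one):"
        echo "$hooks" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}
```

A clean result only shows that these two exposures are absent; it does not replace rebuilding the image on the fixed Alpine release.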

Original link: https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/
