Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked
For three years, some official Alpine Linux Docker images have shipped with the root account enabled and no password set, opening the door for attackers to authenticate as root with a blank password on any server or workstation provisioned from those images whose login services check passwords against the system shadow file. Affected images include Alpine Linux Docker versions 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9 as well as the Alpine Docker Edge image, according to Cisco Talos researchers, who disclosed the bug, tested each version and released their findings on Wednesday. Vulnerable Alpine Linux Docker images have been available via the official Docker Hub portal since late 2015.
The “empty password in configuration file” bug (CVE-2019-5021) carries a critical CVSS score of 9.8. The vulnerability dates back to 2015, when it was first identified and patched. However, weeks after that fix was deployed, a follow-up change associated with the bug's regression tests undid it.
That change inadvertently “removed this ‘disable root by default’ flag from the ‘edge’ build properties file, reintroducing this issue to subsequent builds,” Cisco Talos researchers wrote. The practical result is a root line in /etc/shadow with an empty password field (root:::0:::::) instead of the locked form (root:!::0:::::), so the check is to inspect that single line in any image or container you build from these tags.
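The check a practitioner would want, as an added example that is not code from the Talos advisory or from the Alpine project: a small POSIX shell script that reads an /etc/shadow file on stdin, classifies the root entry as empty (the CVE-2019-5021 state), locked, hashed or missing, and rewrites an empty root password into a locked one. The function names classify_root_shadow and lock_root_shadow and the sample shadow contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Talos advisory or from Alpine. Reads the
# contents of an /etc/shadow file on stdin and classifies the root entry, so it
# can be piped from: docker run --rm alpine:3.9 cat /etc/shadow
# Uses only tools present in busybox (grep, head, cut, sed).

# Prints one of: empty, locked, hashed, missing. The exit status is non-zero for
# the states a CI check should fail on: empty (CVE-2019-5021) and missing.
classify_root_shadow() {
  line=$(grep '^root:' | head -n 1)
  if [ -z "$line" ]; then
    echo missing
    return 1
  fi
  # The second colon-separated field is the password hash. An empty field means
  # a blank password is accepted by anything that authenticates against the
  # shadow file (for example a PAM-backed login service).
  field=$(printf '%s\n' "$line" | cut -d: -f2)
  case "$field" in
    "")        echo empty;  return 1 ;;
    '!'*|'*'*) echo locked; return 0 ;;   # locked or no-login account
    *)         echo hashed; return 0 ;;
  esac
}

# Rewrites a shadow file on stdin so that an empty root password becomes a
# locked one (root:!:...), the same end state as `passwd -l root`. Entries that
# are already locked or carry a hash are left untouched.
lock_root_shadow() {
  sed 's/^root::/root:!:/'
}

# Constructed sample inputs modelled on a vulnerable and on a fixed image.
VULN_SHADOW='root:::0:::::
bin:!::0:::::
daemon:!::0:::::'
FIXED_SHADOW='root:!::0:::::
bin:!::0:::::
daemon:!::0:::::'

# Stand-alone demonstration: the vulnerable sample fails the check, the fixed
# sample passes, and the vulnerable sample passes once it has been locked.
printf '%s\n' "$VULN_SHADOW" | classify_root_shadow \
  || echo "root would accept a blank password"
printf '%s\n' "$FIXED_SHADOW" | classify_root_shadow
printf '%s\n' "$VULN_SHADOW" | lock_root_shadow | classify_root_shadow
```

To audit a pulled image, run `docker run --rm alpine:3.9 cat /etc/shadow | sh -c '. ./check.sh; classify_root_shadow'` (assuming the script above is saved as check.sh); to harden an image you build yourself, add `RUN sed -i 's/^root::/root:!:/' /etc/shadow` to the Dockerfile, which is equivalent to `RUN passwd -l root`. Two caveats: a locked root account only matters if something inside the container authenticates against /etc/shadow, such as a PAM-backed sshd with password authentication, so a minimal image that runs a single non-interactive process is far less exposed than the 9.8 score suggests; and the check must be run against the image digest you actually deploy, since the regression lived in the edge build properties and not every tag of every version was affected in the same way.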