Vulnerability Watch

snarang
Product Team
6 years ago

Docker Vulnerable to Symlink-Race Attack (CVE-2018-15664)

On May 28, researcher Aleksa Sarai publicly disclosed a vulnerability that affects all versions of Docker. CVE-2018-15664 is a Time Of Check to Time Of Use (TOCTOU) vulnerability in the FollowSymlinkInScope function of the symbolic link (symlink) package, which is used to safely resolve a given path as if the process were inside the container. An attacker can exploit this vulnerability if they are able to add a symlink to a given path after it has been resolved but before it is operated on. Sarai adds that in “the case of ‘docker cp’ this gives you read *and* write access to any path on the host.”
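The resolve-then-operate shape Sarai describes, beside a walk that carries the scope check through to the open itself, as an added example that is not Docker's FollowSymlinkInScope or Sarai's patch; it assumes a Linux host, uses only Go's standard syscall package, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// resolveThenOpen has the shape of the vulnerable code: resolve the path,
// check that the result lies under root, then open it by name. A component
// swapped for a symlink between the check and the open is followed by the
// kernel, so the check no longer says anything about what gets opened.
func resolveThenOpen(root, rel string) (*os.File, error) {
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return nil, err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+"/") {
		return nil, errors.New("path escapes root")
	}
	return os.Open(resolved) // TOCTOU window: the check above may no longer hold
}

// openInScope closes the window: every component is opened relative to the
// previous directory fd with O_NOFOLLOW, so a symlink, whenever it appears,
// makes the walk fail instead of leading outside root (assumed Linux host).
func openInScope(root, rel string) (*os.File, error) {
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	clean := filepath.Clean("/" + rel) // lexically drops "..", stays rooted
	parts := strings.FieldsFunc(clean, func(r rune) bool { return r == '/' })
	for i, part := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real dirs
		}
		next, err := syscall.Openat(fd, part, flags, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, err // a symlink component fails here with ELOOP or ENOTDIR
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, clean)), nil
}
```

Refusing every symlink is stricter than Docker can be, since FollowSymlinkInScope must honour symlinks inside the container rootfs; the point is that the decision and the open happen on the same directory fd, leaving no window in which a component can be swapped.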

Sarai has provided two exploit scripts, run_read.sh and run_write.sh, to demonstrate the attack by “trying to copy a file to or from a path containing the swapped symlink.” In the case of run_read.sh, Sarai says there is a less than 1% chance “of hitting the race condition,” but that still means it “only takes 10s of trying to get read access to the host with root permissions.” run_write.sh, by contrast, is designed to “overwrite the host filesystem in very few iterations” by abusing the Docker package known as chrootarchive.

The vulnerability has not been fixed. However, Sarai has submitted an upstream patch to address it. At the time this post was published the patch had not yet been approved, as it was still undergoing code review.

While the vulnerability is a concern, its impact is mitigated. Reproducing it is difficult because the race condition must be won, and an attacker needs either access to the Docker host to run the ‘docker cp’ command or a way to convince a user to download and run a malicious container.

For more information, please review the vulnerability disclosure.