Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the
root user. This vulnerability appears to be the result of a regression introduced in December t2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the
Alpine Docker 3.3 Alpine Docker 3.4 Alpine Docker 3.5 Alpine Docker 3.6 Alpine Docker 3.7 Alpine Docker 3.8 Alpine Docker 3.9 Alpine Docker Edge
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-258 - Empty Password in Configuration File
In builds of the Alpine Docker Image (>=3.3) the
/etc/shadow file contains a blank field in place of the encrypted password (
sp_pwdp in the context of the
spwd struct returned by
$ for i in
seq 1 9; do echo -n "
date - Alpine Docker 3.$i - "; docker run -it alpine:3.$i head -n 1 /etc/shadow ; done
Thu 7 Feb 2019 16:15:43 GMT - Alpine Docker 3.1 - root:!::0::::: Thu 7 Feb 2019 16:15:44 GMT - Alpine Docker 3.2 - root:!::0::::: Thu 7 Feb 2019 16:15:46 GMT - Alpine Docker 3.3 - root:::0::::: Thu 7 Feb 2019 16:15:48 GMT - Alpine Docker 3.4 - root:::0::::: Thu 7 Feb 2019 16:15:49 GMT - Alpine Docker 3.5 - root:::0::::: Thu 7 Feb 2019 16:15:51 GMT - Alpine Docker 3.6 - root:::0::::: Thu 7 Feb 2019 16:15:53 GMT - Alpine Docker 3.7 - root:::0::::: Thu 7 Feb 2019 16:15:54 GMT - Alpine Docker 3.8 - root:::0::::: Thu 7 Feb 2019 16:15:56 GMT - Alpine Docker 3.9 - root:::0:::::
The net result of a blank
sp_pwdp field is that the system will treat the
root user as having no password, rather than a 'locked' account if a
* is explicitly specified.
After discussions with Alpine Linux, it was discovered that this issue was also reported in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.
root account should be explicitly disabled in Docker images built using affected versions as a base. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database.
2019-02-19 - Vendor Disclosure
2019-02-21 - Vendor Acknowledged
2019-03-01 - It was discovered that this issue was also reported and made public in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.
2019-05-08 - Public Release
Discovered by Peter Adkins of Cisco Umbrella.