Vulnerability disclosure - Docker Hub Standalone

James Turnbull

Jun 30, 2014, 12:46:22 PM
to docker-user, docker-...@googlegroups.com, docker-dev
The Registry that stores images and runs underneath the Docker Hub
supports a standalone mode that is used for a private hosted Registry.
It configures the Registry to never contact the Hub to validate a token.
A change in the code caused the Registry to believe it was in standalone
mode. The Registry worked as usual but allowed anyone to push an image
by hitting the Registry endpoint directly. This endpoint is not
advertised in the protocol documentation but can be discovered by
looking at the Docker debug logs while pushing an image.

==Impact

An attacker could push a new version of an image without authorization.

==Vulnerable platforms and distributions

The Docker registry between May 29th 2014 and June 13th 2014.

==How to reproduce

1. Tag to the Registry endpoint.

$ docker tag ubuntu:latest registry-1.docker.io/foobar

2. Push the image to the endpoint.

$ docker push registry-1.docker.io/foobar
The push refers to a repository [registry-1.docker.io/foobar] (len: 1)
Sending image list
Pushing repository registry-1.docker.io/foobar (1 tags)
Image 511136ea3c5a already pushed, skipping
Image e465fff03bce already pushed, skipping
Image 23f361102fae already pushed, skipping
Image 9db365ecbcbb already pushed, skipping
Image ad892dd21d60 already pushed, skipping
Pushing tag for rev [ad892dd21d60] on
{https://registry-1.docker.io/v1/repositories/foobar/tags/latest}

3. Validate the image was uploaded unauthenticated.

$ curl https://registry-1.docker.io/v1/repositories/foobar/tags/latest
"ad892dd21d607a1458a722598a2e4d93015c4507abcd0ebfc16a43d4d1b41520"

==Exploitation

This hasn't been exploited in the wild. To validate this we have
conducted an audit of all registry logs since the vulnerability was
introduced, and have found no evidence of exploitation.

==Resolution and mitigation

* Issue was reported to the Docker team on June 13th. A hotfix was
pushed to production shortly afterward to remediate the issue. As of
June 13th the Docker Hub is no longer vulnerable to this issue.

* If you run your own private registry you should immediately upgrade to
version 0.7.2 of the Docker Registry -
https://github.com/dotcloud/docker-registry/releases/tag/0.7.2.

* The Docker Hub team reviewed every push request during the time period
to identify any unauthenticated pushes. None existed (other than pushes
used to validate the vulnerability).

* We’re going to improve unit and integration testing on the related
components including the relevant API endpoint.

* We’ve hired a security firm to run a complete audit of our code and
infrastructure.

==Acknowledgements

Thanks to Lucas Clemente for reporting the issue to us.

Please direct any questions to secu...@docker.com and you can find our
security policy and responsible disclosure policy here:
http://www.docker.com/resources/security/.

Kind Regards

James Turnbull

--
Services & Support @ Docker
Book a meeting with me: http://meetme.so/jamtur01
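
The audit of push requests described under Exploitation and Resolution above can be sketched for a private registry as follows. This is an added example, not Docker's audit tooling and not part of the original message; the JSON-lines log layout, its field names (`ts`, `method`, `path`, `status`, `auth`) and the function `audit_pushes` are assumptions, and the sample log lines are constructed.

```python
import json
import re
from datetime import datetime, timezone

# Exposure window from the advisory (May 29 to June 13, 2014); UTC is assumed.
WINDOW = (datetime(2014, 5, 29, tzinfo=timezone.utc),
          datetime(2014, 6, 13, 23, 59, 59, tzinfo=timezone.utc))
# Tag endpoint shape taken from the push output quoted in the advisory.
TAG_PATH = re.compile(r"^/v1/repositories/(?P<repo>.+)/tags/(?P<tag>[^/]+)$")
WRITE_METHODS = {"PUT", "DELETE"}

# Constructed sample log. The JSON-lines layout and field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2014-05-30T08:15:02Z", "method": "PUT", "path": "/v1/repositories/library/ubuntu/tags/latest", "status": 200, "auth": true}
{"ts": "2014-06-02T11:40:19Z", "method": "GET", "path": "/v1/repositories/foobar/tags/latest", "status": 200, "auth": false}
{"ts": "2014-06-10T17:03:44Z", "method": "PUT", "path": "/v1/repositories/foobar/tags/latest", "status": 200, "auth": false}
{"ts": "2014-06-20T09:12:00Z", "method": "PUT", "path": "/v1/repositories/foobar/tags/latest", "status": 401, "auth": false}
{"ts": "2014-06-11T00:00:0
"""


def audit_pushes(log_text, window=WINDOW):
    """Return (findings, unparsed): accepted tag writes that carried no
    credentials inside the window, and line numbers that could not be read."""
    findings, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            match = TAG_PATH.match(rec["path"])
            accepted = 200 <= rec["status"] < 300
            is_write = rec["method"].upper() in WRITE_METHODS
            has_auth = bool(rec["auth"])
        except (ValueError, KeyError, TypeError, AttributeError):
            unparsed.append(lineno)  # never drop unreadable lines silently
            continue
        if (match and is_write and accepted and not has_auth
                and window[0] <= ts <= window[1]):
            findings.append((lineno, rec["ts"], match["repo"], match["tag"]))
    return findings, unparsed


if __name__ == "__main__":
    hits, bad = audit_pushes(SAMPLE_LOG)
    for hit in hits:
        print("unauthenticated push:", hit)
    print("unparsed lines:", bad)
```

Unreadable lines are returned separately so that a gap in the logs is reviewed by hand and not counted as "no evidence".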
