[CVE-2014-5278] Container names may collide with and override container IDs


Eric Windisch

Aug 27, 2014, 4:34:33 PM8/27/14
to docker-...@googlegroups.com
Disclosed yesterday on the user’s list.

Begin forwarded message:

From: Eric Windisch <ewin...@docker.com>
Subject: [CVE-2014-5278] Container names may collide with and override container IDs
Date: August 26, 2014 at 4:54:47 PM EDT
To: docker-user <docke...@googlegroups.com>

In an effort to begin assigning CVE-IDs to vulnerabilities, we are announcing the following issue for Docker 1.1, fixed in Docker 1.2. I apologize for the late timing of this, given that 1.2 was released days ago.

==============================================================
[CVE-2014-5278] Container names may collide with and override container IDs
==============================================================

Severity: Low

----------------------------------------------------------------------------------------------------------------------------
Summary:
----------------------------------------------------------------------------------------------------------------------------

In Docker 1.1, a potential threat vector was discovered, which was not directly exploitable via the Docker utilities. However, some 3rd-party orchestration and management tools may be affected, if they allow users to specify arbitrary names for their containers. Most users of Docker are likely to be unaffected.

Under certain circumstances, an attacker could create a new container on a host which would intercept command and control for another container’s ID. Generally, this circumstance would necessitate the attacker already have access to the Docker Remote API or CLI; however, such command and control could be provided to users via 3rd-party management and orchestration tools.

----------------------------------------------------------------------------------------------------------------------------
Details:
----------------------------------------------------------------------------------------------------------------------------

The Docker engine treats container names and IDs equally via its API. Requests look like '/containers/{name:.*}/kill', where the name argument may be either an ID or container name. It has been discovered that in all versions of Docker, user-supplied names were consulted prior to checking for an existing container ID.

----------------------------------------------------------------------------------------------------------------------------
Impact:
----------------------------------------------------------------------------------------------------------------------------

This affects all versions of Docker up to, but excluding, version 1.2.

----------------------------------------------------------------------------------------------------------------------------
Discovered, and patch provided, by Eric Windisch of Docker, Inc.



Docker contributors have been hard at work making Docker better and better with each release, including important security improvements such as the addition of granular Linux capabilities management with the release of Docker 1.2. Likewise, since establishing a security and responsible disclosure policy, we have seen a substantial interest by researchers in contributing to the improvement of Docker.

If you discover any issues in Docker or the Hub, we encourage you to do the same by contacting secu...@docker.com.

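The Details section above boils down to a lookup-order bug: the engine's `/containers/{name}/...` endpoints accept either an ID or a name, and pre-1.2 builds consulted the user-supplied name index before the ID index, so a container whose name equals another container's ID captured requests addressed to that ID. The following Go program is an added illustration, not code from the Docker engine or from the advisory's author: it models a toy registry with both lookup orders side by side, and adds a small audit (`ShadowingNames`) that a management or orchestration tool could run to flag names that would take precedence over an existing ID. The registry, container IDs and names are constructed sample values; the audit also treats a name that is a prefix of some ID as a collision, which goes slightly beyond the advisory because Docker accepts unique ID prefixes as references.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Container is a minimal stand-in for the engine's container record.
// Real IDs are 64 hex characters; the sample values here are shortened.
type Container struct {
	ID   string
	Name string // user-supplied name
}

// Registry indexes containers by ID and by name, mirroring the two lookup
// paths the advisory describes.
type Registry struct {
	byID   map[string]*Container
	byName map[string]*Container
}

func NewRegistry() *Registry {
	return &Registry{byID: map[string]*Container{}, byName: map[string]*Container{}}
}

// Add registers a container. Names are deliberately not checked against
// existing IDs, because that is the pre-1.2 situation being modelled.
func (r *Registry) Add(c *Container) {
	r.byID[c.ID] = c
	r.byName[c.Name] = c
}

var ErrNotFound = errors.New("no such container")

// ResolveNameFirst models the vulnerable order: the name index is consulted
// before the ID index, so a container whose name equals another container's
// ID receives requests addressed to that ID.
func (r *Registry) ResolveNameFirst(ref string) (*Container, error) {
	if c, ok := r.byName[ref]; ok {
		return c, nil
	}
	if c, ok := r.byID[ref]; ok {
		return c, nil
	}
	return nil, ErrNotFound
}

// ResolveIDFirst models the corrected order: an exact ID match wins, and the
// name index is consulted only when no container has that ID.
func (r *Registry) ResolveIDFirst(ref string) (*Container, error) {
	if c, ok := r.byID[ref]; ok {
		return c, nil
	}
	if c, ok := r.byName[ref]; ok {
		return c, nil
	}
	return nil, ErrNotFound
}

// ShadowingNames is an audit for tooling that lets users pick container
// names: it returns, sorted, every name that equals or is a prefix of some
// other container's ID, i.e. the names that would win under the
// vulnerable lookup order. (Prefix handling is an assumption; the advisory
// itself only describes exact name/ID equality.)
func (r *Registry) ShadowingNames() []string {
	var out []string
	for name, c := range r.byName {
		for id, other := range r.byID {
			if other != c && strings.HasPrefix(id, name) {
				out = append(out, name)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	r := NewRegistry()
	victim := &Container{ID: "c0ffee42deadbeef", Name: "web"} // constructed sample
	impostor := &Container{ID: "0badf00d12345678", Name: victim.ID} // name == victim's ID
	r.Add(victim)
	r.Add(impostor)

	v, _ := r.ResolveNameFirst(victim.ID)
	f, _ := r.ResolveIDFirst(victim.ID)
	fmt.Printf("name-first lookup of %s hits container named %q\n", victim.ID, v.Name)
	fmt.Printf("id-first   lookup of %s hits container named %q\n", victim.ID, f.Name)
	fmt.Println("names shadowing an ID:", r.ShadowingNames())
}
```

Under the name-first order a kill or exec request for `c0ffee42deadbeef` lands on the impostor; under the ID-first order it lands on the real container, and `web` still resolves by name. The audit is the check a third-party orchestrator that exposes naming to its own users would want regardless of engine version, since rejecting or flagging such names at creation time removes the collision entirely.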