Trending CVEs for the Week of June 3rd, 2019

CVE-2018-15664 – Docker Vulnerability

The BlueKeep vulnerability is still trending on social media, and we covered CVE-2019-0708 extensively in our May 27th and May 20th blog posts. This week we will talk about CVE-2018-15664, the runner-up on the list: Docker is vulnerable to a symlink-race attack.

Description

The API endpoints behind the ‘docker cp’ command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

Affected Products

Affected packages are:

  • Red Hat OpenShift Container Platform 3.7
  • Red Hat OpenShift Container Platform 3.6
  • Red Hat Enterprise Linux 7

The following products are still under investigation:

  • Red Hat OpenShift Container Platform 3.5
  • Red Hat OpenShift Container Platform 3.4
  • Red Hat JBoss Fuse 7

Exploitation and Risk

An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.

Fixes

Stopping a container prior to running “docker cp” removes the TOCTOU vulnerability.
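
The workaround above as a shell wrapper, added here as an example and not taken from the original post or from Docker: `safe_docker_cp` (a hypothetical name) stops a running container, performs the copy, and restarts it afterwards. It assumes the `docker` CLI is on the PATH and that a short outage of the container is acceptable.

```shell
#!/bin/sh
# Added example (not from the original post): copy to/from a container only
# while it is stopped, so no process inside it can exchange path components
# for symlinks while the daemon resolves them.
# Usage: safe_docker_cp <container> <src> <dst>
#   <src>/<dst> use normal docker cp syntax, e.g. web:/etc/app.conf ./app.conf

safe_docker_cp() {
    if [ "$#" -ne 3 ]; then
        echo "usage: safe_docker_cp <container> <src> <dst>" >&2
        return 2
    fi
    ctr=$1 src=$2 dst=$3

    # Ask the daemon whether the container is currently running.
    running=$(docker inspect -f '{{.State.Running}}' "$ctr") || {
        echo "cannot inspect container: $ctr" >&2
        return 1
    }

    if [ "$running" = "true" ]; then
        # Stop first; refuse to copy if the stop fails, because the
        # TOCTOU window would still be open.
        docker stop "$ctr" >/dev/null || {
            echo "failed to stop $ctr; not copying" >&2
            return 1
        }
    fi

    # With no container processes alive, the path cannot change mid-copy.
    rc=0
    docker cp "$src" "$dst" || rc=$?

    # Restore the previous state whether or not the copy succeeded.
    if [ "$running" = "true" ]; then
        docker start "$ctr" >/dev/null || {
            echo "warning: could not restart $ctr" >&2
            [ "$rc" -ne 0 ] || rc=1
        }
    fi
    return "$rc"
}
```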
