A major security vulnerability has been found in Docker containers. A function in Docker called FollowSymlinkInScope is prone to a race condition that attackers can exploit to modify resource paths.
The flaw was discovered by security researcher Aleksa Sarai, who says that the function can be used to carry out a time-of-check to time-of-use (TOCTOU) attack. As of now, the vulnerability remains unpatched and Docker has yet to respond with a fix. All current versions contain this flaw.
The key highlights
Exploit scripts
Sarai also describes two exploit scripts for this vulnerability, which can allow modification of resource paths. “Attached are two reproducers of the issue. They both include a Docker image which contains a simple binary that does a RENAME_EXCHANGE of a symlink to "/" and an empty directory in a loop, hoping to hit the race condition. In both of the scripts, the user is trying to copy a file to or from a path containing the swapped symlink,” Sarai wrote in an email on the oss-sec mailing list.
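The gap between resolving a path and using it, and one way to close it on Linux, shown as an added example (this is not Docker's code or its fix). `checkThenUse`, `openInRoot` and the `gap` hook are hypothetical names, and `root` is assumed to be an absolute, already-canonical directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// checkThenUse: resolve, check scope, reopen by name; gap is a hypothetical hook run in between.
func checkThenUse(root, rel string, gap func()) ([]byte, error) {
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil || !strings.HasPrefix(resolved, root+"/") {
		return nil, errors.New("path rejected")
	}
	gap()                        // time of check ends here
	return os.ReadFile(resolved) // time of use: the name is resolved again
}

// openInRoot (Linux) walks rel one component at a time from a directory descriptor
// with O_NOFOLLOW, so a component swapped for a symlink fails instead of being followed.
func openInRoot(root, rel string) (*os.File, error) {
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(strings.TrimPrefix(filepath.Clean("/"+rel), "/"), "/")
	for i, name := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real directories
		}
		next, err := syscall.Openat(fd, name, flags, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, fmt.Errorf("component %q: %w", name, err)
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), rel), nil
}

func main() { // usage: prog <root> <relative path>
	if len(os.Args) == 3 {
		_, err := openInRoot(os.Args[1], os.Args[2])
		fmt.Println("openInRoot:", err)
	}
}
```

When a directory on the path is replaced by a symlink at the `gap` point, `checkThenUse` returns the file outside the root, while `openInRoot` fails on that component.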
Docker Inc is expected to release a patch for this flaw anytime soon.