By SecureWorld News Team
Thu | May 10, 2018 | 10:09 AM PDT

Discovery of this vulnerability underlines the security challenges of software containers.

Aqua Security explains:

Last week, Michael Hanselmann published details of a remote code execution vulnerability (CVE-2018-8115) that impacts Docker for Windows. As he described it: “Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft. Its use of Go's “filepath.Join” function with unsanitized input allowed to create, remove and replace files in the host file system, leading to remote code execution.…”

Michael has disclosed this to Microsoft (who maintain the shim), and they have issued a fix (hcsshim 0.6.10). Docker has also updated its Enterprise (latest patch releases of Docker EE 17.06) and Community editions (Docker CE 18.03.1 and Docker CE 17.05.0-rc1). So if you are running those versions, you’re protected against this CVE, and if not you should update your versions as soon as you can.

Today, Michael published a POC with the details. The essence of the vulnerability is that in the “image pull” process, files from a malicious image can be extracted into any directory on the host file system. This happens as part of the image ‘unpacking’ process, where the code that processes the tar archive joins the destination directory with the file path specified in the archive.
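The containment check that tar-unpacking code of this kind needs before it writes anything, as an added Go example (not code from hcsshim, Docker, or the Aqua Security post quoted above). The names `safeJoin`, `auditTar`, `sampleLayer` and the `layers/abc` directory are hypothetical, and the tar stream is a constructed sample built in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin joins an entry name onto dest and rejects results outside dest (lexical check; symlinks are not resolved).
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans ".." segments but does not confine the result
	rel, err := filepath.Rel(dest, target)
	if err != nil || filepath.IsAbs(name) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q is not confined to %q", name, dest)
	}
	return target, nil
}

// auditTar reads a tar stream and returns the entry names that safeJoin refuses for dest.
func auditTar(r io.Reader, dest string) (bad []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return bad, err
		}
		if _, err := safeJoin(dest, hdr.Name); err != nil {
			bad = append(bad, hdr.Name)
		}
	}
}

// sampleLayer builds a constructed archive: one ordinary entry and one whose name climbs out of dest.
func sampleLayer() io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "app/config.txt", Typeflag: tar.TypeReg})
	tw.WriteHeader(&tar.Header{Name: "app/../../outside.txt", Typeflag: tar.TypeReg})
	tw.Close()
	return &buf
}

func main() {
	fmt.Println(auditTar(sampleLayer(), filepath.Join("layers", "abc")))
}
```

An extractor would call `safeJoin` for every header and abort the unpack on the first error instead of collecting names as `auditTar` does.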
