CVE-2018-15664 - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to

CVE-2018-15664

Summary

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

References

Vulnerable Configurations

cpe:2.3:a:docker:docker:17.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc5:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc5:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce-:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce-:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc2:*:*:community:*:*:*

CVSS

Base:	6.2 (as of 25-06-2019 - 12:15)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
LOCAL	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:H/Au:N/C:C/I:C/A:C

redhat via4

advisories

rhsa

id	RHSA-2019:1910

rpms

docker-2:1.13.1-102.git7f2769b.el7
docker-client-2:1.13.1-102.git7f2769b.el7
docker-common-2:1.13.1-102.git7f2769b.el7
docker-debuginfo-2:1.13.1-102.git7f2769b.el7
docker-logrotate-2:1.13.1-102.git7f2769b.el7
docker-lvm-plugin-2:1.13.1-102.git7f2769b.el7
docker-novolume-plugin-2:1.13.1-102.git7f2769b.el7
docker-rhel-push-plugin-2:1.13.1-102.git7f2769b.el7
docker-v1.10-migrator-2:1.13.1-102.git7f2769b.el7

refmap via4

bid	108507
confirm	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664
misc	https://bugzilla.suse.com/show_bug.cgi?id=1096726 https://github.com/moby/moby/pull/39252
mlist	[oss-security] 20190528 CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack [oss-security] 20190821 RE: CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack
suse	openSUSE-SU-2019:1621 openSUSE-SU-2019:2044
ubuntu	USN-4048-1

Last major update

25-06-2019 - 12:15

Published

23-05-2019 - 14:29

Last modified

25-06-2019 - 12:15