Dockerfile Misconfiguration: Dependency Confusion

Docker

Abstract

使用非特定版本擷取組建相依項，會使組建系統易受惡意二進位程式的侵害或造成系統產生意外的運作方式。

Explanation

Dockerfile 可以為相依項和基本映像指定一個沒有界線的版本範圍。如果攻擊者能將惡意版本的相依項新增至儲存庫，或欺騙組建系統從攻擊者控制的儲存庫下載相依項，那麼如果 docker 設定為沒有特定版本的相依項時，則 docker 將以無訊息方式下載並執行遭入侵的相依項。

這種類型的弱點可能因為供應鏈攻擊而被利用，在供應鏈攻擊中，攻擊者可運用開發人員的錯誤組態，接著誤植域名，然後可將惡意套件新增至開放原始碼儲存庫。這種類型的攻擊利用對已發佈套件的信任來獲取存取權限並竊取資料。

在 docker 中，latest 標籤會自動指示未使用摘要或唯一標籤為其提供版本的映像的版本層級。Docker 會自動指派 latest 標籤做為指向最新映像資訊清單檔案的機制。由於標籤是可變的，所以攻擊者可使用 latest (或弱標籤，如imagename-lst, imagename-last, myimage) 取代映像或階層。

範例 1：以下組態指示 Docker 挑選使用最新 ubuntu 版本的基本映像。


    FROM ubuntu:Latest
    ...

Docker 不會驗證設定為支援套件管理器的儲存庫是否值得信賴。

範例 2：以下組態指示套件管理器 zypper 擷取指定套件的最新版本。


...
zypper install package
...

在 Example 2 中，如果儲存庫遭到入侵，攻擊者可能很容易便上傳符合動態標準的版本，使 zypper 下載相依項的惡意版本。

References

[1] Best practices for writing Dockerfile

[2] Standards Mapping - Common Weakness Enumeration CWE ID 20

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.configuration.docker.dockerfile_misconfiguration_dependency_confusion