Alpine Linux is an independent, non-commercial, general purpose Linux distribution that is heavily used in containers, including Docker.
Alpine Linux is based on musl libc and busybox, it is a tiny distro and is optimized to manage resources, it is known also for fast boot times.
The experts discovered several vulnerabilities in the APK, the default package manager in Alpine. The most severe bug discovered by Max Justicz could be exploited by an attacker to carry out a man-in-the-middle attack to execute arbitrary code on the user’s machine.
“I found several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker.” states the analysis published by the researcher.
“The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories.”
An attacker could trigger the flaw to target a Docker container based on Alpine and execute arbitrary code, Justicz also published a video PoC of the attack.
The package manager extracts packages, in the form of gzipped tar archives distributed as apks, then check their hashes against the ones in the signed manifest.
If the hashes are different, the package manager attempts to unlink all of the extracted files and directories.
The expert highlighted that the APK’s commit hooks feature could allow an attacker to turn persistent arbitrary file writes into code execution. Justicz discovered that it is possible to hide a malware within the package’s commit_hooks directory that would escape the cleanup and could then be executed as normal.
The expert explained that if an attacker is able to extract a file into /etc/apk/commit_hooks.d/ and have it stay there after the cleanup process, it will be executed before apk exits.
The attacker has to control the downloaded tar file avoiding that the package manager will unlink the payload and its directory during the cleanup process.
The expert explained that the attacker can run MitM to intercept apk’s package requests during Docker image building, then inject them with malicious code before they are passed to the target machines that would unpack and run the malicious code within their Docker container.
The latest Alpine version has addressed the issue, developers are recommended to rebuild their Docker images with the updated Alpine build.
(Security Affairs – Alpine, hacking)