Update "empty" password handling in "no-hard-coded-passwords" to balk at an empty root password explicitly (CVE-2019-5021) #5880
… at an empty root password explicitly (CVE-2019-5021)
As noted in gliderlabs/docker-alpine#511 (comment), Alpine 3.5 (the last version affected by this) was EOL back on 2018-11-01, but I've included it in my test run below to show the new behavior:

$ ./test/run.sh alpine:3.5 alpine:3.6 alpine:3.7 alpine:3.8 alpine:3.9 alpine:edge
testing alpine:3.5
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...error: empty password detected for 'root'
failed
'override-cmd' [4/4]...passed
testing alpine:3.6
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
testing alpine:3.7
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
testing alpine:3.8
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
testing alpine:3.9
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
testing alpine:edge
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed

While I agree that this is a worthwhile change, I'd like to note that

Are there any current images that fail this test now?
Skipping Alpine (which I tested above), here's the test run across every other

$ ./test/run.sh -t no-hard-coded-passwords $(bashbrew list --uniq --apply-constraints alt amazonlinux busybox centos cirros clearlinux crux debian euleros fedora hello-world mageia nats nats-streaming opensuse oraclelinux photon sl sourcemage swarm traefik ubuntu)
skipping "hello-world:nanoserver-1803" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "hello-world:nanoserver-1809" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "nats:1.4.1-nanoserver" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "nats:1.4.1-windowsservercore" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "nats-streaming:0.14.1-nanoserver" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "nats-streaming:0.14.1-windowsservercore" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "traefik:v2.0.0-alpha4-nanoserver" (due to architecture "amd64"; only "windows-amd64" supported)
skipping "traefik:v1.7.11-nanoserver" (due to architecture "amd64"; only "windows-amd64" supported)
testing alt:p8
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'iputils': 'x'
warning: garbage password detected for 'root': 'x'
passed
testing alt:sisyphus
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'iputils': 'x'
warning: garbage password detected for 'root': 'x'
passed
testing amazonlinux:2.0.20190228
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': '*LOCK*'
passed
testing amazonlinux:2.0.20190228-with-sources
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': '*LOCK*'
passed
testing amazonlinux:2018.03.0.20190212
'no-hard-coded-passwords' [1/1]...passed
testing amazonlinux:2018.03.0.20190212-with-sources
'no-hard-coded-passwords' [1/1]...passed
testing busybox:1.30.1-uclibc
'no-hard-coded-passwords' [1/1]...error: empty password detected for 'root'
failed
testing busybox:1.30.1-glibc
'no-hard-coded-passwords' [1/1]...error: empty password detected for 'root'
failed
testing busybox:1.30.1-musl
'no-hard-coded-passwords' [1/1]...error: empty password detected for 'root'
failed
testing busybox:1.30.1
'no-hard-coded-passwords' [1/1]...error: empty password detected for 'root'
failed
testing centos:latest
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing centos:centos6
'no-hard-coded-passwords' [1/1]...passed
testing centos:centos7.6.1810
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing centos:centos7.5.1804
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing centos:centos7.4.1708
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing centos:centos7.3.1611
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing centos:centos7.2.1511
'no-hard-coded-passwords' [1/1]...passed
testing centos:centos7.1.1503
'no-hard-coded-passwords' [1/1]...error: crypt password detected for 'root': '$1$UKLtvLuY$kka6S665oCFmU7ivSDZzU.'
failed
testing centos:centos7.0.1406
'no-hard-coded-passwords' [1/1]...error: crypt password detected for 'root': '$1$UKLtvLuY$kka6S665oCFmU7ivSDZzU.'
failed
testing centos:centos6.10
'no-hard-coded-passwords' [1/1]...passed
testing centos:centos6.9
'no-hard-coded-passwords' [1/1]...passed
testing centos:centos6.8
'no-hard-coded-passwords' [1/1]...passed
testing centos:centos6.7
'no-hard-coded-passwords' [1/1]...error: crypt password detected for 'root': '$6$QhN6G8YM$LDd5zhqarhgMy6/e1c6wYwbusi4RZBz3lfRNQ1p5VquqtHzIj.Tf9r7cqoaSLgI3FiCPzfePyTBG7omBKv9bF0'
failed
testing centos:centos6.6
'no-hard-coded-passwords' [1/1]...passed
testing cirros:0.4.0
'no-hard-coded-passwords' [1/1]...error: crypt password detected for 'cirros': '$1$ecgqyiea$GZzgQPRzx7sFFoZ7p8ewU.'
warning: garbage password detected for 'dbus': 'x'
warning: garbage password detected for 'www-data': 'x'
warning: garbage password detected for 'backup': 'x'
warning: garbage password detected for 'proxy': 'x'
warning: garbage password detected for 'sys': 'x'
warning: garbage password detected for 'mail': 'x'
warning: garbage password detected for 'haldaemon': 'x'
warning: garbage password detected for 'sshd': 'x'
failed
testing clearlinux:latest
image has no tests...skipping
testing crux:3.4
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'www': 'x'
warning: garbage password detected for 'mail': 'x'
warning: garbage password detected for 'ftp': 'x'
error: empty password detected for 'root'
failed
testing crux:3.2
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'www': 'x'
warning: garbage password detected for 'mail': 'x'
warning: garbage password detected for 'ftp': 'x'
error: empty password detected for 'root'
failed
testing debian:buster
'no-hard-coded-passwords' [1/1]...passed
testing debian:buster-backports
'no-hard-coded-passwords' [1/1]...passed
testing debian:buster-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:experimental
'no-hard-coded-passwords' [1/1]...passed
testing debian:jessie
'no-hard-coded-passwords' [1/1]...passed
testing debian:jessie-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:oldstable
'no-hard-coded-passwords' [1/1]...passed
testing debian:oldstable-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:rc-buggy
'no-hard-coded-passwords' [1/1]...passed
testing debian:sid
'no-hard-coded-passwords' [1/1]...passed
testing debian:sid-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:stable
'no-hard-coded-passwords' [1/1]...passed
testing debian:stable-backports
'no-hard-coded-passwords' [1/1]...passed
testing debian:stable-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:stretch
'no-hard-coded-passwords' [1/1]...passed
testing debian:stretch-backports
'no-hard-coded-passwords' [1/1]...passed
testing debian:stretch-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:testing
'no-hard-coded-passwords' [1/1]...passed
testing debian:testing-slim
'no-hard-coded-passwords' [1/1]...passed
testing debian:unstable
'no-hard-coded-passwords' [1/1]...passed
testing debian:unstable-slim
'no-hard-coded-passwords' [1/1]...passed
testing euleros:2.3.1809
'no-hard-coded-passwords' [1/1]...passed
testing euleros:2.3.1806
'no-hard-coded-passwords' [1/1]...passed
testing euleros:2.3.1803
'no-hard-coded-passwords' [1/1]...passed
testing euleros:2.2
'no-hard-coded-passwords' [1/1]...passed
testing fedora:27
'no-hard-coded-passwords' [1/1]...passed
testing fedora:26
'no-hard-coded-passwords' [1/1]...passed
testing fedora:30
'no-hard-coded-passwords' [1/1]...passed
testing fedora:28
'no-hard-coded-passwords' [1/1]...passed
testing fedora:latest
'no-hard-coded-passwords' [1/1]...passed
testing fedora:rawhide
'no-hard-coded-passwords' [1/1]...passed
testing hello-world:linux
image has no tests...skipping
testing mageia:6
'no-hard-coded-passwords' [1/1]...passed
testing nats:1.4.1-linux
image has no tests...skipping
testing nats-streaming:0.14.1-linux
image has no tests...skipping
testing opensuse:42.3
'no-hard-coded-passwords' [1/1]...error: empty password detected for 'root'
failed
testing oraclelinux:7.6
'no-hard-coded-passwords' [1/1]...passed
testing oraclelinux:7-slim
'no-hard-coded-passwords' [1/1]...passed
testing oraclelinux:6.10
'no-hard-coded-passwords' [1/1]...passed
testing oraclelinux:6-slim
'no-hard-coded-passwords' [1/1]...passed
testing photon:3.0
'no-hard-coded-passwords' [1/1]...cut: /etc/shadow: No such file or directory
warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'systemd-network': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'systemd-journal-gateway': 'x'
warning: garbage password detected for 'systemd-journal-remote': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'systemd-bus-proxy': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'systemd-journal-upload': 'x'
warning: garbage password detected for 'systemd-timesync': 'x'
warning: garbage password detected for 'systemd-resolve': 'x'
error: empty password detected for 'root'
failed
testing photon:dev
'no-hard-coded-passwords' [1/1]...cut: /etc/shadow: No such file or directory
warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'systemd-network': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'systemd-journal-gateway': 'x'
warning: garbage password detected for 'systemd-journal-remote': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'systemd-bus-proxy': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'systemd-journal-upload': 'x'
warning: garbage password detected for 'systemd-timesync': 'x'
warning: garbage password detected for 'systemd-resolve': 'x'
error: empty password detected for 'root'
failed
testing photon:1.0
'no-hard-coded-passwords' [1/1]...cut: /etc/shadow: No such file or directory
warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'systemd-network': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'systemd-journal-gateway': 'x'
warning: garbage password detected for 'systemd-journal-remote': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'systemd-bus-proxy': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'systemd-journal-upload': 'x'
warning: garbage password detected for 'systemd-timesync': 'x'
warning: garbage password detected for 'systemd-resolve': 'x'
error: empty password detected for 'root'
failed
testing photon:2.0
'no-hard-coded-passwords' [1/1]...cut: /etc/shadow: No such file or directory
warning: garbage password detected for 'nobody': 'x'
warning: garbage password detected for 'systemd-network': 'x'
warning: garbage password detected for 'bin': 'x'
warning: garbage password detected for 'systemd-journal-gateway': 'x'
warning: garbage password detected for 'systemd-journal-remote': 'x'
warning: garbage password detected for 'daemon': 'x'
warning: garbage password detected for 'systemd-bus-proxy': 'x'
warning: garbage password detected for 'messagebus': 'x'
warning: garbage password detected for 'systemd-journal-upload': 'x'
warning: garbage password detected for 'systemd-timesync': 'x'
warning: garbage password detected for 'systemd-resolve': 'x'
error: empty password detected for 'root'
failed
testing sl:7
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing sl:6
'no-hard-coded-passwords' [1/1]...warning: garbage password detected for 'root': 'locked'
passed
testing sourcemage:latest
'no-hard-coded-passwords' [1/1]...passed
testing swarm:1.2.9
image has no tests...skipping
testing traefik:v2.0.0-alpha4
image has no tests...skipping
testing traefik:v2.0.0-alpha4-alpine
image has no tests...skipping
testing traefik:v1.7.11
image has no tests...skipping
testing traefik:v1.7.11-alpine
image has no tests...skipping
testing ubuntu:18.04
'no-hard-coded-passwords' [1/1]...passed
testing ubuntu:18.10
'no-hard-coded-passwords' [1/1]...passed
testing ubuntu:19.04
'no-hard-coded-passwords' [1/1]...passed
testing ubuntu:14.04
'no-hard-coded-passwords' [1/1]...passed
testing ubuntu:16.04
'no-hard-coded-passwords' [1/1]...passed

So the list of images affected by this includes:

Anyone feel like sending a patch to the Buildroot mailing list? 😅 (I'll be patching that in Edit: FWIW, I dug into the commits and found that this passwordless
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021, https://manpages.debian.org/stretch/passwd/passwd.5.en.html, https://manpages.debian.org/stretch/passwd/shadow.5.en.html.
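The behaviour of the `no-hard-coded-passwords` test as it shows up in the runs above (an empty password is an error, a crypt hash is an error, anything else unrecognised is a "garbage" warning, and the check falls back to the `/etc/passwd` field when `/etc/shadow` is missing, as in the photon images), reconstructed as an added Python example. This is not the official-images test script itself; the set of locked-account markers and the treatment of empty passwords for users other than root are assumptions.

```python
import re

# shadow(5) markers meaning "no password login possible"; the desired state
# for root in a base image. Assumed set; the real test may use a different one.
LOCKED_MARKERS = {"*", "!", "!!"}
# Modular crypt format ($id$salt$hash) or a legacy 13-character DES hash.
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$|^[./0-9A-Za-z]{13}$")


def parse_colon_file(text):
    """Map user -> password field for /etc/passwd- or /etc/shadow-style text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def check_passwords(passwd_text, shadow_text=None):
    """Return (passed, messages) in the style of the thread's test output.

    Each user in /etc/passwd is checked against its /etc/shadow entry; when the
    shadow file is absent or lacks the user, the /etc/passwd field itself is
    checked, so a literal 'x' is reported as garbage (the photon case above).
    Assumption: an empty password for any user, not only root, is an error.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text) if shadow_text is not None else {}
    messages, failed = [], False
    for user, passwd_field in passwd.items():
        field = shadow.get(user, passwd_field)
        if field == "":
            messages.append(f"error: empty password detected for '{user}'")
            failed = True
        elif field in LOCKED_MARKERS:
            continue  # locked account: nothing to report
        elif CRYPT_RE.match(field):
            messages.append(f"error: crypt password detected for '{user}': '{field}'")
            failed = True
        else:
            messages.append(f"warning: garbage password detected for '{user}': '{field}'")
    return not failed, messages


if __name__ == "__main__":
    # Constructed sample mirroring a busybox-style image that ships no /etc/shadow.
    ok, msgs = check_passwords("root::0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n")
    print("passed" if ok else "failed", *msgs, sep="\n")
```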