Using Docker and Windows Server Containers? There's a patch for that
Remote code execution vuln found lurking in Microsoft's open-sourced shim
Microsoft has emitted a patch to fix a critical vulnerability in a wrapper used to launch Windows Server Containers from Go.
The issue (CVE-2018-8115) is a nasty one, allowing remote code execution when importing a container image due to a failure of the library to validate what was on the way in.
Exploiting the issue could be a challenge, as Microsoft stated:
"An attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilising the Host Compute Service Shim library to execute malicious code on the Windows host."
No administrator would ever import an image without knowing its provenance, right?
The wrapper itself, the Windows Host Compute Service Shim library, appeared back in January 2017 with Microsoft's launch of the Host Compute Service (HCS), a management API for Windows Server Containers and the likes of Docker.
Along with HCS, the new caring, sharing Microsoft also unleashed two open-source wrappers on GitHub to save devs having to worry about dealing directly with the C API. It is the one written in Go for Docker (hcsshim) where the issue lies.
The vulnerability was found in February 2018 by Michael Hanselmann, who said: "I reported the issue to Microsoft's security response center and Docker in February 2018 using responsible disclosure. Both were involved in resolving the issue."
Hanselmann has promised a proof-of-concept of the exploit by 9 May, so testing and applying the patch before then would seem prudent.
The US Computer Emergency Readiness Team issued an advisory yesterday suggesting that administrators get on with this sooner rather than later.