19% of the most popular Docker containers have no root password
Written by James Orme Tue 21 May 2019

Containers from the UK government, HashiCorp, Microsoft, Monsanto and Mesosphere are potentially affected
19.4 percent of the Docker store’s top 1000 images (194 of them) ship with a root account whose password field is empty, potentially letting anyone who can reach a password-based login inside the container become root.
Last week, a similar flaw was found in the official Alpine Linux Docker image, when Talos researchers discovered that all images since v3.3 were shipping with a root account whose /etc/shadow entry has an empty password field. The vulnerability meant attackers who infiltrated a container via another entry point, or users with shell access to it, remote or otherwise, could elevate their privileges to root within the container simply by supplying a blank password.
Over the weekend, security expert Jerry Gamblin built a script that checked the top 1000 docker containers from the Docker store to determine if they were impacted by the same misconfiguration.
After tweaking the script to correct for duplicates, Gamblin found that 194 of the 1000 containers he analysed had blank passwords, including images from the UK government, HashiCorp, Microsoft, Monsanto and Mesosphere.
If you are using these containers, don’t be alarmed. As was the case with the Alpine vulnerability, the empty password field only matters when something inside the container actually authenticates against the system shadow file, directly or through Linux PAM [Pluggable Authentication Modules]: an SSH daemon, login, su, or an application that uses PAM. A container that runs a single process as root with no login service exposes nothing new, and a container whose process runs as an unprivileged user is only affected if that process, or an attacker who has compromised it, can reach such a login path.
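The check Gamblin ran boils down to pulling /etc/shadow out of an image and looking at the second colon-separated field of the root line. The script below is an added example and is not Gamblin’s script or anything shipped by Docker or Alpine; the shadow lines in it are constructed for the demo, and the `docker run` invocation (an assumption about how you would apply the same test to a real image) is only reached when image names are passed on the command line.

```sh
#!/bin/sh
# Added example, not Jerry Gamblin's script: classify the root entry of an
# /etc/shadow (or /etc/passwd) file and optionally pull that file out of a
# Docker image.  The sample shadow lines below are constructed for the demo.

# Reads shadow/passwd-format lines on stdin and prints one word describing
# root's password field (the second colon-separated field):
#   empty  - no hash at all: a blank password logs in as root (the Alpine case)
#   locked - field starts with "!" or "*": password login is disabled
#   hashed - a real hash is present
#   absent - no root line in the input
root_password_state() {
    awk -F: '
        $1 == "root" {
            if ($2 == "") print "empty"; else if ($2 ~ /^[!*]/) print "locked"; else print "hashed"
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    '
}

# Convenience predicate for use in scripts: true when root has no password.
root_password_empty() {
    [ "$(root_password_state)" = "empty" ]
}

# Pull /etc/shadow out of an image and classify it.  Falls back to
# /etc/passwd for images that keep the hash there instead of in a shadow file.
# --entrypoint cat handles images whose entrypoint is not a shell, and
# --user 0 handles images whose USER directive is a non-root account (the
# shadow file is normally readable only by root).
check_image() {
    image=$1
    state=$(docker run --rm --user 0 --entrypoint cat "$image" /etc/shadow 2>/dev/null \
            | root_password_state)
    if [ "$state" = "absent" ]; then
        state=$(docker run --rm --user 0 --entrypoint cat "$image" /etc/passwd 2>/dev/null \
                | root_password_state)
    fi
    printf '%s\t%s\n' "$state" "$image"
}

# Constructed samples standing in for the three kinds of image you will meet:
# an Alpine-style empty field, a Debian-style locked account, and a real hash.
ALPINE_LIKE='root:::0:::::
bin:!::0:::::'
DEBIAN_LIKE='root:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'
HASHED_LIKE='root:$6$saltsalt$notarealhash:18000:0:99999:7:::'

# Prints the classification of each sample, one per line: empty, locked, hashed.
demo() {
    for sample in "$ALPINE_LIKE" "$DEBIAN_LIKE" "$HASHED_LIKE"; do
        printf '%s\n' "$sample" | root_password_state
    done
}

# With image names on the command line, check real images; otherwise run the demo.
if [ "$#" -gt 0 ]; then
    for img in "$@"; do check_image "$img"; done
else
    demo
fi
```

Run it as `sh check_root_pw.sh image1 image2 ...` (the filename is arbitrary) to get one `state<TAB>image` line per image; anything reporting `empty` is in the same position as the Alpine image. To fix an image you build yourself, lock the account in the Dockerfile with `RUN sed -i 's/^root::/root:!:/' /etc/shadow` (or `RUN passwd -l root` where the tool is available) and switch to an unprivileged account with a `USER` directive, which removes the login path rather than just the blank password.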
Gamblin said developers should avoid deploying containers that allow users to authenticate as root at all costs, and hoped his findings would raise awareness about best practices for deploying containers securely.
“Authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system,” he said.
Gamblin has published a list of all the affected containers on GitHub. Users are advised to check their Linux configurations to ascertain if they are vulnerable.
Containers enable the easy integration of microservices – a modular approach to application development that improves speed and agility – and have therefore become extremely popular with developers working within agile organisations. Revenues from the application container market are predicted to surpass $3.4 billion (£2.7 billion) by 2021.