CVE-2019-14271
Published 2019-07-29
Priority P259 · Critical 9.8 (CVSS 3.1) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 18.83% (96.9th percentile)
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | docker.io | < docker.io 18.09.1+dfsg1-9 (bookworm) | docker.io 18.09.1+dfsg1-9 (bookworm) |
| docker | docker | >= 19.03 < 19.03.1 | 19.03.1 |
| github.com | docker_docker | >= 0 < 20.10.0-beta1+incompatible | 20.10.0-beta1+incompatible |
| github.com | docker_docker | >= 19.03.0 < 19.03.1 | 19.03.1 |
| github.com | moby_moby | >= 0 < 20.10.0-beta1+incompatible | 20.10.0-beta1+incompatible |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
Detection & IOCs (extracted from sources)
- Monitor for the docker-tar process loading libnss_*.so libraries from container filesystem paths (i.e., outside the host's standard library paths); this is the core exploitation mechanism.
- The exploit checks for privilege by attempting to open /proc/self/exe: if /proc is empty (as in docker-tar's chrooted context), it proceeds. Monitor for processes that check /proc emptiness as a privilege indicator.
- Flag unexpected file writes to /evil on the host filesystem as an indicator of successful exploitation by the PoC breakout script.
- Vulnerable Docker versions are those in the 19.03.x line before 19.03.1 that were compiled with Go 1.11; check the Docker version and the Go build version to identify affected hosts.
- Exploitation requires the attacker to either run a malicious container image or have already compromised a running container; a standalone Docker host running only trusted images is not directly exploitable.
- Red Hat Enterprise Linux 7 and Red Hat Storage 3 shipped Docker versions are not affected because they were not compiled with Go 1.11.
- The vulnerability is only triggered when a docker cp command is executed against the compromised/malicious container; passive container operation alone does not trigger it.
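As an added detection example (written for this page, not code from any of the sources it cites), the following Python script checks a Docker version string against the affected 19.03.x range and scans host-side file-access events for docker-tar opening a libnss_*.so outside the host's library directories. The event line format, HOST_LIB_DIRS and the sample events are assumptions; a real monitor must report paths as resolved on the host, not as seen inside docker-tar's chroot.

```python
import re

# Assumption: directories where glibc legitimately resolves libnss_*.so on this host.
HOST_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Matches libnss_files.so.2, libnss_dns.so, and similar NSS module names.
LIBNSS_RE = re.compile(r"libnss_\w+\.so(\.\d+)*$")

# Constructed sample events in an assumed "<pid> <comm> <syscall> <host path>" format.
# The second docker-tar libnss_files load comes from a container rootfs under /var/lib/docker.
SAMPLE_EVENTS = [
    "1201 docker-tar openat /lib/x86_64-linux-gnu/libnss_files.so.2",
    "1201 docker-tar openat /var/lib/docker/overlay2/abc/merged/etc/nsswitch.conf",
    "1201 docker-tar openat /var/lib/docker/overlay2/abc/merged/lib/x86_64-linux-gnu/libnss_files.so.2",
    "1337 bash openat /var/lib/docker/overlay2/abc/merged/lib/libnss_dns.so.2",
]


def is_vulnerable_version(version: str) -> bool:
    """True for Docker 19.03.x earlier than 19.03.1, the range named in the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor) == (19, 3) and patch < 1


def parse_event(line: str):
    """Split one event line into its fields; returns None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return {"pid": int(parts[0]), "comm": parts[1], "syscall": parts[2], "path": parts[3]}


def suspicious_nss_loads(lines):
    """Return events where docker-tar opens a libnss_*.so outside the host library dirs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["comm"] != "docker-tar":
            continue
        if not LIBNSS_RE.search(ev["path"]):
            continue
        if ev["path"].startswith(HOST_LIB_DIRS):
            continue  # normal glibc NSS module load from the host
        hits.append(ev)
    return hits


if __name__ == "__main__":
    print("19.03.0 vulnerable:", is_vulnerable_version("19.03.0"))
    for ev in suspicious_nss_loads(SAMPLE_EVENTS):
        print("ALERT pid=%d loaded %s" % (ev["pid"], ev["path"]))
```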
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV · osv · 2024-06-28
Moby Docker cp broken with debian containers in github.com/docker/docker
GHSA · ghsa · 2022-05-24 · CRITICAL · CWE-665
Moby Docker cp broken with debian containers
OSV · osv · 2022-05-24 · CRITICAL
Moby Docker cp broken with debian containers
OSV · osv · 2019-07-29 · CVSS 9.8 CRITICAL
CVE-2019-14271: In Docker 19
Red Hat · vendor_redhat · 2019-07-30 · CVSS 9.8 CRITICAL · CWE-426
docker: nsswitch based config loaded inside chroot under Glibc
A flaw was discovered in Docker if it is compiled with Go 1.11. During a `docker cp` command, the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. An attacker could abuse this flaw by executing code with root privileges.
Statement: This issue did not affect the versions of docker as shipped with Red Hat Enterprise Linux 7 as they did not use Go 1.11.
Package: docker (Red Hat Enterprise Linux 7) - Not affected
Package: docker (Red Hat Storage 3) -
Debian · vendor_debian · 2019 · CVSS 9.8 CRITICAL
CVE-2019-14271: docker.io - In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), c...
Scope: local
bookworm: resolved (fixed in 18.09.1+dfsg1-9)
bullseye: resolved (fixed in 18.09.1+dfsg1-9)
forky: resolved (fixed in 18.09.1+dfsg1-9)
sid: resolved (fixed in 18.09.1+dfsg1-9)
trixie: resolved (fixed in 18.09.1+dfsg1-9)
No detection rules found.
No public exploits indexed.
Bugzilla · bugzilla · 2019-08-30 · CVSS 9.8 CRITICAL
CVE-2019-14271 docker: nsswitch based config loaded inside chroot under Glibc [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla · bugzilla · 2019-08-30 · CVSS 9.8 CRITICAL
CVE-2019-14271 docker: nsswitch based config loaded inside chroot under Glibc
References:
https://docs.docker.com/engine/release-notes/
https://github.com/moby/moby/issues/39449
Discussion:
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1747223]
Affects: openstack-rdo [bug 1747224]
---
Upstream PR:
https://github.com/moby/moby/pull/39612
Upstream patches:
https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
---
According to upstream this flaw affects only versions that use Go 1.11 (see https://github.com/moby/moby/pu
Bugzilla · bugzilla · 2019-08-30 · CVSS 9.8 CRITICAL
CVE-2019-14271 docker: nsswitch based config loaded inside chroot under Glibc [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
RDO uses docker from
Tenable · blogs_tenable · 2019-11-21 · CVSS 9.8 CRITICAL
CVE-2019-14271: Proof of Concept for Docker Copy (docker cp) Vulnerability Released
Unit42 · blogs_unit42 · 2019-11-19 · CVSS 9.8 CRITICAL
Docker Patched the Most Severe Copy Vulnerability to Date With CVE-2019-14271
Yuval Avrahami, Threat Research Center
Published: November 19, 2019
Tags: Cloud Cybersecurity Research, Threat Research, Vulnerabilities, Container breakout, Container escape, Containers, CVE-2019-14271, Docker, Exploit
## Executive Summary
In the last few years, several vulnerabilities in the copy (cp) command were found in various container platforms, including Docker, Podman and Kubernetes. The most severe among those was only recently discovered and disclosed in July. Surprisingly, it gained almost no immediate attention, perhaps due to an ambiguous CVE description and a lack of a published exploit.
CVE-2019-14271 marks a security issue in the implementation of the Docker cp command that can lead to full container escape when exploited by an attacker. This is the first complete container breakout since the severe runC vulnerability discovered back in February.
The vulnerability can be exploited, provided that a container has been compromised by a previous attack (e.g. through any other vulnerabili
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
- https://docs.docker.com/engine/release-notes/
- https://github.com/moby/moby/issues/39449
- https://seclists.org/bugtraq/2019/Sep/21
- https://security.netapp.com/advisory/ntap-20190828-0003/
- https://www.debian.org/security/2019/dsa-4521