CVE-2019-14271
published 2019-07-29


Priority: P259
Severity: critical 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.83% (96.9th percentile)
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

Affected (8 ranges)

Vendor       Product         Version range                          Fixed in
debian       debian_linux
debian       docker.io       < docker.io 18.09.1+dfsg1-9 (bookworm)  docker.io 18.09.1+dfsg1-9 (bookworm)
docker       docker          >= 19.03 < 19.03.1                     19.03.1
github.com   docker_docker   >= 0 < 20.10.0-beta1+incompatible      20.10.0-beta1+incompatible
github.com   docker_docker   >= 19.03.0 < 19.03.1                   19.03.1
github.com   moby_moby       >= 0 < 20.10.0-beta1+incompatible      20.10.0-beta1+incompatible
opensuse     leap
opensuse     leap

Detection & IOCs (extracted from sources)

filename: libnss_files.so
path:     /lib/x86_64-linux-gnu/libnss_files.so.2
path:     /original_libnss_files.so.2
path:     /breakout
path:     /host_fs
process:  docker-tar
command:  mount -t proc none /proc
command:  mount --bind . /host_fs
  • Monitor for the docker-tar process loading libnss_*.so libraries from container filesystem paths (i.e., outside the host's standard library paths); this is the core exploitation mechanism.
  • The exploit checks for privilege by attempting to open /proc/self/exe: if /proc is empty (as in docker-tar's chrooted context), it proceeds. Monitor for processes that test /proc emptiness as a privilege indicator.
  • Flag unexpected file writes to /evil on the host filesystem as an indicator of successful exploitation by the PoC breakout script.
  • Vulnerable Docker versions are those compiled with Go 1.11 in the 19.03.x line before 19.03.1; check the Docker version and the Go build version to identify affected hosts.
  • Exploitation requires the attacker to either run a malicious container image or have already compromised a running container; a standalone Docker host running only trusted images is not directly exploitable.
  • Red Hat Enterprise Linux 7 and Red Hat Storage 3 shipped Docker versions are NOT affected because they were not compiled with Go 1.11.
  • The vulnerability is only triggered when a docker cp command is executed against the compromised or malicious container; passive container operation alone does not trigger it.

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL