CVE-2019-5021 – This vulnerability allows attackers to log into... (How to Fix)

Q: What is the severity of CVE-2019-5021?

CVE-2019-5021 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to log into Alpine Linux Docker containers as root with no password. It affects systems using affected Alpine Linux Docker images (v3.3+) where authentication relies on the system shadow file, such as those using Linux PAM.

📋 TL;DR

This vulnerability allows attackers to log into Alpine Linux Docker containers as root with no password. It affects systems using affected Alpine Linux Docker images (v3.3+) where authentication relies on the system shadow file, such as those using Linux PAM.

💻 Affected Systems

Products:

Official Alpine Linux Docker images

Versions: v3.3 through v3.9.4

Operating Systems: Alpine Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using Linux PAM or similar mechanisms that authenticate against the shadow file. Containers not using password authentication are unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full container compromise leading to host escape, data theft, lateral movement, and complete system takeover.

🟠

Likely Case

Unauthorized root access to containers, enabling privilege escalation, data exfiltration, and persistence.

🟢

If Mitigated

Limited impact if containers run as non-root users, have network restrictions, or use alternative authentication methods.

🌐 Internet-Facing: HIGH - Internet-facing containers with exposed SSH or authentication services are directly exploitable.

🏢 Internal Only: MEDIUM - Internal containers remain vulnerable but require initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple passwordless login via SSH or other authentication services. No special tools required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Alpine Linux v3.9.5 and later

Vendor Advisory: https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html

Restart Required: Yes

Instructions:

1. Update Docker images: `docker pull alpine:latest` or specific version like `alpine:3.9.5`. 2. Rebuild containers using updated base image. 3. Redeploy containers.

🔧 Temporary Workarounds

Set root password manually

linux

Manually set a strong password for root user in container

docker exec -it <container_name> passwd root

Disable root login

linux

Prevent root from logging in via SSH

echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
service sshd restart

🧯 If You Can't Patch

Run containers as non-root user using USER directive in Dockerfile
Implement network segmentation and restrict container access to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check if container uses Alpine Linux v3.3-v3.9.4: `docker exec <container_name> cat /etc/alpine-release`. Then test SSH login with empty password: `ssh root@container_ip`.

Check Version:

docker exec <container_name> cat /etc/alpine-release

Verify Fix Applied:

Verify Alpine version is v3.9.5+: `docker exec <container_name> cat /etc/alpine-release`. Test SSH login with empty password should fail.

📡 Detection & Monitoring

Log Indicators:

Successful SSH logins as root without password authentication in auth.log
Multiple failed password attempts followed by successful login

Network Indicators:

SSH connections to containers from unexpected sources
Unusual outbound connections from containers

SIEM Query:

source="auth.log" "Accepted password for root" OR "Accepted publickey for root" | where password=""

📊 Metadata

CVE ID: CVE-2019-5021

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-258

Published: May 8, 2019

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/108288 Broken Link
https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html Vendor Advisory
https://security.netapp.com/advisory/ntap-20190510-0001/ Third Party Advisory
https://support.f5.com/csp/article/K25551452 Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782 Exploit,Mitigation,Patch,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/108288 Broken Link
https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html Vendor Advisory
https://security.netapp.com/advisory/ntap-20190510-0001/ Third Party Advisory
https://support.f5.com/csp/article/K25551452 Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782 Exploit,Mitigation,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-5021, you might also want to check these: