CVE-2020-29389
📋 TL;DR
The official Crux Linux Docker image was built with an empty password field for root in /etc/shadow. Any process already running inside an affected container, whatever its uid, can therefore become root with 'su root' and an empty password, and any password-authenticating service the deployment adds on top (sshd, for example) accepts the blank password as well. This is privilege escalation inside the container, not a container breakout; it becomes remotely reachable only where such a service is exposed from the container. Systems running containers built from affected versions of the official image, or from images that use it as a base, are affected.
💻 Affected Systems
- Crux Linux Docker Official Image
📦 What is this software?
CRUX is a lightweight, source-based Linux distribution for x86-64 with a BSD-style init and a ports system. The official Docker Hub image ('crux') packages its base system as a container root filesystem and is typically used as the FROM base for downstream images.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the container with root privileges, allowing attackers to execute arbitrary commands, access sensitive data, pivot to other systems, or deploy malware.
Likely Case
Unauthorized root access to containers, leading to data theft, service disruption, or lateral movement within containerized environments.
If Mitigated
Limited impact if containers run with minimal privileges, network isolation, and proper access controls, though root access remains a significant risk.
🎯 Exploit Status
Exploitation is trivial: from any unprivileged process inside the container, run 'su root' and press Enter at the password prompt. If the deployment runs sshd or another password-authenticating service inside the container, the same empty password works remotely. Note that 'docker exec' already runs as uid 0 by default, so a successful 'su root' from a plain 'docker exec' shell proves nothing about the flaw; test from an unprivileged user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.5 and later
Reference: https://github.com/koharin/koharin2/blob/main/CVE-2020-29389 (researcher write-up on GitHub, not a vendor bulletin)
Restart Required: Yes. Containers must be recreated from the fixed image; restarting an existing container does not change its filesystem.
Instructions:
1. Move to Crux Linux Docker image version 3.5 or later. 2. Pull it: 'docker pull crux:3.5' (the official image is published as 'crux'; pin a release tag rather than 'latest'). 3. Rebuild downstream images and recreate containers from the updated base. 4. Remove the old image ('docker image rm <image>') and confirm the root entry in /etc/shadow of the new image is no longer empty. Whatever the base version, a 'RUN passwd -l root' layer in your own Dockerfile guarantees the account stays locked.
🔧 Temporary Workarounds
Lock or Set the Root Password
Lock the account if nothing needs to log in as root (preferred), or set a strong password. Changes made with 'docker exec' are lost when the container is recreated, so bake the same step into the image.
docker exec <container_name> passwd -l root
docker exec -it <container_name> passwd root
Disable Root Login
Only relevant if the container runs sshd; the base image starts no service. The anchored pattern also rewrites a commented-out default.
docker exec <container_name> sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
Crux has no 'service' command; restart sshd through the openssh port's rc script ('docker exec <container_name> /etc/rc.d/sshd restart') or simply recreate the container.
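The durable form of the workaround above, as an added example that is not code from the advisory or the Crux project: a rebuild on top of the base image so the root lock survives container re-creation. The image tags and the user name 'app' are assumptions.

```sh
#!/bin/sh
# Added example, not code from the advisory or the Crux project: rebuild on top
# of the base image so the root lock survives container re-creation (changes
# made with docker exec are lost when the container is replaced). The image
# names/tags and the user name "app" are assumptions.
hardened_dockerfile() {
    base="${1:-crux:3.5}"
    cat <<EOF
FROM $base
# passwd -l prefixes the shadow field with "!" so no password matches;
# passwd and useradd come from the shadow suite in the Crux base system.
RUN passwd -l root
# Run the workload unprivileged; becoming root now needs a real hash.
RUN useradd -m -s /bin/sh app
USER app
EOF
}

build_hardened_image() {
    base="${1:-crux:3.5}"
    tag="${2:-crux-hardened:local}"
    dir=$(mktemp -d)
    hardened_dockerfile "$base" > "$dir/Dockerfile"
    docker build -t "$tag" "$dir"
    rm -rf "$dir"
    # Confirm the lock as uid 0, bypassing the image's USER and entrypoint:
    # passwd -S prints "root L ..." for a locked account, "root NP ..." for none.
    docker run --rm --user 0 --entrypoint sh "$tag" -c 'passwd -S root'
}

if [ "$#" -gt 0 ]; then
    build_hardened_image "$@"
fi
```

Usage: 'sh harden.sh crux:3.5 crux-hardened:local'. Locking with passwd -l blocks password authentication only; key-based SSH logins for root, if you add sshd, are governed by PermitRootLogin.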
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable containers
- Use container security tools to monitor for root login attempts and unauthorized access
🔍 How to Verify
Check if Vulnerable:
Do not test with 'docker exec -it <container_name> su root': 'docker exec' runs as uid 0 by default, so 'su root' succeeds regardless of the password. Instead read root's shadow entry straight from the image, without starting its entrypoint: docker run --rm --entrypoint cat <image> /etc/shadow | grep '^root:'. An empty second field ('root::...') means a blank password and the image is vulnerable; '!' or '*' means the account is locked; anything else is a password hash. Alternatively, from an unprivileged shell in a running container ('docker exec -u nobody -it <container_name> su root', or any other unprivileged user present in the image), press Enter at the prompt: a root shell means vulnerable.
Check Version:
docker inspect --format '{{.Config.Image}}' <container_name> shows the image reference the container was created from; the Crux release is the image tag (for example 'crux:3.5'). Compare digests with 'docker images --digests crux'.
Verify Fix Applied:
Repeat the shadow check on the rebuilt image: the root entry must show '!' or '*' (locked) or a hash, never an empty field. 'su root' from an unprivileged user should now fail. Confirm running containers were recreated from the new image with 'docker inspect --format '{{.Config.Image}}' <container_name>'.
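The shadow-entry check above, scripted, as an added example that is not part of the advisory or the Crux project. It classifies the root entry of any shadow file and wraps that in a check against a Docker image; the image name is an assumption.

```sh
#!/bin/sh
# Added example (not from the advisory or the Crux project): classify the root
# entry of a shadow file, then apply it to a Docker image.
# Second field of /etc/shadow for root:
#   ""                         blank password: su root from any uid succeeds on Enter
#   "!", "*", "!!", "!<hash>"  locked: no password login possible
#   anything else              a hash is set
root_password_state() {
    shadow="${1:-/etc/shadow}"
    line=$(grep '^root:' "$shadow" | head -n 1) || true
    if [ -z "$line" ]; then
        echo "missing"
        return 1
    fi
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        "")        echo "blank" ;;
        "!"*|"*"*) echo "locked" ;;
        *)         echo "set" ;;
    esac
}

# Read the shadow file out of an image without starting its entrypoint. This
# deliberately avoids docker exec, which runs as uid 0 by default and would
# make su root succeed whatever the password is. Image name is an assumption.
check_image_root_password() {
    image="${1:-crux:3.4}"
    tmp=$(mktemp)
    docker run --rm --entrypoint cat "$image" /etc/shadow > "$tmp"
    state=$(root_password_state "$tmp") || true
    rm -f "$tmp"
    echo "$image root password: $state"
    # Non-zero exit when the image is vulnerable, for use in CI gates.
    [ "$state" != "blank" ]
}

if [ "$#" -gt 0 ]; then
    check_image_root_password "$1"
fi
```

Usage: 'sh check-root.sh crux:3.4'; the exit status is non-zero for a blank root password, so the script can gate an image pipeline.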
📡 Detection & Monitoring
Log Indicators:
- Successful root sessions inside containers (shadow su 'Successful su for root by', OpenSSH 'Accepted password for root', pam_unix 'session opened for user root'); logs record only the outcome, never the password, so a blank-password login looks like any other root login
- Root logins with no preceding failed attempts, or from accounts and addresses that never otherwise authenticate as root
- Unexpected su or sudo invocations by service accounts
Network Indicators:
- Inbound connections to SSH or other authenticating services exposed from containers; the credentials themselves are not visible on the wire
- Unexpected network traffic from containers
SIEM Query:
source="docker" AND user="root" AND result="success" AND (process="su" OR process="sshd")
The password used is never logged, so no query can match on an empty password. Baseline root sessions per container and alert on any in containers that should have none.
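The log indicators above, as an added detection example that is not part of the advisory: a filter over syslog-style container logs that extracts successful root logins. The sample log is constructed, not captured data, in the formats shadow su, OpenSSH and pam_unix emit.

```sh
#!/bin/sh
# Added example, not from the advisory: pull successful root logins inside a
# container out of its syslog/auth log. Only the outcome is logged, never the
# password, so a blank-password login looks like any other root login; the
# alerting condition is therefore "a root session opened at all" in a container
# where none is expected. Patterns cover shadow su, OpenSSH and pam_unix.
ROOT_LOGIN_RE='(Successful su for root by|Accepted (password|publickey|keyboard-interactive) for root from|session opened for user root)'

root_login_events() {
    # $1: log file; prints matching lines, succeeds even when none match
    grep -E "$ROOT_LOGIN_RE" "$1" || true
}

count_root_login_events() {
    root_login_events "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real data) in the formats those services emit.
write_sample_log() {
    cat > "$1" <<'EOF'
May  5 10:00:01 web1 su[311]: Successful su for root by nobody
May  5 10:00:01 web1 su[311]: + pts/0 nobody:root
May  5 10:00:07 web1 sshd[420]: Failed password for root from 10.0.0.5 port 50122 ssh2
May  5 10:00:09 web1 sshd[420]: Accepted password for root from 10.0.0.5 port 50122 ssh2
May  5 10:00:09 web1 sshd[420]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  5 10:01:00 web1 cron[77]: (app) CMD (/usr/bin/backup)
EOF
}

if [ "$#" -gt 0 ]; then
    echo "root logins in $1: $(count_root_login_events "$1")"
    root_login_events "$1"
fi
```

Usage: 'sh root-logins.sh /var/log/auth.log' (or the file 'docker logs' output was redirected to). Failed attempts are deliberately excluded; against a blank password there are none, which is itself a signal when compared with the usual brute-force noise before a root login.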