CVE-2020-29601
📋 TL;DR
This vulnerability allows remote attackers to gain root access to systems running vulnerable Notary Docker images by using a blank password. It affects anyone using official Notary Docker images before signer-0.6.1-1. The root user in these containers has no password set, enabling trivial authentication bypass.
💻 Affected Systems
- Official Notary Docker images
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the container with root privileges, allowing attackers to execute arbitrary commands, access sensitive data, pivot to other systems, or deploy malware.
Likely Case
Attackers gain root shell access to the container, enabling them to steal cryptographic keys, manipulate signed artifacts, or use the container as a foothold for lateral movement.
If Mitigated
If containers are properly isolated with network restrictions and minimal privileges, impact is limited to the container itself without host system compromise.
🎯 Exploit Status
Exploitation is trivial: attackers simply need to connect to the container and authenticate with a blank password. No special tools or skills are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: signer-0.6.1-1 and later
Vendor Advisory: https://github.com/theupdateframework/notary
Restart Required: Yes
Instructions:
1. Pull updated image: docker pull notarysigner:signer-0.6.1-1 or later
2. Stop and remove old container
3. Deploy new container with updated image
4. Verify container is running patched version
🔧 Temporary Workarounds
Set root password manually
Linux: Manually set a strong password for the root user inside the container
docker exec -it <container_name> passwd root
Disable root login
Linux: Disable root SSH access or password authentication
docker exec -it <container_name> sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
docker exec -it <container_name> service ssh restart
🧯 If You Can't Patch
- Isolate the container network - restrict to necessary ports only using Docker network policies
- Implement strict network access controls and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
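Check which image the container is using. A match on signer-0.6.1-1 means the container runs the patched tag; images before signer-0.6.1-1 are vulnerable: docker inspect <container_name> | grep Image | grep signer-0.6.1-1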
Check Version:
docker exec <container_name> cat /etc/os-release || docker exec <container_name> uname -a
Verify Fix Applied:
Verify running image version: docker ps --format 'table {{.Names}}\t{{.Image}}' | grep notary
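The tag checks above identify the image, not the condition itself. As an added example (not from the advisory or the Notary project), this script reads /etc/shadow from a running container and lists accounts whose password field is empty; the function names and the sample shadow file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts with an empty password field in /etc/shadow.
# Shadow field 2: "" = no password needed, leading "!" or "*" = password
# login disabled, anything else = a password hash.

# blank_password_accounts FILE: print each account whose field 2 is empty.
blank_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# check_container NAME: audit a running container (assumes the docker CLI
# and that `docker exec` runs as a user able to read /etc/shadow).
# Returns 0 = clean, 1 = blank password found, 2 = could not check.
check_container() {
    tmp=$(mktemp) || return 2
    if ! docker exec "$1" cat /etc/shadow > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "$1: cannot read /etc/shadow" >&2
        return 2
    fi
    hits=$(blank_password_accounts "$tmp")
    rm -f "$tmp"
    if [ -n "$hits" ]; then
        echo "$1: blank password for:" $hits
        return 1
    fi
    echo "$1: no blank passwords"
}

# demo: run the parser over a constructed shadow file (not real data).
demo() {
    sample=$(mktemp) || return 2
    cat > "$sample" <<'EOF'
root::18500:0:::::
daemon:*:18500:0:99999:7:::
notary:!:18500:0:99999:7:::
svc:$6$constructedsalt$constructedhash:18500:0:99999:7:::
EOF
    blank_password_accounts "$sample"
    rm -f "$sample"
}

# With a container name, audit it; with no argument, run the demo.
if [ "$#" -gt 0 ]; then check_container "$1"; else demo; fi
```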
📡 Detection & Monitoring
Log Indicators:
- Failed SSH login attempts with blank password
- Successful root login from unexpected sources
- Unusual commands executed as root
Network Indicators:
- SSH connections to Notary container from unauthorized IPs
- Unexpected outbound connections from container
SIEM Query:
source="docker" AND (event="login" OR event="authentication") AND user="root" AND result="success"