CVE-2020-35184

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to gain root access to systems running affected Composer Docker images by using a blank password. Anyone using official Composer Docker images before version 1.8.3 is affected. The vulnerability stems from a misconfiguration where the root user has no password set.

💻 Affected Systems

Products:
  • Official Composer Docker images
Versions: All versions before 1.8.3
Operating Systems: Any OS running Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the official Composer Docker images from Docker Hub. Custom-built images or other distributions are not affected unless they copied this configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level access, allowing attackers to install malware, exfiltrate data, pivot to other systems, or destroy the container environment.

🟠 Likely Case

Unauthorized root access leading to data theft, container escape attempts, or deployment of malicious containers within the environment.

🟢 If Mitigated

Limited impact if containers are properly isolated with network restrictions, minimal privileges, and monitored for suspicious root login attempts.

🌐 Internet-Facing: HIGH - Internet-facing containers with exposed SSH or other authentication services could be directly exploited by remote attackers.
🏢 Internal Only: MEDIUM - Internal containers could still be exploited by attackers who have gained initial access to the network or through other compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial: an attacker only needs to attempt a root login with a blank password. No special tools or techniques are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.3 and later

Vendor Advisory: https://github.com/docker-library/official-images/issues/8760

Restart Required: Yes

Instructions:

1. Pull the updated image: docker pull composer:latest
2. Update your Dockerfiles to use composer:1.8.3 or later
3. Rebuild and redeploy all containers using the vulnerable image
4. Remove old vulnerable images: docker image prune -a

🔧 Temporary Workarounds

Set root password in Dockerfile

linux

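Manually set a strong root password in your Dockerfile before building the image. Replace the example value below with your own. The RUN line, including the password, is recorded in the image's build history (visible with docker history), so treat this as a stopgap until you move to a fixed image.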

RUN echo 'root:StrongPassword123!' | chpasswd

Disable root SSH access

linux

Configure SSH to prevent root login entirely

RUN sed -i -E 's/^#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable containers
  • Deploy host-based intrusion detection to monitor for root login attempts

🔍 How to Verify

Check if Vulnerable:

Check Docker image version: docker images | grep composer
If version is earlier than 1.8.3, test root login: docker exec -it <container> su root (try blank password)

Check Version:

docker images --format '{{.Repository}}:{{.Tag}}' | grep composer

Verify Fix Applied:

After updating, verify version is 1.8.3+: docker images | grep composer
Test that root login with blank password fails
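
The blank-password condition can also be checked directly in the image's shadow file, without attempting a login. The script below is an added example, not part of the advisory or the Composer image project; the function names and the sample shadow lines are constructed for illustration, and the commented docker command assumes the image ships cat and /etc/shadow.

```shell
#!/bin/sh
# Added example: flag accounts with an empty password field in a shadow(5) file.
# Field 2 of each line is the password hash: "" means a blank password is
# accepted, while "!" or "*" means password login is locked or disabled.

blank_password_accounts() {
    # $1 = path to a shadow-format file; prints one account name per line
    awk -F: 'NF >= 2 && $1 !~ /^#/ && $2 == "" { print $1 }' "$1"
}

root_has_blank_password() {
    # exit status 0 = root accepts a blank password, 1 = it does not
    blank_password_accounts "$1" | grep -qx root
}

# Constructed sample data (not taken from any real image).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/shadow.blank" <<'EOF'
root:::0:::::
bin:!::0:::::
www-data:!:18000:0:99999:7:::
EOF

cat > "$SAMPLE_DIR/shadow.locked" <<'EOF'
root:!::0:::::
bin:!::0:::::
www-data:!:18000:0:99999:7:::
EOF

for f in "$SAMPLE_DIR"/shadow.*; do
    if root_has_blank_password "$f"; then
        echo "$f: root has a BLANK password"
    else
        echo "$f: root password field is set or locked"
    fi
done

# Against a real image (assumes the image ships cat and /etc/shadow):
#   docker run --rm --entrypoint cat composer:<tag> /etc/shadow > shadow.txt
#   root_has_blank_password shadow.txt && echo vulnerable
```

A locked root account (password field "!" or "*") is reported as not blank, which is the state a fixed image should show.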

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful root login attempts in auth logs
  • Multiple authentication failures followed by success

Network Indicators:

  • SSH brute force attempts targeting root user
  • Unexpected outbound connections from containers

SIEM Query:

source="auth.log" AND (("root" AND "Accepted password") OR ("root" AND "authentication failure"))
