CVE-2020-35185

9.8 CRITICAL

📋 TL;DR

CVE-2020-35185 allows remote attackers to gain root access to systems running vulnerable Ghost Docker images by using a blank password. This affects deployments using official Ghost Docker images before version 2.16.1-alpine. Attackers can achieve complete system compromise through this authentication bypass vulnerability.

💻 Affected Systems

Products:
  • Ghost Docker Official Images
Versions: All versions before 2.16.1-alpine
Operating Systems: Alpine Linux (specific to alpine variant)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Alpine-specific Docker images. Other Ghost Docker variants are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with root privileges, allowing installation of persistent backdoors, data theft, cryptomining, or ransomware deployment.

🟠 Likely Case: Unauthorized root access leading to container escape, privilege escalation, and lateral movement within the Docker environment.

🟢 If Mitigated: Limited impact if containers run with non-root users, proper network segmentation, and strong access controls are implemented.

🌐 Internet-Facing: HIGH - Directly exposed containers can be compromised without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but doing so requires network access to the container.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply attempt to authenticate with a blank password. Public references and PoCs exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.16.1-alpine and later

Vendor Advisory: https://github.com/docker-library/ghost/issues/218

Restart Required: Yes

Instructions:

1. Stop the vulnerable container.
2. Pull the updated image: docker pull ghost:2.16.1-alpine
3. Recreate the container with the updated image.
4. Verify no blank root password exists.

🔧 Temporary Workarounds

Set root password manually

Manually set a strong password for the root user inside the container:

docker exec -it <container_name> passwd root

Run as non-root user

Configure the container to run as a non-root user to limit impact:

docker run --user 1000:1000 ghost:<version>

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Ghost container
  • Monitor for authentication attempts and root access patterns in container logs

🔍 How to Verify

Check if Vulnerable:

1. Check whether the container uses an affected version: docker images | grep ghost
2. Test for a blank password: docker exec -it <container> su root (enter a blank password).

Check Version:

docker images --format '{{.Repository}}:{{.Tag}}' | grep ghost

Verify Fix Applied:

After the update, an attempt to authenticate with a blank password should fail. Verify that the image version is 2.16.1-alpine or later.
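
A non-interactive form of the blank-password check, added here as an example (it is not code from the Ghost or Docker projects): it classifies the root entry of /etc/shadow directly instead of relying on a su prompt. The function names and the sample shadow lines are constructed for illustration; check_image assumes the docker CLI is installed and that the image contains cat.

```shell
#!/bin/sh
# Classify the root entry of an /etc/shadow file read from stdin.
# Prints one of: blank | locked | set | missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          state = "blank"   # empty field: no password required
            else if ($2 ~ /^[!*]/) state = "locked"  # "!" or "*": no usable hash
            else                   state = "set"     # a password hash is present
            exit
        }
        END { print (found ? state : "missing") }
    '
}

# Read /etc/shadow out of an image without running its normal entrypoint.
# Returns non-zero when the image ships a blank root password.
# Usage: check_image ghost:<version>
check_image() {
    state=$(docker run --rm --entrypoint cat "$1" /etc/shadow | root_password_state)
    printf '%s: root password is %s\n' "$1" "$state"
    [ "$state" != "blank" ]
}

# Constructed sample input (not copied from any real image).
SAMPLE_VULNERABLE='root:::0:::::
bin:!::0:::::
node:!:18000:0:99999:7:::'

SAMPLE_FIXED='root:!::0:::::
bin:!::0:::::
node:!:18000:0:99999:7:::'
```

Because check_image returns non-zero on a blank root password, it can gate a deployment script or CI job for every Ghost tag in use.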

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with blank password
  • Successful root login from unexpected sources
  • Container escape attempts

Network Indicators:

  • Unusual SSH or authentication traffic to container ports
  • Connection attempts from unexpected IP ranges

SIEM Query:

source="docker" AND ((event="authentication" AND result="success" AND user="root") OR (event="container_escape"))
