CVE-2020-35192
📋 TL;DR
Official Vault Docker images before 0.11.6 ship with a blank password for the root user in the image's /etc/shadow. Anything inside such a container that authenticates against /etc/shadow (a login service such as sshd added to the image, PAM, a setuid su or login) accepts root with an empty password, which is a complete authentication bypass. It affects anyone running an official Vault image older than 0.11.6.
💻 Affected Systems
- HashiCorp Vault Docker Official Image
📦 What is this software?
Vault by HashiCorp, a secrets-management server. The official Docker image packages the Vault server binary on an Alpine Linux base; the defect is in the image's OS user database, not in Vault itself.
⚠️ Risk & Real-World Impact
Worst Case
Root inside the container: read Vault's configuration, TLS keys and any local storage or in-memory secrets the process can reach, tamper with the binary or config, and use the root foothold to attack the host or neighbouring containers (as far as capabilities and mounts allow).
Likely Case
Unauthorized root access to the Vault container, exposing Vault's configuration and any secrets it holds on local storage or in memory.
If Mitigated
Limited impact if the container exposes no OS login path (the stock image runs only Vault on port 8200), runs as a non-root user and is network-isolated; the blank root entry still exists until the image is updated or the root account is locked.
🎯 Exploit Status
No exploit tooling or skill is needed: whoever can reach an authentication path backed by the container's /etc/shadow (an sshd added to the image, PAM, a setuid su or login from a foothold as the unprivileged vault user) logs in as root with an empty password. The stock image ships no such listener, so reachability depends on how the image was extended and exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.6 and later
Vendor Advisory: https://github.com/hashicorp/docker-vault/releases/tag/v0.11.6
Restart Required: Yes
Instructions:
1. Stop the vulnerable Vault container.
2. Pull the updated image: docker pull vault:0.11.6
3. Recreate your container using the new image.
4. Verify the fix by checking the image version.
🔧 Temporary Workarounds
Run as non-root user
Start the container with a non-root user so the Vault process never holds root; make sure any mounted volumes are writable by that UID.
docker run --user 1000:1000 vault:your_version
Lock the root account
The image has no ROOT_PASSWORD variable; instead build a derived image that locks root, so no password (blank or otherwise) matches its /etc/shadow entry.
printf 'FROM vault:your_version\nRUN passwd -l root\n' | docker build -t vault:your_version-rootlocked -
🧯 If You Can't Patch
- Attach the container only to a user-defined Docker network and publish no port other than Vault's 8200; never add sshd or another login service to the image
- Implement strict firewall rules so that only authorized systems can reach the Vault container
🔍 How to Verify
Check if Vulnerable:
Check your Docker image version: docker images | grep vault. If the tag is earlier than 0.11.6 (compare numerically: 0.9.x is older than 0.11.6), you are vulnerable. The authoritative check is the root entry in the image's /etc/shadow: an empty second field means a blank password.
Check Version:
docker images --format '{{.Repository}}:{{.Tag}}' | grep vault
Verify Fix Applied:
After updating, confirm the running container's image tag is 0.11.6 or later and that root's entry in /etc/shadow no longer has an empty password field; if you expose any login service, confirm that root with an empty password is rejected.
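The version check and the /etc/shadow check described in the Fix and Verify sections, as an added example (not from the advisory and not HashiCorp's code): a POSIX shell script with three functions that run offline, plus a wrapper that applies them to a local image through docker. It assumes the image starts as root, which the stock entrypoint relies on before dropping to the vault user, so overriding the entrypoint with sh can read /etc/shadow; the sample shadow lines and the script name check_vault_image.sh are constructed for this example. Tag comparison is numeric per component, which a plain string comparison gets wrong (it ranks 0.9.x above 0.11.6).

```shell
#!/bin/sh
# Added example for CVE-2020-35192 (not from the advisory, not HashiCorp code).
# Offline checks: numeric tag comparison against 0.11.6 and inspection of the root
# entry in /etc/shadow. check_image wires both to a local image through docker.

# version_ge A B: exit 0 when dotted version A is numerically >= B.
# Handles unequal lengths (1.0 vs 1.0.0) and treats non-numeric parts as 0.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a='' || a="${a#*.}"
        [ "$b" = "$bi" ] && b='' || b="${b#*.}"
        case "$ai" in ''|*[!0-9]*) ai=0 ;; esac
        case "$bi" in ''|*[!0-9]*) bi=0 ;; esac
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# tag_fixed IMAGE_REF: 0 when the tag is 0.11.6 or later, 1 when older (vulnerable),
# 2 when the reference carries no usable version (no tag, :latest, a digest, or a
# registry port without a tag) and the image itself must be inspected.
tag_fixed() {
    ref="$1"
    case "$ref" in
        *@*) return 2 ;;                 # digest reference: nothing to compare
        *:*) tag="${ref##*:}" ;;
        *)   return 2 ;;                 # implicit :latest
    esac
    case "$tag" in */*) return 2 ;; esac # "localhost:5000/vault": that colon was a port
    num=$(printf '%s\n' "$tag" | sed 's/^v//; s/[^0-9.].*$//')  # 0.11.5-rc1 -> 0.11.5
    [ -n "$num" ] || return 2            # "latest", "dev": no number at all
    if version_ge "$num" 0.11.6; then return 0; fi
    return 1
}

# shadow_root_blank SHADOW_TEXT: 0 when root's password field is empty (the CVE
# condition), 1 when it holds a hash or a lock marker (! or *) or root is absent.
shadow_root_blank() {
    line=$(printf '%s\n' "$1" | grep '^root:' | head -n 1)
    [ -n "$line" ] || return 1
    rest="${line#root:}"
    field="${rest%%:*}"
    [ -z "$field" ]
}

# Constructed sample /etc/shadow contents (not captured from a real image): the first
# has the defect (empty second field for root), the second a locked root account.
SAMPLE_SHADOW_VULN='root::18000:0:99999:7:::
vault:!:18000:0:99999:7:::'
SAMPLE_SHADOW_FIXED='root:!::0:::::
vault:!:18000:0:99999:7:::'

# check_image IMAGE_REF: 0 = not affected, 1 = vulnerable, 2 = could not check.
# Overrides the entrypoint with sh to read /etc/shadow; assumes the image starts as
# root (the stock entrypoint does, and only then drops to the vault user). Needs docker.
check_image() {
    ref="$1"
    rc=0; tag_fixed "$ref" || rc=$?
    case "$rc" in
        0) echo "$ref: tag is 0.11.6 or later (fixed per advisory)" ;;
        1) echo "$ref: tag is older than 0.11.6 (vulnerable)" ;;
        *) echo "$ref: no usable version in tag, inspecting /etc/shadow" ;;
    esac
    shadow=$(docker run --rm --entrypoint sh "$ref" -c 'cat /etc/shadow') || return 2
    if shadow_root_blank "$shadow"; then
        echo "$ref: root has an EMPTY password field in /etc/shadow -> vulnerable"
        return 1
    fi
    echo "$ref: root password field is set or locked -> OK"
    return 0
}

# Usage (script name assumed): sh check_vault_image.sh vault:0.11.5 vault:0.11.6
# Exits 1 if any listed image is vulnerable or could not be checked.
if [ "$#" -gt 0 ]; then
    status=0
    for img in "$@"; do
        rc=0; check_image "$img" || rc=$?
        [ "$rc" -eq 0 ] || status=1
    done
    exit "$status"
fi
```

The tag check alone is not sufficient: a tag such as latest or a digest says nothing about the version, and a derived image may have locked root without changing the tag, so the /etc/shadow inspection is the result to trust.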
📡 Detection & Monitoring
Log Indicators:
- OS-level login or su attempts for root inside a Vault container (visible only if the container runs a login service or forwards its auth logs; Vault's own log does not record them)
- Any successful root login, since a blank password leaves no failed attempts behind
- Shells or processes running as root inside the container other than the entrypoint (Vault itself runs as the vault user)
Network Indicators:
- Connections to Vault's API port 8200 from hosts that should not reach it (8200 is the Vault API, not an OS login path)
- SSH or other remote access attempts to the container; the stock image runs no such service, so any listener besides 8200 is itself an indicator
SIEM Query:
(source="docker" AND event="authentication" AND user="root" AND result="success") OR (event="container_start" AND image="*vault*" AND version<"0.11.6")
The second clause only works if the version field is compared numerically; a plain string comparison ranks 0.9.x above 0.11.6. If your SIEM compares strings, enumerate the affected tags instead.