CVE-2020-35462
📋 TL;DR
CVE-2020-35462: the CoScale agent Docker image, version 3.16.0, ships with a blank password for the root account. Anyone who can reach an authentication path into an affected container, whether an SSH service exposed from the container or a `su` from a less-privileged process already running inside it, becomes root without knowing any credential. Every system deployed from the vulnerable image is affected, and the result is complete control of the container.
💻 Affected Systems
- CoScale agent Docker image
📦 What is this software?
CoScale agent is the containerised monitoring agent for the CoScale platform; the CVE record lists the product as "Coscale Agent" by the "Coscale Agent Project".
⚠️ Risk & Real-World Impact
Worst Case
Full container compromise leading to lateral movement, data exfiltration, ransomware deployment, or persistent backdoor installation across the container environment.
Likely Case
Unauthorized root access inside the container, allowing privilege escalation, configuration changes, and a foothold for container escape. Root in the container is not by itself a host compromise: whether escape is possible depends on how the container was run (privileged mode, host path mounts, added capabilities), but monitoring agents are frequently deployed with exactly those settings.
If Mitigated
Limited impact if containers are properly isolated, network access is restricted, and security monitoring detects authentication attempts.
🎯 Exploit Status
Exploitation needs no tooling: any code path that authenticates the root account against the image's password database succeeds with an empty password. Over the network that means an SSH daemon, if the image exposes one and it permits empty passwords; locally it means `su -` or `login` from any process already inside the container. Whether a given service honours the blank entry depends on its own settings (sshd's PermitEmptyPasswords, PAM's nullok), so the vulnerable image must be treated as exploitable wherever it runs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.16.0
Reference (researcher disclosure, not a vendor advisory): https://github.com/donghyunlee00/CVE/blob/main/CVE-2020-35462
Restart Required: Yes
Instructions:
1. Stop all containers using CoScale agent 3.16.0.
2. Pull the updated CoScale agent image.
3. Before redeploying, confirm in the new image that the root entry in /etc/shadow has a non-empty (preferably locked) password field.
4. Redeploy containers with the patched version.
5. Verify that no container is still running the vulnerable version.
🔧 Temporary Workarounds
Set root password
Linux: set a strong password for the root user inside the container (run the exec interactively so the password prompt reaches you), or lock the account outright (passwd -l root) if nothing needs to authenticate as root by password.
docker exec -it <container_name> passwd root
Disable root SSH access
Linux: only relevant if the image actually runs an SSH daemon. Rewrite the directives whether they are active or commented out (sshd uses the first value it finds for a keyword, so appending to the end of the file does not override an earlier setting), and forbid empty passwords as well. If neither line exists, OpenSSH's defaults (prohibit-password, PermitEmptyPasswords no) already apply.
docker exec <container_name> sed -i -E 's/^#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/; s/^#?[[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
docker exec <container_name> service ssh restart
(If the image has no service manager, send the running sshd a SIGHUP instead so it re-reads its configuration.)
🧯 If You Can't Patch
- Isolate vulnerable containers in separate network segments with strict firewall rules
- Do not publish SSH or any other login service from the container; if one must be reachable, put it behind network-level authentication (VPN, bastion host, or mutual TLS) so that an empty root password is never the only barrier
🔍 How to Verify
Check if Vulnerable:
Check running containers (the tag shown by docker ps is whatever the container was started from, so a container started from :latest or from a locally retagged image will not match; also inspect the image the container was actually created from and, ideally, the root entry in its /etc/shadow):
docker ps --format '{{.Names}} {{.Image}}' | grep coscale-agent | grep 3.16.0
Check Version:
docker inspect --format '{{.Config.Image}} {{.Image}}' <container_name>
(The first field is the image reference the container was started from, the second the image ID; compare the ID against the ID of the pulled 3.16.0 image rather than trusting the tag alone.)
Verify Fix Applied:
No running container references the 3.16.0 image, and in each redeployed container the root line of /etc/shadow has a non-empty password field (a locked account shows "!" or "*" there). If the image exposes SSH, additionally confirm that a login as root with an empty password is refused.
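As an added example (not CoScale's tooling and not part of the page's reference), the following POSIX shell script combines the two checks above: it flags containers whose image reference names the 3.16.0 tag and, independently, reads each container's /etc/shadow and classifies the root password field, the check that still works when the tag is hidden behind :latest or a local retag. The image name coscale/coscale-agent, the container names, and the sample shadow lines are assumptions constructed for the example; reading /etc/shadow through docker exec assumes the exec runs as root inside the container, which is the usual case for an agent image.

```shell
#!/bin/sh
# Added example: audit running containers for CVE-2020-35462.
# Two independent checks, because an image tag alone is not reliable
# (a container started from ":latest" or a locally retagged image hides 3.16.0):
#   1. the image reference names the vulnerable tag
#   2. the root entry in the container's /etc/shadow has an empty password field
# The image name pattern "coscale-agent" is an assumption; adjust it to your registry.

# image_is_vulnerable IMAGE_REF -> exit 0 if the reference names the 3.16.0 tag
image_is_vulnerable() {
  case "$1" in
    *coscale-agent:3.16.0|*coscale-agent:3.16.0@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# shadow_root_status: read /etc/shadow on stdin, print the root password state.
#   BLANK   empty hash field: no password is needed (this CVE)
#   LOCKED  field starts with ! or *: password authentication disabled
#   SET     a real hash is present
#   MISSING no root entry at all
# Whether BLANK is actually exploitable depends on the service (sshd's
# PermitEmptyPasswords, PAM's nullok); treat it as vulnerable regardless.
shadow_root_status() {
  awk -F: '
    $1 == "root" {
      found = 1
      if ($2 == "") { print "BLANK" }
      else if ($2 ~ /^[!*]/) { print "LOCKED" }
      else { print "SET" }
      exit
    }
    END { if (!found) print "MISSING" }'
}

# audit_container NAME: run both checks against one running container.
# docker exec runs as the container's default user; reading /etc/shadow
# therefore assumes that user is root (true for typical agent images).
audit_container() {
  name=$1
  image=$(docker inspect --format '{{.Config.Image}}' "$name")
  status=$(docker exec "$name" cat /etc/shadow 2>/dev/null | shadow_root_status)
  if image_is_vulnerable "$image" || [ "$status" = "BLANK" ]; then
    echo "VULNERABLE $name image=$image root=$status"
  else
    echo "ok         $name image=$image root=$status"
  fi
}

# Scan every running container whose image name contains "coscale-agent".
# Only runs when invoked as "./audit.sh --scan", so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
  docker ps --format '{{.Names}} {{.Image}}' | awk '/coscale-agent/ { print $1 }' |
  while read -r cname; do audit_container "$cname"; done
fi
```

Run it on a Docker host as `./audit.sh --scan`; any line beginning with VULNERABLE needs the container stopped and redeployed. A container reported as `ok` with `root=LOCKED` is the state the fixed image should produce; `root=SET` means someone has applied the set-password workaround rather than the patch.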
📡 Detection & Monitoring
Log Indicators:
- "Failed password for root" entries from sshd (the daemon never logs the password that was tried, so a blank-password attempt looks like any other failed password; the signal is password authentication against root at all)
- "Accepted password for root" from sshd, or a su-to-root session (pam_unix "session opened for user root"), from an unexpected source
- Multiple authentication attempts against the root account within a short window
Network Indicators:
- SSH connections to container ports from unauthorized sources
- Unusual outbound connections from containers
SIEM Query:
source="docker" AND user="root" AND ((event="authentication" AND result="success") OR event="ssh")
(The inner parentheses matter: without them AND binds tighter than OR and the query silently matches every SSH event for root, successful or not.)
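The log indicators above, turned into something runnable as an added example (not part of the original page or of any vendor tooling): an awk filter that extracts password-based root authentication events from sshd and su log lines, plus a one-line alert predicate for the case that matters here, a success. The log lines are constructed samples using documentation addresses; the sshd lines follow OpenSSH's standard "Accepted/Failed password for" messages and the su line follows util-linux su's "(to root)" format.

```shell
#!/bin/sh
# Added example: detection logic for the indicators listed above.
# Sample lines are constructed for this example; hosts and addresses are not real.
SAMPLE_AUTH_LOG='Jan 10 12:00:01 app-1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 app-1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:01:10 app-1 su: (to root) app on pts/0
Jan 10 12:02:00 app-1 sshd[2290]: Accepted publickey for deploy from 10.0.0.7 port 40000 ssh2'

# root_auth_events: stdin = syslog-style auth lines; stdout = TYPE<TAB>SOURCE
#   ROOT_SSH_FAIL / ROOT_SSH_SUCCESS  password authentication against root over SSH, with source IP
#   ROOT_SU                           su to root inside the container, with the originating user
# Key-based logins and other accounts are ignored on purpose: the CVE is about
# the root password, so password-auth events on root are the signal.
root_auth_events() {
  awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) password for root from / {
      type = ($0 ~ /Accepted/) ? "ROOT_SSH_SUCCESS" : "ROOT_SSH_FAIL"
      sub(/.* password for root from /, "")     # leaves "IP port N ssh2"
      split($0, w, " ")
      print type "\t" w[1]
      next
    }
    / su: \(to root\) / {
      sub(/.*\(to root\) /, "")                  # leaves "user on tty"
      split($0, w, " ")
      print "ROOT_SU\t" w[1]
      next
    }'
}

# alert_on_root_success: exit 0 (alert) if any successful root password login
# or su-to-root appears on stdin. On a 3.16.0 container a single success is an
# incident, not a brute-force statistic, because the password is empty.
alert_on_root_success() {
  root_auth_events | grep -q -E '^(ROOT_SSH_SUCCESS|ROOT_SU)'
}
```

Feed it the container's auth log (or the host's, if the container logs to the host's journal): `printf '%s\n' "$SAMPLE_AUTH_LOG" | root_auth_events` prints one line per root password event with its source, which is what a SIEM rule should key on; `alert_on_root_success` is the same thing reduced to a yes/no suitable for a cron-driven check.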