CVE-2020-35466

9.8 CRITICAL

📋 TL;DR

The Blackfire Docker image through December 14, 2020 contains a blank root password, allowing remote attackers to gain root access without authentication. This affects any system running the vulnerable Blackfire container image. Attackers can achieve complete system compromise through this authentication bypass vulnerability.

💻 Affected Systems

Products:
  • Blackfire Docker image
Versions: All versions through 2020-12-14
Operating Systems: Linux (containerized)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Blackfire Docker images, not the Blackfire software itself when installed through other methods.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, allowing installation of persistent backdoors, data exfiltration, and lateral movement to other systems.

🟠 Likely Case

Remote attackers gain root shell access to the container, enabling them to execute arbitrary commands, steal sensitive data, and pivot to other systems.

🟢 If Mitigated

If proper network segmentation and access controls are in place, impact may be limited to the container itself without affecting the host system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only SSH or direct container access with blank password authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Images after 2020-12-14

Vendor Advisory: https://github.com/blackfireio/docker

Restart Required: Yes

Instructions:

1. Pull the latest Blackfire Docker image.
2. Stop and remove the vulnerable container.
3. Deploy new container using the updated image.
4. Verify the fix by attempting to authenticate with blank password.

🔧 Temporary Workarounds

Set root password

linux

Manually set a strong password for the root user within the container

docker exec -it <container_name> passwd root

Disable root SSH access

linux

Modify SSH configuration to prevent root login

docker exec -it <container_name> sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
docker exec -it <container_name> service ssh restart

🧯 If You Can't Patch

  • Implement strict network access controls to limit container exposure
  • Monitor for SSH authentication attempts with blank passwords

🔍 How to Verify

Check if Vulnerable:

Attempt SSH login to container with 'root' username and blank password

Check Version:

docker images | grep blackfire

Verify Fix Applied:

Verify SSH login with blank password fails and requires authentication
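
The same condition can be checked without a login attempt by reading the image's /etc/shadow and looking for an empty password field. The script below is an added example, not part of the original advisory or vendor code; the function names and the sample shadow lines are constructed, and audit_image assumes the docker CLI is available and the image ships cat.

```shell
#!/bin/sh
# Added example (not vendor code): find accounts with an empty password
# field in shadow(5) data, the condition CVE-2020-35466 describes for root.

# Read shadow-format lines on stdin and print every account whose second
# colon-separated field (the password hash) is empty. Values such as "*",
# "!" or a "$6$..." hash are not blank and are not reported.
blank_password_accounts() {
    awk -F: '
        /^#/ || $0 == ""    { next }       # skip comments and empty lines
        NF >= 2 && $2 == "" { print $1 }   # empty hash field: no password needed
    '
}

# Succeed (exit 0) when account $1 has a blank password in the data on stdin.
account_is_blank() {
    blank_password_accounts | grep -qx -- "$1"
}

# Print blank-password accounts found in an image's /etc/shadow.
# $1 is the image reference you deploy (assumption: the image ships `cat`).
# Overriding the entrypoint keeps the image's own services from starting.
audit_image() {
    docker run --rm --entrypoint cat "$1" /etc/shadow | blank_password_accounts
}

# Constructed sample data, not taken from any real image.
SAMPLE_BLANK_ROOT='root:::0:::::
daemon:*:18610:0:99999:7:::
# comment line
app:!:18610:0:99999:7:::'

SAMPLE_LOCKED_ROOT='root:!:18611:0:99999:7:::
daemon:*:18610:0:99999:7:::
app:$6$constructedsalt$constructedhash:18610:0:99999:7:::'

for name in SAMPLE_BLANK_ROOT SAMPLE_LOCKED_ROOT; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | account_is_blank root; then
        echo "$name: root has a BLANK password"
    else
        echo "$name: root password field is set or locked"
    fi
done
```

Run audit_image with the image reference in use before and after pulling the updated image; any account name it prints has a blank password.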

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts
  • Successful SSH logins with blank password
  • Root user login events

Network Indicators:

  • SSH connections to container ports
  • Unusual outbound connections from container

SIEM Query:

source="auth.log" AND (user="root" AND (password="" OR authentication="none"))
