Cyber Security Trends May 2019

This posting is here to collect cyber security news in May 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.



  1. Tomi Engdahl says:

    Secretary General gives keynote speech on NATO’s adaptation to cyber threats

    NATO Secretary General Jens Stoltenberg addressed a conference at the National Cyber Security Centre in London on Thursday (23 May 2019) on how the Alliance is countering cyber threats.

  2. Tomi Engdahl says:

    Directed attacks against MySQL servers deliver ransomware

    Someone is attacking internet-facing Windows database servers with GandCrab ransomware

  3. Tomi Engdahl says:

    .htaccess Injector on Joomla and WordPress Websites

    During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors

    While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.

    This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.

  4. Tomi Engdahl says:

    Uncovering New Activity By APT10

    In April 2019, enSilo detected what it believes to be new activity by Chinese cyber espionage group APT10.

  5. Tomi Engdahl says:

    HawkEye Malware Operators Renew Attacks on Business Users

    IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. The industries targeted in April 2019 campaigns observed by X-Force included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

    HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors. Botnet monetization of this sort is rather common nowadays, with various gangs collaborating with one another to maximize their potential profits.

  6. Tomi Engdahl says:

    Intense scanning activity detected for BlueKeep RDP flaw
    A threat actor hidden behind Tor nodes is scanning for Windows systems vulnerable to BlueKeep flaw.

    Threat actors have started scanning the internet for Windows systems that are vulnerable to the BlueKeep (CVE-2019-0708) vulnerability.

    This vulnerability impacts the Remote Desktop Protocol (RDP) service included in older versions of the Windows OS, such as XP, 7, Server 2003, and Server 2008.

  7. Tomi Engdahl says:

    CI build logs continue to expose company secrets
    Team of researchers finds GitHub access tokens for various companies inside Travis CI build logs.

    Security researchers are still finding secrets hidden deep inside continuous integration services, years after the issue become common knowledge.

    Continuous integration (CI) is a coding methodology that requires programmers to integrate their in-dev code back into the main app at various intervals. This code is compiled/built back into a copy of the production system, and the code is tested for bugs using automated systems.

    The purpose of CI is to find bugs as early as possible in the coding process and detect them before they’re too deeply embedded into the rest of the project, at which point it may require extensive rewrites.

    During the build process, interactions with various remote servers and APIs is necessary, and passwords, SSH keys, or API tokens can be used — and inherently remain recorded in Travis CI logs.

  8. Tomi Engdahl says:

    US to reportedly blacklist Chinese surveillance camera giant Hikvision

    The reported ban on Hikvision comes at a time when US is restricting technology exports to several leading Chinese technology companies, including Huawei.

    The Trump administration is considering slapping a US export ban on China’s Hikvision, one of the world’s largest surveillance companies, the New York Times reported on Tuesday, citing unidentified sources familiar with the matter.

  9. Tomi Engdahl says:

    China has reportedly equipped about 200 million surveillance cameras around the nation, amounting to approximately 1 camera per 7 citizens. Surveillance cameras in China are mostly used for security and traffic control purposes, as well as for catching criminals through AI technologies.


  10. Tomi Engdahl says:

    Windows 10 May 2019 Update installation stops on some AMD systems
    AMD RAID drivers blamed for stopping Windows 10 v1903 updates.

  11. Tomi Engdahl says:

    Már Másson Maack / The Next Web:
    Estonia’s Ambassador at Large for Cybersecurity talks about “cyber diplomacy” and the need to establish “arms control” for cyberwarfare among Western nations

    What the hell is a ‘cyber diplomat’?

    went to Tallinn to speak with Estonia’s first Ambassador at Large for Cybersecurity, Heli Tiirmaa-Klaar — often described as Estonia’s heavy-hitter in the field of cyber diplomacy — to get the details on how this new frontier in diplomacy works, why Estonia is leading it, and what being a cyber diplomat actually means.

    First up, cyber diplomacy…? Although the name might seem like a weird amalgamation of sci-fi and bureaucracy, it’s actually one of the most important fields in geopolitics today. In its simplest form, cyber diplomacy is diplomacy in the cyber domain (incredibly informative, I know).

    This basically means is that nation states are finally waking up to the importance of cyberspace (fun word for our computer/online/virtual world) and how it relates to national interests. Cyber diplomacy spans everything from security to trade, from freedom to governance. Stuff is happening to us via computers and countries want a say in how it happens.

    And how do governments make sure they have a say, you ask? Through cyber diplomats.

    Taming the digital Wild West

    The reason why all of ‘cyber’ has been grouped separately when it comes to diplomacy is that we’re lacking the basic foundational rules we’ve established in other fields of geopolitics as a global society. You invade another country? Nope, not allowed. Don’t bother to clean up an oil spill? Think again, pal.

    In cyberspace, it’s far from being this clear. We’re still struggling with basic questions like what constitutes an ‘attack’ in cyberwarfare

  12. Tomi Engdahl says:

    Siemens Medical Products Affected by Wormable Windows Flaw

    Several products made by Siemens Healthineers, a Siemens company that specializes in medical technology, are affected by a recently patched Windows vulnerability tracked as CVE-2019-0708 and BlueKeep.

    The vulnerability impacts the Windows Remote Desktop Services (RDS) and it was fixed by Microsoft with its May 2019 Patch Tuesday updates.

  13. Tomi Engdahl says:

    Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information

    Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens’ personal information that it stores.

  14. Tomi Engdahl says:

    GitHub Adds New Tools to Help Developers Secure Code

    Microsoft-owned GitHub on Thursday announced the introduction of several new security tools and features designed to help developers secure their code.

    The code hosting service in 2017 launched a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities. Since the introduction of the security alerts has resulted in significantly fewer vulnerable code libraries on the platform, GitHub has continued to make improvements and it has now announced even more enhancements as a result of a partnership with WhiteSource.

    The partnership helps GitHub broaden coverage of security flaws in open source projects and allows it to provide even more details that should help developers assess and address vulnerabilities.

  15. Tomi Engdahl says:

    Microsoft Defender ATP for Mac Now in Public Preview

    Microsoft’s unified endpoint security solution is now publicly available for Mac users, following two months of limited preview.

    Dubbed Microsoft Defender ATP for Mac, the tool has seen great response from users since the limited preview kicked off in March, and Microsoft is ready to make it available for more people.

  16. Tomi Engdahl says:

    Microsoft Brings Hardware-Based Isolation to Chrome, Firefox

    Microsoft this week made the Windows Defender Application Guard extensions generally available, which now provides hardware-based isolation to all Chrome and Firefox users on Windows 10.

    First introduced in 2017 and designed to isolate browser-based attacks, the container technology has been available only to Microsoft Edge until earlier this year, when Microsoft released the Windows Defender Application Guard extensions to Windows Insiders.

  17. Tomi Engdahl says:

    The radio navigation planes use to land safely is insecure and can be hacked
    Radios that sell for $600 can spoof signals planes use to find runways.

  18. Tomi Engdahl says:

    Auction for a laptop full of malware closes at $1.3 million (updated)
    The work of art is meant to give physical form to abstract digital threats.

  19. Tomi Engdahl says:

    Eduard Kovacs / SecurityWeek:
    Researcher finds about a million older Windows devices currently vulnerable to the wormable Remote Desktop flaw BlueKeep, amid spike in port scanning activity

    One Million Devices Vulnerable to BlueKeep as Hackers Scan for Targets

    Nearly one million devices are vulnerable to attacks involving the Windows vulnerability dubbed BlueKeep and it appears that hackers have already started scanning the web in search of potential targets.

    The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and it was addressed by Microsoft with its May 2019 Patch Tuesday updates. The flaw has been described as wormable and it can be leveraged by malware to spread similar to the way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit.

    An unauthenticated attacker can use the flaw to execute arbitrary code and take control of a machine without any user interaction by sending specially crafted requests via the Remote Desktop Protocol (RDP).

    Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

    Many expect to see attacks involving BlueKeep at any moment as several proof-of-concept (PoC) exploits have already been developed — although, none of the PoC exploits has been made public. Industrial and medical products are also at risk.

    “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines,” Graham said in a blog post.

    Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708)

    Microsoft announced a vulnerability in it’s “Remote Desktop” product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it’ll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 — potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.

    There are two things you should do to guard yourself. The first is to apply Microsoft’s patches, including old Windows XP, Windows Vista, and Windows 7 desktops and servers.

    More importantly, for large organizations, is to fix their psexec problem that allows such things to spread via normal user networking. You may have only one old WinXP machine that’s vulnerable, that you don’t care if it gets infected with ransomware. But, that machine may have a Domain Admin logged in, so that when the worm breaks in, it grab those credentials and uses them to log onto the Domain Controller. Then, from the Domain Controller, the worm sends a copy of itself to all the desktop and servers in the organization, using those credentials instead of the vuln. This is what happened with notPetya: the actual vulnerability wasn’t the problem, it was psexec that was the problem.

    For patching systems, you have to find them on the network. My rdpscan tool mentioned above is good for scanning small networks. For large networks, you’ll probably want to do the same masscan/rdpscan combination

  20. Tomi Engdahl says:

    Chinese Military Will Replace Windows Operating System

    The Chinese regime is getting ready to replace the Windows operating system in its military. The new operating system is independently developed by China, and it would prevent the United States from hacking into China’s military network.

  21. Tomi Engdahl says:

    Baltimore Says It Will Not Pay Ransom After Cyberattack

    The US city of Baltimore, a victim this month of a cyberattack that paralyzed part of its computer network, will not pay a ransom to undo the damage, Mayor Bernard Young said Tuesday.

    Hackers reportedly had demanded $100,000 in bitcoin, but Young told a news conference “I’m not considering” paying it.

    “As a matter of fact, we are going to work with other cities, encouraging them not to pay either,” he said.

  22. Tomi Engdahl says:

    Lokibot via abusing the ngrok proxy service

    It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked.

    What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc.

    One command for an instant, secure URL to your localhost server through any NAT or firewall.

  23. Tomi Engdahl says:

    Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708)

    Microsoft announced a vulnerability in it’s “Remote Desktop” product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it’ll likely compromise those million devices.

  24. Tomi Engdahl says:

    Apple, Google, Microsoft, WhatsApp sign open letter condemning GCHQ proposal to listen in on encrypted chats

    An international coalition of civic society organizations, security and policy experts and tech companies — including Apple, Google, Microsoft and WhatsApp — has penned a critical slap-down to a surveillance proposal made last year by the UK’s intelligence agency, warning it would undermine trust and security and threaten fundamental rights.

    “The GCHQ’s ghost protocol creates serious threats to digital security”

    “These cybersecurity risks mean that users cannot trust that their communications are secure, as users would no longer be able to trust that they know who is on the other end of their communications, thereby posing threats to fundamental human rights, including privacy and free expression. Further, systems would be subject to new potential vulnerabilities and risks of abuse.”

    The pair argued that such an “exceptional access mechanism” could be baked into encrypted platforms to enable end to end encryption to be bypassed by state agencies would could instruct the platform provider to add them as a silent listener to eavesdrop on a conversation — but without the encryption protocol itself being compromised.

    “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”

    However while encryption might technically remain intact in the scenario they sketch, their argument glosses over both the fact and risks of bypassing encryption via fiddling with authentication systems in order to enable deceptive third party snooping.

  25. Tomi Engdahl says:

    How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

    Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

    Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor

  26. Tomi Engdahl says:

    Lindsey O’Donnell / Threatpost:
    Restaurant chain Checkers says hackers breached its systems to install malware on PoS systems across 102 of its locations between December 2015 and April 2019 — The popular Checkers and Rally’s drive-through restaurant chain was attacked by Point of Sale (POS) malware impacting 15 percent of its stores across the U.S

    POS Malware Found at 102 Checkers Restaurant Locations

    One of the most popular U.S. drive-through restaurants has been hit with a data breach due to POS malware.

    The malware is designed to collect data stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.

    The incident impacted 102 stores Checkers across 20 states – which were all exposed at varying dates, including as early as December 2015 to as recently as April 2019

    According to Verizon’s Data Breach Investigations Report, there has been a continual reduction in breaches involving point of sale environments and card skimming operations: With POS malware incidents falling from 63 percent of all retail breaches in 2014 to a mere 6 percent in 2018.

    Despite that, POS continues to plague retail, restaurant and other types of stores.

  27. Tomi Engdahl says:

    The First Public Schools In The US Will Start Using Facial Recognition Next Week

    UPDATE: The New York State Education Department has instructed Lockport to delay its use of facial recognition technology.

    Bradley described the test as an “initial implementation phase” meant to troubleshoot the system, train district officials on its use

    “Aegis is an early warning system that informs staff of threats including guns or individuals who have been identified as not allowed in our buildings,”

    The Lockport pilot comes amid increased scrutiny of facial recognition’s efficacy across the US, including growing civil rights concerns and worries that the tech may serve to further entrench societal biases. Earlier this month, San Francisco banned police from using facial recognition, and similar bills in the US hope to do the same. Amazon has endured persistent pressure — including from its own shareholders — for its aggressive salesmanship of its facial Rekognition system to law enforcement agencies.

    At the same time, reports and studies of facial recognition’s inaccuracies and mistakes

  28. Tomi Engdahl says:

    Teen hacked Apple hoping the company would offer him a job

    hacked into the company’s secure computer system twice hoping to get a job. He is now pleading guilty to multiple computer hacking charges.

    first hacked into Apple’s mainframe in December 2015 when he was just 13 years old. He again hacked the system in early 2017

  29. Tomi Engdahl says:

    Google announces new privacy requirements for Chrome extensions

    Starting this summer, extension developers are required to only request access to the data they need to implement their features — and nothing more. In addition, the company is expanding the number of extension developers who will have to post privacy policies.

  30. Tomi Engdahl says:

    Infected Cryptocurrency-Mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims

    All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner.

  31. Tomi Engdahl says:

    Baltimore encrypted
    May 30, 2019

    In early May, officials in Baltimore, Maryland, encountered ransomware called RobbinHood that encrypted a number of municipal computers. It completely paralyzed some city services.

    Ransomware against cities

    Baltimore is hardly the first and unlikely the last city to be encrypted by ransomware. Last year, a ransomware attack forced administration officials in Atlanta, Georgia, to return to pen-and-paper work for a few days. Not only mayor’s office employees, but also local police officers were offline. The cops had to write out reports by hand. The attackers demanded more than $50,000, but the city did not pay.

    At the end of 2017, the county of Mecklenburg in North Carolina became the victim of other ransomware when an employee opened a malicious mail attachment. As a result, tax and some legal services, as well as many other institutions, suffered. Restoring the damaged systems took nearly a month.

    Consequences of attacks on municipal computers

    It is hard to estimate the scale of the disaster. Modern citizens don’t tend to think about how the scale of routine services taken on by municipal information systems. Therefore, when computers fail, city dwellers are deprived of many common amenities, which in turn may lead to a wave of public discontent.

    Failed services may force residents to postpone important business indefinitely and to visit government departments in person for issues they used to solve in a couple of mouse clicks.

  32. Tomi Engdahl says:

    Framing the Problem: Cyber Threats and Elections

    This year, Canada, multiple European nations, and others will host high profile elections. The topic of cyber-enabled threats disrupting and targeting elections has become an increasing area of awareness for governments and citizens globally. To develop solutions and security programs to counter cyber threats to elections, it is important to begin with properly categorizing the threat. In this post, we’ll explore the various threats to elections FireEye has observed and provide a framework for organizations to sort these activities.

    While there is increasing global awareness of threats to elections, election administrators and others continue to face challenges in ensuring the integrity of the vote.

  33. Tomi Engdahl says:

    Unpatched Flaw Affects All Docker Versions, Exploits Ready

    All versions of Docker are currently vulnerable to a race condition that could give an attacker both read and write access to any file on the host system. Proof-of-concept code has been released.

    The flaw is similar to CVE-2018-15664 and it offers a window of opportunity for hackers to modify resource paths after resolution but before the assigned program starts operating on the resource. This is known as a time-to-check-time-to-use (TOCTOU) type of bug.

  34. Tomi Engdahl says:

    A dive into Turla PowerShell usage

    ESET researchers analyze new TTPs attributed to the Turla group that leverage PowerShell to run malware in-memory only

  35. Tomi Engdahl says:

    CVE-2019-0725: An Analysis of Its Exploitabilit

    May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability (CVE-2019-0708). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725, an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is a different RCE flaw (CVE-2019-0626) that was patched in the DHCP server last February.

    CVE-2019-0725 doesn’t require user interaction, and affects all versions of Windows Server. How bad — and exploitable — is CVE-2019-0725, exactly?

  36. Tomi Engdahl says:

    The Nansh0u Campaign – Hackers Arsenal Grows Stronger

    During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.

    Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

  37. Tomi Engdahl says:

    Apple Patches SQLite, WebKit Bugs in iTunes and iCloud for Windows

    The SQLite flaws include CVE-2019-8577 and CVE-2019-8602, which could allow an application to gain elevated privileges, CVE-2019-8600, which could lead to arbitrary code execution, and CVE-2019-8598, which could allow an application to read restricted memory.

    Tracked as CVE-2019-8607, the first of the WebKit flaws, Apple explains in its advisory, could lead to the disclosure of process memory when processing maliciously crafted web content.

  38. Tomi Engdahl says:

    Cyberattack Hits New Zealand Budget

    The New Zealand government said Wednesday that a “systematic” and “deliberate” cyberattack was behind an embarrassing leak of secret finance documents ahead of this week’s budget.

    New Zealand Says Budget Leak Was Bungled, Not Hacked

    A security breach that led to the premature release of New Zealand’s budget resulted from an online bungle, not a sophisticated cyberattack as originally claimed, red-faced officials admitted Thursday.

    The Treasury department called in police this week after the opposition National Party released parts of the government’s annual budget, which was not due for release until Thursday.

    At the time, Treasury Secretary Gabriel Makhlouf said his department had fallen victim to a “systematic” and “deliberate” hack, rejecting “absolutely” any suggestion the information had been accidentally posted online.

    He was forced into an embarrassing backdown Thursday after police found no evidence that illegal activity was behind the leak.

  39. Tomi Engdahl says:

    Sophisticated HiddenWasp Malware Targets Linux

    A recently uncovered piece of sophisticated malware targeting Linux provides attackers with remote control of the infected systems, Intezer’s security researchers have discovered.

    Called HiddenWasp, the threat is active and enjoys zero-detection rate in all major anti-virus systems, the researchers say. The threat appears to be used in targeted attacks on victims who went through heavy reconnaissance or are already compromised by the attackers.

    HiddenWasp Malware Stings Targeted Linux Systems


    • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.

    • The malware is still active and has a zero-detection rate in all major anti-virus systems.

    • Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.

    • Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.

  40. Tomi Engdahl says:

    Microsoft warns users to patch as exploits for ‘wormable’ BlueKeep bug appear

    Microsoft has issued its second advisory this month urging users to update their systems to prevent a re-run of attacks similar to WannaCry.

  41. Tomi Engdahl says:

    Google white hat hacker found code execution flaw in Notepad

    The popular white hat hacker Tavis Ormandy has announced the discovery of a code execution vulnerability in Microsoft’s Notepad text editor.

  42. Tomi Engdahl says:

    Phila. Court Shuts Down Website, E-Filing Over ‘Virus Intrusion’

    On Tuesday, a virus on ‘a limited number of computers’ in Philadelphia’s court system led to the court shutting down its site and some online filing services as a safety precaution. City officials and the court haven’t said when all systems will go back online.

  43. Tomi Engdahl says:

    HiddenWasp Malware Stings Targeted Linux Systems

    • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.

    • The malware is still active and has a zero-detection rate in all major anti-virus systems.

  44. Tomi Engdahl says:

    CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack

    There is no released Docker version with a fix for this issue at the
    time of writing. I’ve submitted a patch upstream[1] which is still
    undergoing code review, and after discussion with them they agreed that
    public disclosure of the issue was reasonable. Since the SUSE bug report
    contains exploit scripts[2], I’ve attached them here too.

    If an attacker can
    add a symlink component to the path *after* the resolution but *before*
    it is operated on, then you could end up resolving the symlink path
    component on the host as root. In the case of ‘docker cp’ this gives you
    read *and* write access to any path on the host.

    As far as I’m aware there are no meaningful protections against this
    kind of attack (other than not allowing “docker cp” on running
    containers — but that only helps with his particular attack through
    FollowSymlinkInScope). Unless you have restricted the Docker daemon
    through AppArmor, then it can affect the host filesystem — I haven’t
    verified if the issue is as exploitable under the default SELinux
    configuration on Fedora/CentOS/RHEL.


Leave a Comment

Your email address will not be published. Required fields are marked *