A recent vulnerability in the Windows Host Compute Service Shim (hcsshim) library that allows users to import Docker container images in Docker for Windows could have enabled remote code execution on the Windows host.
The open source hcsshim library was developed by Microsoft as a wrapper for use with its Host Compute Service (HCS).
The vulnerability is triggered because the hcsshim library used by a container management service does not properly validate input whenever a container image is imported, potentially triggering the execution of malicious code on the targeted machine.
“Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft,” wrote software developer Michael Hanselmann who reported the vulnerability. “Its use of Go’s filepath.Join function with unsanitized input allowed to create, remove and replace files in the host file system, leading to remote code execution. Importing a Docker container image or pulling one from a remote registry isn’t commonly expected to make modifications to the host file system outside of the Docker-internal data structures.”
Tagged as CVE-2018-8115, it has been dubbed critical by Microsoft, although the chances it would be exploited in the wild are seen as very low.
“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” reads the advisory. “An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”
While full technical details of the vulnerability have yet to be made available, Hanselmann did receive approval from Microsoft to release a proof-of-concept along with technical details on May 9.
The vulnerability has already been fixed with the release of hcsshim 0.6.10 and everyone using Docker for Windows is urged to get this latest version of the library.