Dockercfg Auth

ID

dockercfg

Severity

critical

Vendor

Docker

Family

Password

Description

The old .dockercfg or the new .docker/config.json files contain the configuration for the Docker command-line interface (Docker CLI).

These configuration files may contain sensitive information, like authentication data for proxies and, if no credential store, the credentials for image registries.

Sharing or committing the file to version control should be avoided in general.

Security

Any hardcoded credential for a docker registry is a critical issue when the file is leaked.

It is better to avoid clear-text credentials, even if the configuration file is protected by the OS. When leaked, an attacker might publish malicious images to the registry.

Examples

The following is a simple .docker/config.json file with base-64 encoded (user:pwd) credentials:

{
  "auths": {
    "docker.io": {
      "auth": "QVdTOmhhcmRjb2RlZA==",
    }
  }
}

Mitigation / Fix

  1. Change your DockerHub password and tokens. If you used the same or similar passwords on other online services, change those as well. Use different strong passwords, randomly generated if possible, for each service.

  2. Review if there were additional images published during the exposure window. They might be tainted with malware. Remove suspect images.

  3. It is also advised to check logs and image history to verify that no suspicious access or tampering took place. Check if a collaborator was added to any of the repositories.

  4. Remove the configuration file from the source code or committed configuration file. If not possible, configure a credential store or a credential helper instead of the auths property

  5. Follow your policy for handling leaked secrets when third parties may be affected. In this case, if your images were downloaded by external users, you may need to disclose a security alert publicly.

Reference

https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html