Message-ID: <5EDB84F4B23F5B4DB6500A89258280E0BEBCDB@EX02.corp.qihoo.net>
Date: Thu, 1 Sep 2016 03:42:43 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE Request: docker swarm node DoS occurs when joining a cluster fails using a local CA certificate

Docker swarm mode is used to form a swarm, coordinating tasks. Once a machine joins, it becomes a Swarm Node. Nodes can either be worker nodes or manager nodes.
I found a vulnerability in the latest version of docker which could cause a Denial of Service. I created a CA certificate the same way docker does and loaded it when
executing the command "docker swarm join --token SWMTKN-1-xx ip:port"; however, the distrusted certificate results in the swarm manager failing to authenticate during the
TLS handshake, trapping the node in an infinite loop of session rebuilding. Thus a remote node cannot join the swarm cluster, and even forcing it to leave is in vain; this issue persists
after restarting the docker daemon on the remote node.

# docker version
Client:
Version:      1.12.0-dev
API version:  1.25
Go version:   go1.6.3
Git commit:   9c1be54-unsupported
Built:        Fri Jul 29 15:40:52 2016
OS/Arch:      linux/amd64

Server:
Version:      1.12.0-dev
API version:  1.25
Go version:   go1.6.3
Git commit:   9c1be54-unsupported
Built:        Fri Jul 29 15:40:52 2016
OS/Arch:      linux/amd64

# docker swarm init
Swarm initialized: current node (23m6ksr96whsvuo8lzokenju3) is now a manager.

To add a worker to this swarm, run the following command:
    docker swarm join \
    --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 \
    xx.xx.xx.xx:2377

To add a manager to this swarm, run the following command:
    docker swarm join \
    --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-0p086z2sdbnpvognjmu76gpi6 \
    xx.xx.xx.xx:2377

Log in to the remote node, create a CA certificate and private key the way docker does, then put them in /var/lib/docker/swarm/certificate
named “docker-swarm-ca.xxx”, and execute the following command:
-----------------------------------------------------
# docker swarm join --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 xx.xx.xx.xx:2377
Error response from daemon: Timeout was reached before node was joined. Attempt to join the cluster will continue in the background. Use "docker info" command to see the current swarm status of your node

Some debugging information from the docker daemon:
---------------------------------------------------------
time="2016-09-01T11:07:21.033209029+08:00" level=debug msg="(*session).start" module=agent
time="2016-09-01T11:07:26.043671399+08:00" level=error msg="agent: session failed" error="session initiation timed out" module=agent
time="2016-09-01T11:07:26.043717264+08:00" level=debug msg="agent: rebuild session" module=agent
time="2016-09-01T11:07:28.931724333+08:00" level=debug msg="(*session).start" module=agent
time="2016-09-01T11:07:33.943026665+08:00" level=error msg="agent: session failed" error="session initiation timed out" module=agent
time="2016-09-01T11:07:33.943474051+08:00" level=debug msg="agent: rebuild session" module=agent
… …
Now that we can’t join the swarm cluster, let’s just leave it, but…
# docker swarm leave --force
Error response from daemon: context deadline exceeded

OK, nothing can be done with swarm mode, neither joining nor quitting.

Could you please assign CVE IDs for this security issue?

Best regards,
Kaixiang Zhang of the Cloud Security Team, Qihoo 360
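Added illustration (not part of the original report, and not Docker's or swarmkit's code): the Go program below reproduces the failure mode described in the report on loopback. A stand-in "manager" serves TLS with a certificate issued by one throwaway CA, while the joining "node" trusts only a different, locally generated CA, so the TLS handshake fails with an unknown-authority error. This models one direction of the CA mismatch (the node rejecting the manager's certificate); the client certificate a real swarm join would also present is omitted. The join routine is hypothetical and deliberately does what the agent in the report does not: it treats an untrusted CA as a permanent failure and stops after one attempt, and retries only transient errors (connection refused, timeouts) with bounded exponential backoff. All function names (makeCert, startManager, isPermanent, joinWithRetry) are assumptions of this example, and the certificate generation is a constructed stand-in, not how Docker swarm issues its certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert generates a P-256 key and certificate for cn: a self-signed CA when
// parent is nil, else a 127.0.0.1 server cert signed by parent. Constructed for
// this example only; it is not how Docker swarm issues its certificates.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startManager plays the manager: TLS on a loopback port, one handshake per connection.
func startManager(cert *x509.Certificate, key *ecdsa.PrivateKey) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// isPermanent: retrying cannot help, the manager's cert chains to a CA this node does not trust.
func isPermanent(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA)
}

// joinWithRetry dials the manager trusting only roots, retrying transient errors with
// exponential backoff up to maxAttempts; a CA mismatch aborts at once instead of looping.
func joinWithRetry(addr string, roots *x509.CertPool, maxAttempts int, base time.Duration) (int, error) {
	for attempt := 1; ; attempt++ {
		conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
		if err == nil {
			conn.Close()
			return attempt, nil
		}
		if isPermanent(err) {
			return attempt, fmt.Errorf("join aborted, not retrying: %w", err)
		}
		if attempt >= maxAttempts {
			return attempt, fmt.Errorf("join gave up after %d attempts: %w", attempt, err)
		}
		time.Sleep(base << uint(attempt-1))
	}
}

func main() {
	managerCA, managerKey, _ := makeCert("swarm-root", nil, nil)
	localCA, _, _ := makeCert("node-local-root", nil, nil) // the node's own, distrusted CA
	cert, key, _ := makeCert("manager", managerCA, managerKey)
	ln, err := startManager(cert, key)
	if err != nil {
		panic(err)
	}
	for _, ca := range []*x509.Certificate{managerCA, localCA} {
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		n, err := joinWithRetry(ln.Addr().String(), pool, 5, 10*time.Millisecond)
		fmt.Printf("node trusts %q: attempts=%d err=%v\n", ca.Subject.CommonName, n, err)
	}
}
```

Running it prints one line per trust store: with the manager's CA the join succeeds on the first attempt; with the node's local CA it aborts on the first attempt and the wrapped error carries the x509 unknown-authority failure. Pointing joinWithRetry at a port with no listener exercises the transient path, which gives up after maxAttempts instead of rebuilding the session forever.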
