Remote code execution due to untrusted APK packages in Dockerfile

Severity: Critical Risk | Category: infrastructure-security

Tags: docker, apk, package-management, signature-verification, remote-code-execution, supply-chain-attack, container-security

What it is

Dockerfiles that invoke the apk package manager with the --allow-untrusted flag disable signature verification, so unsigned or tampered packages that could contain malicious code are installed without complaint. This creates a supply chain attack vector: an attacker who controls or compromises a repository can inject backdoors, malware, or vulnerable packages into the image, and that code executes during the build or at runtime, leading to container escape, data exfiltration, and infrastructure compromise.

# VULNERABLE: Dockerfile with untrusted APK packages
FROM alpine:3.18

# VULNERABLE: APK with disabled signature verification
RUN apk add --allow-untrusted curl wget  # VULNERABLE: Bypasses signature checks

# VULNERABLE: Multiple packages without verification
RUN apk add --allow-untrusted \
    python3 \
    py3-pip \
    nodejs \
    npm \
    git  # VULNERABLE: All packages unverified

# VULNERABLE: Custom repository without proper keys
RUN echo "http://untrusted.example.com/alpine/v3.18/main" >> /etc/apk/repositories \
    && apk add --allow-untrusted custom-package  # VULNERABLE: Untrusted repo

# VULNERABLE: Package installation with force update
RUN apk add --allow-untrusted --force-refresh suspicious-tool

# VULNERABLE: Development tools without verification
RUN apk add --allow-untrusted \
    gcc \
    musl-dev \
    linux-headers \
    make

COPY app.py /app/
WORKDIR /app
CMD ["python3", "app.py"]

# SECURE: Dockerfile with verified APK packages
FROM alpine:3.18

# SECURE: Install packages with signature verification
RUN apk add --no-cache curl wget  # SECURE: No --allow-untrusted flag

# SECURE: Install multiple packages with verification
RUN apk add --no-cache \
    python3 \
    py3-pip \
    nodejs \
    npm \
    git  # SECURE: All packages verified

# SECURE: Use official repositories only; fail the build if any other source is listed
RUN ! grep -vE '^(https://dl-cdn\.alpinelinux\.org/alpine/|#|$)' /etc/apk/repositories

# SECURE: Install development tools with verification
RUN apk add --no-cache \
    gcc \
    musl-dev \
    linux-headers \
    make  # SECURE: All packages verified

COPY app.py /app/
WORKDIR /app
CMD ["python3", "app.py"]


Why it happens

Dockerfiles use apk add --allow-untrusted to bypass package signature validation, allowing installation of unsigned or tampered packages from potentially malicious or compromised repositories.

Root causes

Disabled APK Signature Verification

With --allow-untrusted, apk no longer checks each package's signature against the public keys in /etc/apk/keys, so a package served by a compromised or spoofed repository installs exactly like a legitimate one.

Repository Trust Configuration Issues

Container builds rely on untrusted or misconfigured APK repositories that lack proper signing keys, leading developers to disable signature verification to resolve build failures.

Fixes

1. Remove the --allow-untrusted Flag

Remove --allow-untrusted from every apk command and use apk add --no-cache <package> without bypass flags, so that apk enforces signature verification and refuses tampered packages.

2. Configure Trusted APK Repositories

Ensure /etc/apk/repositories contains only trusted HTTPS mirrors whose signing keys are present in /etc/apk/keys, and let the build fail on signature verification errors instead of suppressing them.

3. Use Official Base Images

Start from official Alpine Linux base images, which ship with properly configured package repositories and signing keys, so the container build rests on a trusted foundation.

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution due to untrusted apk packages in Dockerfiles, along with many other security issues in your codebase.
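As an added example (not Sourcery's rule implementation and not code from this page), a small Python checker that applies the rule above to a Dockerfile: it joins backslash-continued RUN lines, inspects each command of an && chain on its own so the flag is still caught after an echo that appends a repository, understands the JSON exec form, and also flags plain-HTTP entries written to /etc/apk/repositories. The sample Dockerfile is constructed for the demonstration.

```python
import json
import re
import shlex
# Constructed sample modelled on the page's vulnerable Dockerfile (not a real project file).
SAMPLE_DOCKERFILE = """\
FROM alpine:3.18
RUN apk add --allow-untrusted curl wget
RUN apk add --no-cache \\
    python3 \\
    git
RUN echo "http://untrusted.example.com/alpine/v3.18/main" >> /etc/apk/repositories \\
    && apk add --allow-untrusted custom-package
RUN ["apk", "add", "--allow-untrusted", "suspicious-tool"]
"""

def logical_lines(dockerfile):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    parts, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        start = n if start is None else start
        if line.endswith("\\"):
            parts.append(line[:-1].rstrip())
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts, start = [], None

def find_untrusted_apk(dockerfile):
    """Return (line_no, message) for each RUN that weakens apk's trust model."""
    findings = []
    for n, instr in logical_lines(dockerfile):
        if not instr.upper().startswith("RUN "):
            continue
        body = instr[4:].strip()
        if body.startswith("["):            # exec form: RUN ["apk", "add", ...]
            commands = [json.loads(body)]
        else:                               # shell form: inspect each command of a
            commands = [shlex.split(cmd)    # &&, || or ; chain on its own
                        for cmd in re.split(r"\s*(?:&&|\|\||;)\s*", body)]
        for argv in commands:
            # --allow-untrusted is a global apk option, so it may precede or follow "add"
            if argv and argv[0].rsplit("/", 1)[-1] == "apk" and "--allow-untrusted" in argv:
                findings.append((n, "apk run with --allow-untrusted: signature checks disabled"))
            if "/etc/apk/repositories" in argv and any(a.startswith("http://") for a in argv):
                findings.append((n, "plain-HTTP repository appended to /etc/apk/repositories"))
    return findings
```

Running it on the sample reports lines 2, 6 (twice: the HTTP repository and the flag) and 8, while the --no-cache block on lines 3-5 is left alone.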