Guidance on CVE-2018-15664 for Azure IoT Edge
Updated: July 24, 2019
Microsoft has built a new version of the Moby container runtime, v3.0.6, that includes an update to address a recently reported vulnerability, CVE-2018-15664. We recommend that you update the container runtime on your IoT Edge device even though it does not affect standard IoT Edge devices. The product does not use the ‘docker cp’ command which is the point of attack; however it’s possible that advanced scenarios are vulnerable. Modules that have been created with elevated privileges and a mounted docker socket are at a higher risk.
More information on this vulnerability can be found here.
Use the following instructions, as applicable, to update Moby.
Linux Debian-based X64 (.deb):
- Follow the instructions to register to Microsoft key and software repository feed.
- sudo apt-get update
- sudo apt-get install moby-engine
Linux CentOS-based X64 (.rpm):
- curl -L https://aka.ms/moby-engine-x86_64-rpm-latest -o moby-engine-3.0.6-centos.x86_64.rpm
- sudo yum install -y ./moby-engine-3.0.6-centos.x86_64.rpm
Linux Debian-based ARM32 (for example, Raspberry Pi):
- curl -L https://aka.ms/moby-engine-armhf-latest -o moby-engine_3.0.6_armhf.deb
- sudo dpkg -i ./moby-engine_3.0.6_armhf.deb
Please update Docker Engine (18.09.7 or more recent) if you're testing or developing with Docker instead of the Microsoft built moby-engine.
Windows is not affected.