Docker Sha1 Checksum Verification
Description
Detects the use of cryptographically weak hash algorithms (such as MD5, SHA1 and RIPEMD) for checksum verification in Dockerfiles. When integrity verification relies on a weak hash, an attacker who can produce a second file with the same digest can substitute a malicious package that still passes the check.
Detection Strategy
• Search Dockerfiles for RUN instructions
• Check whether the RUN command invokes a weak hash tool (md5sum, sha1sum, etc.) together with the '-c' flag
• The names matched are: hmacmd5, sha1sum, hmacripemd, dsa, md2sum, md4sum, haval, ripemd, md5sum, sha1
• The hash command must be used with the '-c' flag, which indicates checksum verification rather than digest generation
• Report a vulnerability when a RUN instruction uses any of these weak algorithms for checksum verification
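The detection strategy above, as an added example (not Fluid Attacks' own detector): a small Python scanner that joins multi-line RUN instructions, then flags any weak hash tool from the page's list that is used with -c inside the same pipeline segment. The tool list is the page's; the regex, scanner and sample Dockerfile are assumptions constructed for this illustration.

```python
import re

# Weak hash tools named in the page's detection strategy. The regex and scanner
# around them are an added illustration, not Fluid Attacks' own detector.
WEAK_HASH_TOOLS = ("hmacmd5", "sha1sum", "hmacripemd", "dsa", "md2sum", "md4sum",
                   "haval", "ripemd", "md5sum", "sha1")

# A weak tool name, then the -c flag within the same pipeline segment (no | ; &),
# so "sha1sum x && wget -c url" is not mistaken for a checksum verification.
_WEAK_CHECK = re.compile(
    r"\b(" + "|".join(map(re.escape, WEAK_HASH_TOOLS)) + r")\b"
    r"[^|;&]*?(?<![\w-])-c(?!\w)"
)

def run_instructions(dockerfile_text):
    """Yield (line_number, command) for each RUN instruction, joining
    backslash line continuations so a multi-line RUN is one command."""
    lines = dockerfile_text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        start = i + 1
        if stripped.upper().startswith("RUN "):
            parts = [stripped[4:].rstrip("\\").strip()]
            while lines[i].rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                parts.append(lines[i].strip().rstrip("\\").strip())
            yield start, " ".join(parts)
        i += 1

def find_weak_checksums(dockerfile_text):
    """Return [(line, tool)] for every RUN command that verifies a checksum
    (-c flag) with one of the weak hash tools."""
    return [(lineno, m.group(1))
            for lineno, cmd in run_instructions(dockerfile_text)
            for m in _WEAK_CHECK.finditer(cmd)]

# Constructed sample Dockerfile: lines 3, 4 and 6 should be reported, line 5 not.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
RUN wget -O myfile.tar.gz https://example.com/myfile.tar.gz
RUN echo "a40216e7c028e7d77f1aec22d2bbd5f9  myfile.tar.gz" | sha1sum -c
RUN sha1sum -c myfile.tar.gz.sha1
RUN echo "5a9ebcc65c1cce56e0d2dc616aff4c4cedcfbda8cc6f0288cc08cda3b18dcbf1  myfile.tar.gz" | sha256sum -c
RUN apk add --no-cache curl \\
 && md5sum -c checksums.md5
"""

if __name__ == "__main__":
    for lineno, tool in find_weak_checksums(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: weak checksum verification with {tool}")
```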
Vulnerable code example
# Download and verify a package with an insecure SHA1 hash
RUN wget -O myfile.tar.gz https://example.com/myfile.tar.gz
# Vulnerable: Using SHA1 for checksum verification which is cryptographically broken
RUN echo "a40216e7c028e7d77f1aec22d2bbd5f9 myfile.tar.gz" | sha1sum -c
# Another vulnerable verification using SHA1
RUN sha1sum -c myfile.tar.gz.sha1
Secure code example
# Download and verify a package with a secure SHA256 hash
RUN wget -O myfile.tar.gz https://example.com/myfile.tar.gz
# Secure: Using SHA256 for cryptographic verification instead of broken SHA1
RUN echo "5a9ebcc65c1cce56e0d2dc616aff4c4cedcfbda8cc6f0288cc08cda3b18dcbf1 myfile.tar.gz" | sha256sum -c
# For additional assurance, also verify the GPG signature when the publisher provides one
# RUN wget -O myfile.tar.gz.asc https://example.com/myfile.tar.gz.asc
# RUN gpg --verify myfile.tar.gz.asc myfile.tar.gz