Docker Releases Security Advisory for Docker Engine

Summary

A critical vulnerability could allow an attacker to bypass authorisation plugins
Threat details

Introduction

Docker has released a security advisory addressing a vulnerability in Moby, the open-source project that contains the core containerisation code for Docker Engine (docker-ce). Docker Engine is an open-source containerisation technology for building and running applications in containers, which allows for rapid deployment on a system-agnostic architecture. Authorisation (AuthZ) plugins allow administrators to add access controls to the Docker daemon; no such controls are enabled by default.

CVE-2024-41110 has a CVSSv3 score of 10.0 and could lead to privilege escalation. An attacker could send a specially crafted API request with Content-Length set to 0, causing the Docker daemon to forward the request to the AuthZ plugin without its body; the plugin might then incorrectly approve a request it would have denied had it seen the body.

Impact on Docker Desktop

Docker has stated:

  • Docker Desktop up to v4.32.0 includes affected versions of Docker Engine.
  • The impact for Docker Desktop is limited compared to production environments.
    • Exploitation requires access to the Docker API, which usually means the attacker needs to already have local access to the host machine, unless the Docker daemon is insecurely exposed over TCP.
    • Default Docker Desktop configuration does not include AuthZ plugins.
    • Privilege escalation is limited to the Docker Desktop VM, not the underlying host.
  • A patched version of Docker Engine will be included in Docker Desktop v4.33.

Remediation advice

Affected organisations are encouraged to review the Docker security blog post and Moby GitHub advisory GHSA-v23v-6jw2-98fq and apply any relevant updates.

If an organisation is using v19.0, v20.0, v23.0, v24.0, v25.0, v26.0, v26.1, or the 'master' branch of Docker, it is strongly encouraged to update to version v27.1.1. A fix for CVE-2024-41110 has been merged into these branches; however, the fixed branches have not been packaged into a release at this time.

CVE Vulnerabilities

CVE-2024-41110 (Status: Published)

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018 where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression.

Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
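The failure mode described in the threat details and in the CVE record is a plugin that receives a body-dependent request with no body and approves it by default. The following Go program is an added illustration of the defensive side of that design, written for this page and not taken from Docker, Moby or any published AuthZ plugin: a request-phase policy that fails closed whenever the endpoint's decision depends on the body and none was forwarded. The `AuthzRequest` and `AuthzResponse` structs are constructed stand-ins for the types a real plugin exchanges with the daemon, `BodyRequired` and `Decide` are hypothetical names, the "only `/containers/create` is body-inspected" rule is an assumed policy, and the sample requests in `main` are constructed. Upgrading to a fixed Engine remains the remediation; this example shows only how a plugin that inspects bodies should treat their absence.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// AuthzRequest and AuthzResponse are stand-ins (assumed, constructed for this
// example) for the request/response types an AuthZ plugin exchanges with dockerd.
type AuthzRequest struct {
	User           string
	RequestMethod  string
	RequestURI     string
	RequestBody    []byte
	RequestHeaders map[string]string
}

type AuthzResponse struct {
	Allow bool
	Msg   string
}

// containerCreate is the subset of the container-create payload this policy inspects.
type containerCreate struct {
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		PidMode    string   `json:"PidMode"`
		Binds      []string `json:"Binds"`
	} `json:"HostConfig"`
}

// apiVersionPrefix matches the optional "/v1.45"-style prefix on Engine API paths.
var apiVersionPrefix = regexp.MustCompile(`^/v\d+\.\d+`)

// BodyRequired reports whether the policy for this endpoint depends on the
// request body (hypothetical policy: only container creation is body-inspected).
func BodyRequired(method, uri string) bool {
	if method != "POST" {
		return false
	}
	u, err := url.Parse(uri)
	if err != nil {
		return false
	}
	return apiVersionPrefix.ReplaceAllString(u.Path, "") == "/containers/create"
}

func deny(msg string) AuthzResponse { return AuthzResponse{Allow: false, Msg: msg} }

// Decide is the plugin's request-phase decision. It fails closed: when an
// endpoint's decision depends on the body and no body was forwarded, the
// request is denied instead of being approved by default.
func Decide(req AuthzRequest) AuthzResponse {
	if !BodyRequired(req.RequestMethod, req.RequestURI) {
		return AuthzResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return deny(fmt.Sprintf("%s %s: body required for policy evaluation but none was forwarded (Content-Length=%q)",
			req.RequestMethod, req.RequestURI, req.RequestHeaders["Content-Length"]))
	}
	var c containerCreate
	if err := json.Unmarshal(req.RequestBody, &c); err != nil {
		return deny("malformed request body: " + err.Error())
	}
	if c.HostConfig.Privileged {
		return deny("privileged containers are not permitted")
	}
	if c.HostConfig.PidMode == "host" {
		return deny("host PID namespace is not permitted")
	}
	for _, b := range c.HostConfig.Binds {
		src := strings.SplitN(b, ":", 2)[0]
		if src == "/" || src == "/var/run/docker.sock" {
			return deny("bind mount of " + src + " is not permitted")
		}
	}
	return AuthzResponse{Allow: true}
}

func main() {
	// Constructed sample requests, shaped as a plugin would receive them.
	samples := []AuthzRequest{
		{User: "alice", RequestMethod: "GET", RequestURI: "/v1.45/containers/json"},
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestHeaders: map[string]string{"Content-Length": "0"}},
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)},
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Binds":["/srv/data:/data"]}}`)},
	}
	for _, s := range samples {
		r := Decide(s)
		fmt.Printf("%-4s %-28s allow=%-5t %s\n", s.RequestMethod, s.RequestURI, r.Allow, r.Msg)
	}
}
```

The second sample is the shape the advisory describes: a body-bearing endpoint reached with Content-Length 0 and nothing to inspect. A policy that evaluates `Privileged`, `PidMode` or `Binds` only when a body is present silently becomes "allow" in that case; making the empty-body branch an explicit denial with a logged reason is what keeps the plugin's decision independent of how much of the request the daemon chose to forward.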

Last edited: 25 July 2024 3:01 pm