Critical Authentication Bypass Flaw Addressed in Docker

July 24, 2024

Docker has implemented security updates to rectify a critical vulnerability that could potentially allow an attacker to bypass authorization plugins under specific circumstances. This flaw, which was first identified and corrected in Docker Engine v18.09.1, released in January 2019, was not carried forward in later versions, leading to its recurrence. The flaw was only rediscovered in April 2024, and patches have now been released for all supported Docker Engine versions.

This lapse left a window of five years for potential attackers to exploit the flaw, although it remains uncertain whether it was ever used for unauthorized access to Docker instances. The flaw, now designated as CVE-2024-41110, is a critical-severity issue that allows an attacker to send a specially crafted API request with a Content-Length of 0, thereby tricking the Docker daemon into forwarding it to the AuthZ plugin.

Ordinarily, API requests include a body containing the necessary data for the request, which the authorization plugin inspects to make access control decisions. However, when the Content-Length is set to 0, the request is forwarded to the AuthZ plugin without the body, preventing the plugin from performing proper validation. This could potentially allow unauthorized actions, including privilege escalation.

CVE-2024-41110 affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control. However, users who do not rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not affected by this vulnerability, regardless of the version they use.

Users are advised to switch to patched versions v23.0.14 and v27.1.0 as soon as possible. It's also worth noting that the latest version of Docker Desktop, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM. The upcoming Docker Desktop v4.33.0 will address the issue, but it has not been released yet. Users unable to upgrade to a secure version are advised to disable AuthZ plugins and limit access to the Docker API only to trusted users.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.