Critical Docker Engine Vulnerability Bypasses Authorization Plugins

July 25, 2024

Docker has issued a warning about a critical vulnerability affecting certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) in certain situations. This vulnerability, registered as CVE-2024-41110, is a bypass and privilege escalation issue with a CVSS score of 10.0, indicating its severe nature. The Moby Project maintainers explained in an advisory, "An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly."
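The decision logic below is an added illustration, not Docker's or the Moby Project's code, of how an authorization plugin can fail closed on the condition described above: a request on a body-bearing route that reaches the plugin with no body is denied rather than evaluated against an empty document. The struct field names follow the Docker authorization plugin request format as I recall it and the route list is a constructed, non-exhaustive assumption.

```go
package main

import (
	"encoding/json"
	"net/http"
	"regexp"
)

// AuthZRequest declares only the fields this example uses; the names are
// assumed to match what the daemon posts to /AuthZPlugin.AuthZReq.
type AuthZRequest struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"` // base64 on the wire, decoded by encoding/json
}

type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// bodyRequired: API routes whose JSON body a policy normally inspects (constructed list).
var bodyRequired = regexp.MustCompile(`^(/v[0-9.]+)?/(containers/create|containers/[^/]+/exec|exec/[^/]+/start)`)

// Decide fails closed: an empty body on a body-bearing route is a denial,
// never a "nothing to object to" pass. Then it applies a sample policy.
func Decide(req AuthZRequest) AuthZResponse {
	onBodyRoute := bodyRequired.MatchString(req.RequestURI)
	if onBodyRoute && (req.RequestMethod == "POST" || req.RequestMethod == "PUT") && len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "request body missing on a body-bearing route; refusing to authorize"}
	}
	if onBodyRoute {
		var spec struct {
			HostConfig struct{ Privileged bool `json:"Privileged"` } `json:"HostConfig"`
		}
		if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
			return AuthZResponse{Allow: false, Msg: "unparseable request body"}
		}
		if spec.HostConfig.Privileged {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return AuthZResponse{Allow: true}
}

// authZReqHandler is the HTTP entry point the daemon would call.
func authZReqHandler(w http.ResponseWriter, r *http.Request) {
	var req AuthZRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	_ = json.NewEncoder(w).Encode(Decide(req))
}
```

Register `authZReqHandler` on `/AuthZPlugin.AuthZReq` with `http.HandleFunc` to serve it; the point to carry over to a real plugin is the first branch of `Decide`.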

The problem is a regression, meaning it was a previously addressed issue that resurfaced in later versions. It was first discovered in 2018 and fixed in Docker Engine v18.09.1 in January 2019. However, the fix wasn't carried over to subsequent versions (19.03 and later). The issue was identified again in April 2024 and resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024. Docker Engine versions using AuthZ for access control decisions are affected.

Docker's Gabriela Georgieva clarified, "Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime are not vulnerable." She further added that users of Docker commercial products and internal infrastructure who do not depend on AuthZ plugins are not affected. The flaw also impacts Docker Desktop up to version 4.32.0, though the company stated that the chance of exploitation is low and requires access to the Docker API, implying that an attacker would need local access to the host. A fix is anticipated in the upcoming release (version 4.33).

Georgieva noted, "Default Docker Desktop configuration does not include AuthZ plugins. Privilege escalation is limited to the Docker Desktop [virtual machine], not the underlying host." While Docker hasn't reported any instances of CVE-2024-41110 being exploited in the wild, it's crucial for users to update their installations to the latest version to mitigate potential threats. Earlier this year, Docker patched a series of vulnerabilities known as Leaky Vessels that could allow an attacker to gain unauthorized access to the host filesystem and escape the container.

A report published last week by Palo Alto Networks Unit 42 highlighted the growing popularity of cloud services and the consequent use of containers, stating, "Although containers provide many advantages, they are also susceptible to attack techniques like container escapes." The report further elaborated on the vulnerabilities of containers due to their shared kernel and often incomplete isolation from the host's user mode.
