Major Docker Engine Vulnerability Enables Intruders to Circumvent Authorization Plugins

Jul 25, 2024NewsroomContainer Security / Vulnerability

Docker has issued a warning about a significant vulnerability affecting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances.

Tracked as CVE-2024-41110, this bypass and privilege escalation vulnerability carries a CVSS score of 10.0, the maximum severity rating.

“By sending an API request with Content-Length set to 0, an intruder can exploit this loophole, causing the Docker daemon to transmit the request without the body to the AuthZ plugin, potentially leading to improper approval of the request,” as stated by the Moby Project maintainers in their advisory.
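The following Go example is added here and is not code from Docker, the Moby advisory, or any real AuthZ plugin. It shows why a body-based policy approves a request that reaches the plugin with no body, next to a variant that fails closed. The struct carries only the plugin-request fields the check reads; the "no privileged containers" policy, the endpoint pattern and the function names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AuthZRequest holds the plugin-request fields this check reads.
type AuthZRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte
}

// Assumed policy scope: the create endpoint, whose decision depends on the JSON body.
var bodyDependent = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// privileged reports whether a container-create body asks for a privileged container.
func privileged(body []byte) bool {
	var c struct {
		HostConfig struct{ Privileged bool }
	}
	return json.Unmarshal(body, &c) == nil && c.HostConfig.Privileged
}

// NaiveAllow denies only what it can see in the body, so an empty body passes.
func NaiveAllow(r AuthZRequest) bool {
	return !privileged(r.RequestBody)
}

// HardenedAllow fails closed when a body-dependent request arrives without a
// body or with one that is not valid JSON, then applies the same policy.
func HardenedAllow(r AuthZRequest) bool {
	if r.RequestMethod == "POST" && bodyDependent.MatchString(r.RequestURI) {
		if len(r.RequestBody) == 0 || !json.Valid(r.RequestBody) {
			return false
		}
	}
	return !privileged(r.RequestBody)
}

func main() {
	// Constructed sample: what the plugin sees when the daemon forwards no body.
	stripped := AuthZRequest{RequestMethod: "POST", RequestURI: "/v1.45/containers/create"}
	fmt.Println("naive:", NaiveAllow(stripped), "hardened:", HardenedAllow(stripped))
}
```

A fail-closed check like this is defence in depth for plugin authors; the engine-side fix still comes from upgrading to a patched release.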

Docker said the issue is a regression: it was originally discovered in 2018 and fixed in Docker Engine v18.09.1 in January 2019, but the fix was never carried forward to subsequent releases (19.03 and later).

The issue has been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024, after the problem was identified in April 2024. The following versions of Docker Engine are impacted, provided AuthZ is used to make access control decisions:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3, and
  • <= v27.1.0

“Users running Docker Engine v19.03.x and subsequent versions who do not rely on authorization plugins for access control determinations, and users of all Mirantis Container Runtime versions, are not at risk,” Docker’s Gabriela Georgieva said.

“Those employing Docker commercial products and internal infrastructure without depending on AuthZ plugins remain unaffected.”

The vulnerability also affects Docker Desktop versions up to 4.32.0; however, the company said the likelihood of exploitation is minimal, because it requires access to the Docker API, which means the attacker must already have local access to the host. A fix is expected to be included in an upcoming release (version 4.33).

“The default Docker Desktop configuration excludes AuthZ plugins,” pointed out Georgieva. “Privilege escalation is restricted to the Docker Desktop virtual machine, not the underlying host.”

While Docker reports no exploitation of CVE-2024-41110 in the wild, users should update to the latest version to mitigate potential risks.

Earlier this year, Docker moved to patch a set of flaws dubbed Leaky Vessels that could allow an attacker to gain unauthorized access to the host file system and break out of the container.

“With the rise in cloud service adoption, the utilization of containers, which has become an integral part of cloud infrastructure, has also increased,” indicated Palo Alto Networks Unit 42 in a report published last week. “Although containers offer various benefits, they are susceptible to attack methods like container escapes.”

“Containers are vulnerable to a range of techniques employed by attackers striving to break free from the boundaries of a container environment as they share the same kernel and often lack complete isolation from the host’s user-mode.”
