A security vulnerability has been found in specific versions of Docker Engine that could allow attackers to bypass authorization plugins and perform actions they are not authorized for.
This vulnerability, known as CVE-2024-41110, is considered critical and has a CVSS score of 10, indicating that Docker users should address this issue promptly.
Docker is widely used for containerization, allowing developers to conveniently bundle applications with all the required components.
The Docker Engine, at its core, utilizes an authorization model that is all-or-nothing by default. Users who have access to the Docker daemon have the ability to execute any Docker command.
Adding authorization plugins (AuthZ) allows for greater control over requests, as they can be approved or denied based on specific criteria.
Unfortunately, a vulnerability has been discovered in Docker Engine that enables attackers to circumvent these plugins in specific situations.
More details on the vulnerability
The vulnerability was first identified in 2018. It involves sending a specially crafted API request to the Docker daemon with the Content-Length set to 0.
This request causes the Docker daemon to forward the request without the body to the AuthZ plugin, which might incorrectly approve it, leading to unauthorized actions and privilege escalation.
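The mechanism above turns on a plugin receiving a request with no body and still answering "allow". The following is an added example, not code from Docker or from any real plugin: a minimal Docker AuthZ plugin decision function, in Go, that implements a hypothetical "no privileged containers" policy and fails closed when a body-dependent request arrives without its body. The request and response field names follow the Docker authorization plugin protocol; the policy, the endpoint matcher and the sample envelopes are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"regexp"
)

// AuthZReq mirrors the JSON the Docker daemon POSTs to /AuthZPlugin.AuthZReq.
// The daemon sends RequestBody base64-encoded, which Go's json package maps onto []byte.
type AuthZReq struct {
	User            string            `json:"User"`
	UserAuthNMethod string            `json:"UserAuthNMethod"`
	RequestMethod   string            `json:"RequestMethod"`
	RequestURI      string            `json:"RequestUri"`
	RequestBody     []byte            `json:"RequestBody,omitempty"`
	RequestHeaders  map[string]string `json:"RequestHeaders"`
}

// AuthZRes is the plugin's answer: Allow decides, Msg explains a denial.
type AuthZRes struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// containerCreate matches /containers/create with or without an API version prefix.
var containerCreate = regexp.MustCompile(`^/(v[0-9.]+/)?containers/create(\?.*)?$`)

// needsBody reports whether the policy decision for this endpoint depends on the
// request body. For such endpoints an absent body means "cannot evaluate", so a
// request that reaches the plugin without its body is denied rather than approved.
func needsBody(method, uri string) bool {
	return method == http.MethodPost && containerCreate.MatchString(uri)
}

// authorize implements the hypothetical policy "deny privileged containers".
func authorize(req AuthZReq) AuthZRes {
	if !needsBody(req.RequestMethod, req.RequestURI) {
		return AuthZRes{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		// Fail closed: the body we need to inspect was not forwarded.
		return AuthZRes{Allow: false, Msg: "request body required for policy evaluation but none was forwarded"}
	}
	var create struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(req.RequestBody, &create); err != nil {
		return AuthZRes{Allow: false, Msg: "request body is not valid JSON: " + err.Error()}
	}
	if create.HostConfig.Privileged {
		return AuthZRes{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return AuthZRes{Allow: true}
}

// decide parses the raw envelope the daemon sends; a malformed envelope is also denied.
func decide(raw []byte) AuthZRes {
	var req AuthZReq
	if err := json.Unmarshal(raw, &req); err != nil {
		return AuthZRes{Allow: false, Err: "bad AuthZReq: " + err.Error()}
	}
	return authorize(req)
}

// authzHandler is what a plugin would register with
// http.HandleFunc("/AuthZPlugin.AuthZReq", authzHandler).
func authzHandler(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(decide(raw))
}

func main() {
	// Constructed sample envelopes, not captured daemon traffic.
	samples := []AuthZReq{
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)},
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create"}, // body missing
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"Image":"alpine"}`)},
		{User: "alice", RequestMethod: "GET", RequestURI: "/v1.45/containers/json"},
	}
	for _, s := range samples {
		raw, _ := json.Marshal(s) // RequestBody becomes base64, as the daemon sends it
		res := decide(raw)
		fmt.Printf("%s %s allow=%v %s\n", s.RequestMethod, s.RequestURI, res.Allow, res.Msg)
	}
}
```

The important line is the empty-body check: a plugin that only looks for a `Privileged` flag and otherwise allows would approve the bodyless request, which is exactly the outcome described for this vulnerability. Failing closed in the plugin does not replace the engine patch, since an unpatched daemon still executes whatever the plugin approves, but it means the plugin never approves something it could not inspect.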
The issue was resolved in Docker Engine v18.09.1, which was released in January 2019. Unfortunately, this fix did not persist in subsequent versions, leading to a regression.
The vulnerability resurfaced in versions starting from v19.03 and was identified once more in April 2024. On July 23, 2024, patches were released to resolve the issue in the affected versions.
The affected versions include:
- v19.03.15
- v20.10.27
- v23.0.14
- v24.0.9
- v25.0.5
- v26.0.2
- v26.1.4
- v27.0.3
- v27.1.0
This vulnerability affects users of Docker Engine versions 19.03.x and newer who depend on authorization plugins for access control.
If you do not use AuthZ plugins, or if you use any version of Mirantis Container Runtime, you are not affected.
Users of Docker’s commercial products and internal infrastructure that do not use AuthZ plugins are also safe.
Docker Desktop, a popular development tool, is also affected up to version 4.32.0, as it includes vulnerable versions of Docker Engine.
The risk is reduced, however, because exploiting this vulnerability requires access to the Docker API.
Typically, an attacker would require physical access to the host machine, unless the Docker daemon is exposed in an insecure manner over TCP.
The default configuration of Docker Desktop does not come with AuthZ plugins, and any privilege escalation is confined to the Docker Desktop VM rather than the underlying host.
What you should do
In the upcoming Docker Desktop version 4.33, there will be an updated version of Docker Engine that has been patched.
If you are using an affected version of Docker Engine, update to the latest patched version (v23.0.14, v27.1.0 and later).
If you are unable to update immediately, avoid using AuthZ plugins and ensure that the Docker API is not exposed over TCP without proper protection.
You should also restrict access to the Docker API to trusted parties only, following the principle of least privilege.
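The two interim measures above (no AuthZ plugins while unpatched, no unprotected TCP exposure) can be checked against a host's daemon configuration. Below is an added example, written for this page and not a Docker tool, that audits a daemon.json document for the combination that matters most here: authorization plugins in use on a daemon that also listens on TCP without tlsverify. The `authorization-plugins`, `hosts` and `tlsverify` keys are real daemon.json keys; the finding codes and the sample configurations are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// daemonConfig holds the subset of /etc/docker/daemon.json keys relevant to this audit.
type daemonConfig struct {
	AuthorizationPlugins []string `json:"authorization-plugins"`
	Hosts                []string `json:"hosts"`
	TLSVerify            bool     `json:"tlsverify"`
}

// Finding is one observation about the configuration. Codes are constructed for this example.
type Finding struct {
	Code    string
	Message string
}

// audit parses a daemon.json document and returns its findings.
func audit(raw []byte) ([]Finding, error) {
	var cfg daemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json: %w", err)
	}
	var out []Finding
	if len(cfg.AuthorizationPlugins) > 0 {
		out = append(out, Finding{"AUTHZ_PLUGIN",
			"authorization plugins in use (" + strings.Join(cfg.AuthorizationPlugins, ", ") +
				"): the engine must be on a release patched for CVE-2024-41110"})
	}
	tcp := false
	for _, h := range cfg.Hosts {
		if !strings.HasPrefix(h, "tcp://") {
			continue
		}
		tcp = true
		if cfg.TLSVerify {
			out = append(out, Finding{"TCP_TLSVERIFY", "API listens on " + h + " with client certificate verification"})
		} else {
			out = append(out, Finding{"TCP_NO_TLSVERIFY", "API listens on " + h + " without tlsverify: anyone who can reach the port can reach the daemon"})
		}
	}
	if !tcp {
		out = append(out, Finding{"LOCAL_ONLY", "no tcp:// host configured here; API reachable only via the local socket"})
	}
	return out, nil
}

// hasCode reports whether a finding with the given code is present.
func hasCode(fs []Finding, code string) bool {
	for _, f := range fs {
		if f.Code == code {
			return true
		}
	}
	return false
}

// networkReachableBypass is the condition the advisory singles out: a plugin whose
// decisions can be bypassed on unpatched engines, on a daemon reachable over plain TCP.
func networkReachableBypass(fs []Finding) bool {
	return hasCode(fs, "AUTHZ_PLUGIN") && hasCode(fs, "TCP_NO_TLSVERIFY")
}

func main() {
	// Constructed sample configurations, not taken from a real host.
	samples := []struct{ name, cfg string }{
		{"default socket only", `{"log-driver":"json-file"}`},
		{"authz plugin, plain tcp", `{"authorization-plugins":["example-authz-plugin"],"hosts":["unix:///var/run/docker.sock","tcp://0.0.0.0:2375"]}`},
		{"authz plugin, tcp with tlsverify", `{"authorization-plugins":["example-authz-plugin"],"hosts":["tcp://0.0.0.0:2376"],"tlsverify":true}`},
	}
	for _, s := range samples {
		fs, err := audit([]byte(s.cfg))
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%s: urgent=%v\n", s.name, networkReachableBypass(fs))
		for _, f := range fs {
			fmt.Printf("  [%s] %s\n", f.Code, f.Message)
		}
	}
}
```

daemon.json is only one place the listener can be set; `-H` flags on the dockerd command line (for example in a systemd unit) override it, so a complete check also reads the running daemon's arguments. Even with tlsverify enabled, the engine itself still needs the patch, since a valid client certificate holder is precisely the kind of caller the AuthZ plugin was meant to constrain.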