
Major Vulnerability in Docker Engine Enables Hackers to Circumvent Authorization Plugins

Docker is warning of a critical flaw affecting some versions of Docker Engine that may allow an attacker to bypass authorization plugins (AuthZ) in specific situations.

Identified as CVE-2024-41110, this vulnerability enables bypass and privilege escalation, with a CVSS score of 10.0 indicating maximum severity.

“An attacker could leverage a bypass using an API request with Content-Length set to 0, prompting the Docker daemon to forward the request without the body to the AuthZ plugin, potentially leading to an incorrect approval of the request,” stated the Moby Project maintainers in an advisory.
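The failure mode the advisory describes, as an added Go example that is not code from Docker or from any AuthZ plugin: a policy that inspects the body only when one arrives approves a request forwarded without it, while a fail-closed check denies it. The `authzRequest` type, the `decide*` functions and the no-privileged-containers policy are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// authzRequest is a hypothetical, simplified model, not Docker's plugin API type.
type authzRequest struct {
	Method, URI string
	Body        []byte
}

// privileged reports whether a container-create body asks for privileged mode.
func privileged(body []byte) (bool, error) {
	var spec struct{ HostConfig struct{ Privileged bool } }
	err := json.Unmarshal(body, &spec)
	return spec.HostConfig.Privileged, err
}

// isCreate matches POST /containers/create with or without a version prefix.
func isCreate(r authzRequest) bool {
	path, _, _ := strings.Cut(r.URI, "?")
	return r.Method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// decideNaive checks the body only when present: a missing body is approved.
func decideNaive(r authzRequest) bool {
	if !isCreate(r) || len(r.Body) == 0 {
		return true
	}
	p, err := privileged(r.Body)
	return err == nil && !p
}

// decideStrict fails closed: a body-dependent endpoint with no body is denied.
func decideStrict(r authzRequest) bool {
	if isCreate(r) && len(r.Body) == 0 {
		return false
	}
	return decideNaive(r)
}

func main() {
	// Constructed sample: nil Body models a request forwarded without its body.
	r := authzRequest{"POST", "/v1.45/containers/create?name=web", nil}
	fmt.Println("naive:", decideNaive(r), "strict:", decideStrict(r))
}
```

Failing closed in a plugin is defence in depth only; the fix for CVE-2024-41110 ships in Docker Engine itself, so upgrading remains the remediation.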

Docker has acknowledged this as a regression, as the issue was initially discovered in 2018 and resolved in Docker Engine v18.09.1 in January 2019, but was not carried over to subsequent versions (19.03 and later).

This issue has been fixed in versions 23.0.14 and 27.1.0 as of July 23, 2024, following its identification in April 2024. The following versions of Docker Engine are impacted, assuming AuthZ is used to make access control decisions:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3, and
  • <= v27.1.0

“Users of Docker Engine v19.03.x and newer versions who do not rely on authorization plugins for access control decisions, as well as users of all Mirantis Container Runtime versions, are not vulnerable,” Docker’s Gabriela Georgieva said.

“Users of Docker commercial products and internal infrastructure not employing AuthZ plugins are not impacted.”

Docker Desktop is also affected up to version 4.32.0, but the likelihood of exploitation is low: it requires access to the Docker API, which assumes the attacker already has local access to the host. A fix is anticipated in an upcoming release (version 4.33).

“Default Docker Desktop configuration does not include AuthZ plugins,” noted Georgieva. “Privilege escalation is confined to the Docker Desktop [virtual machine], not the underlying host.”

While Docker has not reported any instances of CVE-2024-41110 exploitation in the wild, it is crucial for users to update their installations to the latest version to mitigate potential risks.

Earlier this year, Docker addressed a set of vulnerabilities known as Leaky Vessels that could allow unauthorized access to the host filesystem and breakout from the container.

“As cloud services and container usage increase, so does the potential for attacks, including container escapes,” highlighted Palo Alto Networks Unit 42 in a report released recently. “Containers offer many benefits but are also susceptible to attack techniques like container escapes.”

“With a shared kernel and often lacking complete isolation from the host’s user-mode, containers are vulnerable to various attack techniques aimed at breaking out of the container environment.”
