Docker: Critical Patch Issued for a 5-year Old Vulnerability Allowing Authorization Bypass

Jul 25, 2024 | News

Discovery and Initial Fix

Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances. The flaw was initially discovered and fixed in Docker Engine v18.09.1, released in January 2019, but for some reason, the fix wasn’t carried forward in later versions, so the flaw resurfaced.

Rediscovery and Patch Release

This dangerous regression was identified only in April 2024, and patches were eventually released on July 23 for all supported Docker Engine versions. Although this left attackers a comfortable 5-year period to leverage the flaw, it is unclear if it was ever exploited in the wild to gain unauthorized access to Docker instances.

Nature of the Vulnerability

The flaw, now tracked under CVE-2024-41110, is a critical-severity (CVSS score: 10.0) issue that allows an attacker to send a specially crafted API request with a Content-Length of 0, to trick the Docker daemon into forwarding it to the AuthZ plugin. In typical scenarios, API requests include a body that contains the necessary data for the request, and the authorization plugin inspects this body to make access control decisions.

Impact of the Flaw

When the Content-Length is set to 0, the request is forwarded to the AuthZ plugin without the body, so the plugin cannot perform proper validation. This entails the risk of approving requests for unauthorized actions, including privilege escalation. CVE-2024-41110 affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control.
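As an added illustration (not code from the article or from Docker), the Go snippet below models an AuthZ plugin decision that fails open when the forwarded body is empty beside one that fails closed; the request field names follow the AuthZ plugin request schema, while the route list and sample request are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest models the fields the daemon forwards to an AuthZ plugin
// (RequestMethod, RequestUri, RequestBody); only what this example needs.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"`
}

// createBody is the subset of a container-create body the policy inspects.
type createBody struct{ HostConfig struct{ Privileged bool } }

// needsBody marks routes whose decision depends on the body (constructed list).
func needsBody(r AuthZRequest) bool {
	return r.RequestMethod == "POST" && strings.Contains(r.RequestURI, "/containers/create")
}

// weakDecide is fail-open: an empty body reads as "nothing to object to".
func weakDecide(r AuthZRequest) bool {
	var b createBody
	if len(r.RequestBody) == 0 || json.Unmarshal(r.RequestBody, &b) != nil {
		return true
	}
	return !b.HostConfig.Privileged
}

// hardenedDecide fails closed: a body-bearing route with no (or unparsable) body is denied.
func hardenedDecide(r AuthZRequest) bool {
	if len(r.RequestBody) == 0 {
		return !needsBody(r) // body-less routes such as GET /containers/json stay allowed
	}
	var b createBody
	if json.Unmarshal(r.RequestBody, &b) != nil {
		return false
	}
	return !b.HostConfig.Privileged
}

func main() {
	// Constructed sample: a container-create request forwarded with an empty body.
	blind := AuthZRequest{RequestMethod: "POST", RequestURI: "/v1.45/containers/create"}
	fmt.Println("weak:", weakDecide(blind), "hardened:", hardenedDecide(blind))
}
```

The fail-closed variant is the plugin-side check a practitioner would want in place in addition to upgrading the engine.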

Who Is Affected?

Users who don’t rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not impacted by CVE-2024-41110, no matter what version they run. Impacted users are advised to move to the patched versions, v23.0.14 and v27.1.0, as soon as possible.

Impact on Docker Desktop

It is also noted that Docker Desktop’s latest version, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited there as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM. The upcoming Docker Desktop v4.33.0 will resolve the problem, but it has not been released yet.

Recommendations for Users

Users who cannot move to a safe version are advised to disable AuthZ plugins and restrict access to the Docker API only to trusted users.

Source: bleepingcomputer.com