
Docker fixes critical 5-year old authentication bypass flaw

Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances.

The flaw was initially discovered and fixed in Docker Engine v18.09.1, released in January 2019, but for some reason, the fix wasn't carried forward in later versions, so the flaw resurfaced.

This dangerous regression was identified only in April 2024, and patches were eventually released today for all supported Docker Engine versions.

Although this left attackers a comfortable 5-year period to leverage the flaw, it's unclear if it was ever exploited in the wild to gain unauthorized access to Docker instances.

A 5 year old flaw

The flaw, now tracked under CVE-2024-41110, is a critical-severity (CVSS score: 10.0) issue that allows an attacker to send a specially crafted API request with a Content-Length of 0, to trick the Docker daemon into forwarding it to the AuthZ plugin.


In typical scenarios, API requests include a body that contains the necessary data for the request, and the authorization plugin inspects this body to make access control decisions.

When the Content-Length is set to 0, the request is forwarded to the AuthZ plugin without the body, so the plugin cannot perform proper validation. This entails the risk of approving requests for unauthorized actions, including privilege escalation.
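The failure mode described above, seen from the plugin side: an added example (not Docker's code and not from the original article) of an AuthZ decision function that fails closed when a body-dependent request arrives with no body. The JSON field names follow Docker's documented AuthZ plugin request format; the endpoint pattern, the sample "no privileged containers" policy, and the names `Decide`, `needsBody` and `sample` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AuthZRequest holds the fields of Docker's AuthZ plugin request used here.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody,omitempty"` // base64 on the wire
}

// Endpoint whose policy decision depends on the body (hypothetical policy scope).
var needsBody = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// Decide fails closed: a missing or unparsable body is denied, never approved.
func Decide(raw []byte) (bool, string) {
	var req AuthZRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, "malformed authorization request"
	}
	if req.RequestMethod != "POST" || !needsBody.MatchString(req.RequestURI) {
		return true, "" // outside this sample policy
	}
	if len(req.RequestBody) == 0 {
		return false, "body required for policy evaluation, none forwarded"
	}
	var body struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return false, "request body is not valid JSON"
	}
	if body.HostConfig.Privileged {
		return false, "privileged containers are not permitted"
	}
	return true, ""
}

// sample builds a constructed plugin request for the demo.
func sample(method, uri, body string) []byte {
	raw, _ := json.Marshal(AuthZRequest{method, uri, []byte(body)})
	return raw
}

func main() {
	fmt.Println(Decide(sample("POST", "/v1.46/containers/create", "")))
	fmt.Println(Decide(sample("POST", "/v1.46/containers/create", `{"HostConfig":{"Privileged":true}}`)))
}
```

A plugin-side check like this only narrows what a body-less request can get approved; it does not replace moving to a patched engine.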

CVE-2024-41110 impacts Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control.

Users who don't rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not impacted by CVE-2024-41110, no matter what version they run.

The patched versions that impacted users are advised to move to as soon as possible are v23.0.14 and v27.1.0.

It is also noted that Docker Desktop's latest version, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited there as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM.


The upcoming Docker Desktop v4.33.0 will resolve the problem, but it has not been released yet.

Users who cannot move to a safe version are advised to disable AuthZ plugins and restrict access to the Docker API only to trusted users.

