Docker is warning of a vital flaw impacting sure variations of Docker Engine that would enable an attacker to sidestep authorization plugins (AuthZ) below particular circumstances.
Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS rating of 10.0, indicating most severity.
“An attacker may exploit a bypass utilizing an API request with Content material-Size set to 0, inflicting the Docker daemon to ahead the request with out the physique to the AuthZ plugin, which could approve the request incorrectly,” the Moby Venture maintainers mentioned in an advisory.
Docker mentioned the difficulty is a regression in that the difficulty was initially found in 2018 and addressed in Docker Engine v18.09.1 in January 2019, however by no means bought carried over to subsequent variations (19.03 and later).
The problem has been resolved in variations 23.0.14 and 27.1.0 as of July 23, 2024, after the issue was recognized in April 2024. The next variations of Docker Engine are impacted assuming AuthZ is used to make entry management selections –
- <= v19.03.15
- <= v20.10.27
- <= v23.0.14
- <= v24.0.9
- <= v25.0.5
- <= v26.0.2
- <= v26.1.4
- <= v27.0.3, and
- <= v27.1.0
“Customers of Docker Engine v19.03.x and later variations who don’t depend on authorization plugins to make entry management selections and customers of all variations of Mirantis Container Runtime are usually not susceptible,” Docker’s Gabriela Georgieva mentioned.
“Customers of Docker business merchandise and inner infrastructure who don’t depend on AuthZ plugins are unaffected.”
It additionally impacts Docker Desktop as much as variations 4.32.0, though the corporate mentioned the probability of exploitation is restricted and it requires entry to the Docker API, necessitating that an attacker already has native entry to the host. A repair is anticipated to be included in a forthcoming launch (model 4.33).
“Default Docker Desktop configuration doesn’t embody AuthZ plugins,” Georgieva famous. “Privilege escalation is restricted to the Docker Desktop [virtual machine], not the underlying host.”
Though Docker makes no point out of CVE-2024-41110 being exploited within the wild, it is important that customers apply their installations to the most recent model to mitigate potential threats.
Earlier this yr, Docker moved to patch a set of flaws dubbed Leaky Vessels that would allow an attacker to achieve unauthorized entry to the host filesystem and escape of the container.
“As cloud companies rise in reputation, so does the usage of containers, which have change into an built-in a part of cloud infrastructure,” Palo Alto Networks Unit 42 mentioned in a report revealed final week. “Though containers present many benefits, they’re additionally vulnerable to assault methods like container escapes.”
“Sharing the identical kernel and sometimes missing full isolation from the host’s user-mode, containers are vulnerable to numerous methods employed by attackers looking for to flee the confines of a container setting.”
