Docker has issued an urgent security bulletin with fixes for a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances.
The vulnerability, tracked as CVE-2024-41110 and carrying the maximum CVSS score of 10.0, was originally found and fixed in 2018, with the fix shipping in January 2019, but that patch was not carried forward to later major versions, resulting in a regression.
“Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted,” Docker warned.
“Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it,” according to the advisory.
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said.
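The exchange the advisory describes, as an added example that is not part of the original article or of Docker's own code: a self-contained Go simulation of both halves of the AuthZ flow. The daemon-side forwarders are simplified models of the behaviour described above (the regressed one forwards the body only when the declared Content-Length is positive; the fixed one forwards whatever bytes are actually on the stream), and the plugin denies privileged container creation by inspecting `HostConfig.Privileged` in the `POST /containers/create` body. The JSON field names of the plugin request follow the AuthZ plugin protocol, but the struct itself, the user name `alice`, the `/v1.45` API path, the 1 MiB body cap, the deny-privileged policy, the sample container spec and the direct assignment of `ContentLength = 0` to stand in for the crafted request are all assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// AuthZRequest models the JSON the daemon POSTs to a plugin's /AuthZPlugin.AuthZReq endpoint.
// Field names follow the plugin protocol; the struct is this example's stand-in, not Moby's.
type AuthZRequest struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody,omitempty"`
}
type AuthZResponse struct{ Allow bool; Msg string } // the plugin's decision

// forwardTrustingContentLength models the regressed behaviour the advisory describes:
// the body is forwarded only when the declared Content-Length is positive.
func forwardTrustingContentLength(r *http.Request, user string) (AuthZRequest, error) {
	req := AuthZRequest{User: user, RequestMethod: r.Method, RequestURI: r.URL.RequestURI()}
	if r.ContentLength > 0 {
		b, err := io.ReadAll(r.Body)
		if err != nil {
			return req, err
		}
		req.RequestBody, r.Body = b, io.NopCloser(bytes.NewReader(b)) // keep the body for the real handler
	}
	return req, nil
}

// forwardActualBody reads whatever bytes are really on the stream (capped at 1 MiB), so a declared
// length of 0, or -1 for an unknown length, can no longer hide the body from the plugin.
func forwardActualBody(r *http.Request, user string) (AuthZRequest, error) {
	req := AuthZRequest{User: user, RequestMethod: r.Method, RequestURI: r.URL.RequestURI()}
	b, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		return req, err
	}
	req.RequestBody, r.Body = b, io.NopCloser(bytes.NewReader(b))
	return req, nil
}

func isContainerCreate(req AuthZRequest) bool {
	return req.RequestMethod == http.MethodPost && strings.Contains(req.RequestURI, "/containers/create")
}

// naivePlugin denies privileged container creation but treats a missing body as "nothing
// privileged was asked for" and allows: the decision the advisory warns about.
func naivePlugin(req AuthZRequest) AuthZResponse {
	if !isContainerCreate(req) || len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: true}
	}
	var spec struct {
		HostConfig struct{ Privileged bool } `json:"HostConfig"`
	}
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return AuthZResponse{Allow: false, Msg: "unparseable body"}
	}
	if spec.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZResponse{Allow: true}
}

// failClosedPlugin refuses to decide a body-sensitive endpoint without the body.
func failClosedPlugin(req AuthZRequest) AuthZResponse {
	if isContainerCreate(req) && len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "container create without a body is not allowed"}
	}
	return naivePlugin(req)
}

const privilegedCreate = `{"Image":"alpine","HostConfig":{"Privileged":true}}` // constructed sample body

// newCreateRequest builds a POST /containers/create. With crafted=true the declared Content-Length is
// set to 0 while the bytes stay on the stream: this example's stand-in for the mismatch the advisory describes.
func newCreateRequest(body string, crafted bool) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "/v1.45/containers/create", strings.NewReader(body))
	if crafted {
		r.ContentLength = 0
	}
	return r
}

// decide runs one request through a daemon-side forwarder and then a plugin, as user "alice".
func decide(fw func(*http.Request, string) (AuthZRequest, error), p func(AuthZRequest) AuthZResponse, r *http.Request) AuthZResponse {
	req, err := fw(r, "alice")
	if err != nil {
		return AuthZResponse{Allow: false, Msg: err.Error()}
	}
	return p(req)
}
```

Running the crafted request through `forwardTrustingContentLength` and `naivePlugin` returns an allow, which is the bypass; forwarding the real body (`forwardActualBody`) makes the same plugin deny, and `failClosedPlugin` denies the bodiless create even behind the regressed forwarder. The plugin-side lesson holds independently of the daemon fix: a plugin that cannot see the body of a request whose body it needs for the decision should deny rather than assume the body was benign.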
Affected versions include Docker Engine versions <= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3, and <= v27.1.0. Patched versions are > v23.0.14 and > v27.1.0, that is, v23.0.15 and v27.1.1 or later.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
Docker said commercial products and internal infrastructures that do not use AuthZ plugins are also unaffected.
According to the bulletin, Docker Desktop up to v4.32.0 includes affected versions of Docker Engine, but the impact is limited compared to production environments. Exploitation requires access to the Docker API, meaning the attacker usually needs local access to the host machine unless the Docker daemon is insecurely exposed over TCP.
The default configuration of Docker Desktop does not include AuthZ plugins, and privilege escalation is confined to the Docker Desktop VM, not the underlying host. A patched version of Docker Engine is planned for inclusion in Docker Desktop v4.33.