Docker has released crucial updates addressing a critical vulnerability in Docker Engine that could allow attackers to bypass authorization plugins (AuthZ). This issue has a low likelihood of being exploited, but all Docker installations need to upgrade to the latest versions immediately. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not affected.
CVE-2024-41110: AuthZ Plugin Bypass and Privilege Escalation
What is the issue? An attacker can exploit this vulnerability using an API request with Content-Length set to 0. This causes the Docker daemon to forward the request without the body to the AuthZ plugin, potentially allowing unauthorized actions.
Severity: Critical (CVSS score: 10.0)
Impact: Unauthorized users could escalate privileges, gaining access to sensitive assets such as cloud tokens, Kubernetes service accounts, and other privileged identities, leading to unauthorized control over critical infrastructure.
Affected Versions
Affected Versions | Patched Versions |
<= v19.03.15 | > v19.03.15 |
<= v20.10.27 | > v20.10.27 |
<= v23.0.14 | > v23.0.14 |
<= v24.0.9 | > v24.0.9 |
<= v25.0.5 | > v25.0.5 |
<= v26.0.2 | > v26.0.2 |
<= v26.1.4 | > v26.1.4 |
<= v27.0.3 | > v27.0.3 |
<= v27.1.0 | > v27.1.0 |
Who is Impacted?
- Impacted Users: Docker Engine users (v19.03.x and later) who rely on AuthZ plugins for access control.
- Not Impacted Users: Those who do not use AuthZ plugins or use Mirantis Container Runtime.
Impact on Docker Desktop
- Versions: Up to v4.32.0 are affected.
- Exploitation: Requires access to the Docker API, typically local access unless the Docker daemon is insecurely exposed over TCP, the default configuration doesn’t include AuthZ plugins by default.
- Privilege Escalation: Limited to Docker Desktop VM, not the host.
- Patch: Included in Docker Desktop v4.33.
Patches and Remediation Steps
- Docker-CE v27.1.1: Contains patches to fix the vulnerability.
- Patches are merged into master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 branches.
Immediate Actions:
- Update Docker Engine: Ensure you are running the most recent patched version.
- Mitigation if unable to update immediately:
- Avoid using AuthZ plugins.
- Restrict Docker API access to trusted parties, following the principle of least privilege.
Code Snippet
To understand the potential exploitation, consider the following example where an attacker might send an API request with Content-Length set to 0:
import requests
url = 'http://docker-daemon:2375/containers/create'
headers = {'Content-Type': 'application/json', 'Content-Length': '0'}
response = requests.post(url, headers=headers)
print(response.status_code)
print(response.text)
Copied
In this scenario, the Docker daemon forwards the request to the AuthZ plugin without the body, possibly bypassing the intended authorization checks.
How Upwind Protects Against Docker Vulnerabilities
Upwind Cloud Security Platform offers several solutions to mitigate Docker vulnerabilities:
- Locate Vulnerable Packages: Use Upwind’s SBOM explorer to search and identify vulnerable Docker Engine packages.
- View Resource Impact: Identify all resources affected by CVE-2024-41110, including cloud accounts, clusters, pods, namespaces, VMs, and resources.
- Prioritize At-Risk Resources: Assess and prioritize the impact on your environment, focusing on resources with additional risk factors such as internet exposure, database connections, secrets, or sensitive data.
- Prioritize Package Upgrades: Generate a list of vulnerable resources that should be prioritized for updates using the recommended fixes.
Get Further Assistance
If you need further assistance with protecting your environment from CVE-2024-41110, you can reach out to an Upwind specialist directly at [email protected].