A serious security vulnerability in Docker Engine recently received a patch, compelling users to rush for the updates. If exploited, the vulnerability could allow an attacker to bypass authorization plugins, but only under certain conditions, which keeps its exploitability relatively low. However, the severity of the flaw still requires users’ attention.
Docker Engine Vulnerability Exploit Possible ‘Under Specific Circumstances’
According to a recent advisory, a critical AuthZ bypass and privilege escalation vulnerability threatened the security of Docker Engine.
As explained, the vulnerability existed because an authorization plugin could allow a request that should otherwise have been blocked. Hence, an attacker could exploit the flaw by sending a maliciously crafted API request and gaining elevated privileges.
An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
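To make the failure mode concrete, here is an added example (not code from the advisory, Docker, or any real plugin) modelling the decision logic of a simplified AuthZ plugin as the daemon forwards requests to it. The field names follow the AuthZ plugin protocol (RequestMethod, RequestURI, base64 RequestBody; an Allow/Msg answer); the policy, the endpoint pattern and the sample requests are constructed for illustration. The weak handler fails open when the body is absent, exactly the situation a bodiless request creates; the hardened handler denies any body-bearing endpoint it cannot actually inspect.

```python
import base64
import json
import re

# Constructed policy: deny creation of privileged containers.
# Matches /containers/create with or without a version prefix or query string.
CREATE_RE = re.compile(r"^/(v[\d.]+/)?containers/create(\?.*)?$")


def _decode_body(req):
    """Return the decoded JSON body, or None when the daemon forwarded no body."""
    raw = req.get("RequestBody") or ""
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def weak_authz(req):
    """Fails open: no body means no HostConfig, so nothing looks privileged."""
    if req["RequestMethod"] == "POST" and CREATE_RE.match(req["RequestURI"]):
        body = _decode_body(req) or {}
        if (body.get("HostConfig") or {}).get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not allowed"}
    return {"Allow": True}


def hardened_authz(req):
    """Fails closed: a body-bearing endpoint with no body cannot be evaluated."""
    if req["RequestMethod"] == "POST" and CREATE_RE.match(req["RequestURI"]):
        body = _decode_body(req)
        if body is None:
            return {"Allow": False, "Msg": "request body missing; cannot evaluate policy"}
        if (body.get("HostConfig") or {}).get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not allowed"}
    return {"Allow": True}


def sample_requests():
    """Constructed requests shaped like the daemon's AuthZReq payloads."""
    create = {"Image": "alpine", "HostConfig": {"Privileged": True}}
    encoded = base64.b64encode(json.dumps(create).encode()).decode()
    uri = "/v1.45/containers/create"
    return {
        "privileged_with_body": {"RequestMethod": "POST", "RequestURI": uri, "RequestBody": encoded},
        "bodiless": {"RequestMethod": "POST", "RequestURI": uri, "RequestBody": ""},
        "list": {"RequestMethod": "GET", "RequestURI": "/v1.45/containers/json", "RequestBody": ""},
    }
```

Running both handlers over `sample_requests()` shows the weak plugin allowing the bodiless create request while the hardened one denies it; both still deny the request whose body is present and privileged.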
While Docker noticed this vulnerability in April 2024, the advisory further elaborated that this wasn’t a new issue. Instead, this security vulnerability first surfaced online in 2018, subsequently receiving a fix with Docker Engine v18.09.1 in January 2019. However, the patch didn’t carry over into the subsequent releases, so Docker Engine v19.03 and all newer versions are vulnerable to the same security issue. Nonetheless, the advisory clarifies,
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
This vulnerability, CVE-2024-41110, received a critical severity rating with a CVSS score of 10.0. Upon noticing this issue, Docker patched the vulnerability with docker-ce v27.1.1 and released the patch with the 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.
Considering the severity of this security issue and the patch’s availability, it is imperative for all users to ensure they update to the latest fixed releases.
However, for cases where an immediate patch isn’t workable, Docker advised users to avoid using AuthZ plugins and to restrict Docker API access to trusted parties only, as temporary mitigations. Since this vulnerability exhibits low exploitability, users may consider deploying these mitigations until their systems are ready to receive the patched Docker Engine releases.