Docker is warning of a critical flaw affecting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances.
Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity.
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” the Moby Project maintainers said in an advisory.
Docker said the issue is a regression: it was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but the fix was never carried over to subsequent versions (19.03 and later).
The problem was identified in April 2024 and has been resolved in versions 23.0.15, 26.1.5, and 27.1.1 as of July 23, 2024. The following versions of Docker Engine are impacted, assuming an AuthZ plugin is used to make access control decisions:
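The mechanism the advisory describes, reduced to its two moving parts as an added example (this is illustrative code written for this page, not Moby's authorization middleware or any real plugin): the daemon decides whether to forward the request body to the plugin, and the plugin decides on what it was given. `forwardedBody`, `policy`, `authorize` and `privilegedCreate` are names chosen here; the "unpatched" branch models the flaw as the advisory states it (a declared Content-Length of 0 causes the body to be dropped before the plugin sees it), the toy plugin rule (deny any `POST /containers/create` whose `HostConfig.Privileged` is true) is an assumption standing in for a real policy, and the request is constructed inline. The three runs show the bad combination (unpatched daemon plus a plugin that only inspects bodies it receives), what patching the daemon fixes, and the independent mitigation a plugin author controls: failing closed when a create request arrives without a body.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// pluginRequest models the fields a daemon hands to an AuthZ plugin's request hook
// (a simplification of the real plugin protocol). Body is nil when none was forwarded.
type pluginRequest struct {
	Method, URI string
	Body        []byte
}

// forwardedBody is the daemon-side choice of what body the plugin gets to see.
// Unpatched (as the advisory describes the flaw): forward only when the declared length is
// positive, so "Content-Length: 0" hides an attached body. Patched: forward whatever is attached.
func forwardedBody(r *http.Request, patched bool) ([]byte, error) {
	if r.Body == nil || r.Body == http.NoBody {
		return nil, nil
	}
	if !patched && r.ContentLength <= 0 {
		return nil, nil
	}
	b, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	r.Body = io.NopCloser(bytes.NewReader(b)) // put the body back for the daemon's own handler
	return b, nil
}

// isContainerCreate matches POST /containers/create, with or without an API version prefix.
func isContainerCreate(req pluginRequest) bool {
	path := strings.SplitN(req.URI, "?", 2)[0]
	return req.Method == http.MethodPost && strings.HasSuffix(path, "/containers/create")
}

// policy is a toy plugin rule (an assumption for this example): reject HostConfig.Privileged.
// A lenient plugin approves a create it was given no body for; a fail-closed one denies it.
func policy(req pluginRequest, failClosed bool) (bool, string) {
	if !isContainerCreate(req) {
		return true, ""
	}
	if req.Body == nil {
		if failClosed {
			return false, "container create forwarded without a body"
		}
		return true, "" // the incorrect approval the advisory warns about
	}
	var spec struct {
		HostConfig struct{ Privileged bool } `json:"HostConfig"`
	}
	if err := json.Unmarshal(req.Body, &spec); err != nil {
		return false, "unparseable create body: " + err.Error()
	}
	if spec.HostConfig.Privileged {
		return false, "privileged containers are not allowed"
	}
	return true, ""
}

// authorize runs the daemon-side gating and then the plugin policy for one request.
func authorize(r *http.Request, patchedDaemon, failClosedPlugin bool) (bool, string) {
	body, err := forwardedBody(r, patchedDaemon)
	if err != nil {
		return false, err.Error()
	}
	return policy(pluginRequest{Method: r.Method, URI: r.URL.RequestURI(), Body: body}, failClosedPlugin)
}

// privilegedCreate is a constructed request in the shape the advisory describes: a JSON body
// asking for a privileged container is attached, but the header claims Content-Length: 0.
func privilegedCreate() *http.Request {
	body := `{"Image":"alpine","HostConfig":{"Privileged":true}}`
	r, _ := http.NewRequest(http.MethodPost, "http://docker/v1.45/containers/create?name=x", strings.NewReader(body))
	r.ContentLength = 0 // what the daemon sees after parsing a "Content-Length: 0" header
	return r
}

func main() {
	for _, c := range []struct {
		name                string
		patched, failClosed bool
	}{
		{"unpatched daemon, lenient plugin", false, false},
		{"patched daemon, lenient plugin", true, false},
		{"unpatched daemon, fail-closed plugin", false, true},
	} {
		ok, why := authorize(privilegedCreate(), c.patched, c.failClosed)
		fmt.Printf("%-38s allow=%-5v %s\n", c.name, ok, why)
	}
}
```

Run it with `go run`; only the first combination lets the privileged create through. The two fixes are independent: updating the Engine closes the gap for every plugin, while writing the plugin to deny any create it cannot inspect protects against this class of bug even on a daemon that drops the body. On a real host, `docker info --format '{{json .Plugins.Authorization}}'` shows whether any AuthZ plugin is loaded at all, which is the precondition for being affected.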
- <= v19.03.15
- <= v20.10.27
- <= v23.0.14
- <= v24.0.9
- <= v25.0.5
- <= v26.0.2
- <= v26.1.4
- <= v27.0.3, and
- <= v27.1.0
“Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime are not vulnerable,” Docker’s Gabriela Georgieva said.
“Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected.”
It also affects Docker Desktop up to version 4.32.0, although the company said the likelihood of exploitation is limited: it requires access to the Docker API, meaning an attacker must already have local access to the host. A fix is expected to be included in a forthcoming release (version 4.33).
“Default Docker Desktop configuration does not include AuthZ plugins,” Georgieva noted. “Privilege escalation is limited to the Docker Desktop [virtual machine], not the underlying host.”
Although Docker makes no mention of CVE-2024-41110 being exploited in the wild, users should update their installations to the latest version to mitigate potential threats.
Earlier this year, Docker moved to patch a set of flaws dubbed Leaky Vessels that could enable an attacker to gain unauthorized access to the host filesystem and break out of the container.
“As cloud services rise in popularity, so does the use of containers, which have become an integral part of cloud infrastructure,” Palo Alto Networks Unit 42 said in a report published last week. “Although containers provide many advantages, they’re also susceptible to attack techniques like container escapes.”
“Sharing the same kernel and often lacking complete isolation from the host’s user-mode, containers are susceptible to various techniques employed by attackers seeking to escape the confines of a container environment.”