Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances.
The flaw was initially discovered and fixed in Docker Engine v18.09.1, released in January 2019, but for some reason, the fix wasn't carried forward in later versions, so the flaw resurfaced.
This dangerous regression was identified only in April 2024, and patches were finally released recently for all supported Docker Engine versions.
Although this left attackers a comfortable 5-year period to leverage the flaw, it's unclear if it was ever exploited in the wild to gain unauthorized access to Docker instances.
A five-year-old flaw
The flaw, now tracked under CVE-2024-41110, is a critical-severity (CVSS score: 10.0) issue that allows an attacker to send a specially crafted API request with a Content-Length of 0, to trick the Docker daemon into forwarding it to the AuthZ plugin.
In typical scenarios, API requests include a body that contains the necessary data for the request, and the authorization plugin inspects this body to make access control decisions.
When the Content-Length is set to 0, the request is forwarded to the AuthZ plugin without the body, so the plugin cannot perform proper validation. This entails the risk of approving requests for unauthorized actions, including privilege escalation.
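The Python example below is added here and is not code from Docker or from the article: it shows an authorization decision that fails closed when an API call whose policy depends on the body reaches the plugin with no body. The `needs_body`, `no_privileged` and `authorize` helpers, the endpoint list and the sample requests are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: calls whose authorization decision depends on the JSON body.
# Illustrative list; extend it to whatever your plugin actually inspects.
BODY_REQUIRED = [
    re.compile(r"^/containers/create$"),
    re.compile(r"^/containers/[^/]+/exec$"),
    re.compile(r"^/services/create$"),
]
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+(?=/)")  # e.g. /v1.45/containers/...


def needs_body(method, uri):
    """True when the decision for this API call depends on the request body."""
    if method.upper() != "POST":
        return False
    path = VERSION_PREFIX.sub("", urlsplit(uri).path)
    return any(p.match(path) for p in BODY_REQUIRED)


def no_privileged(method, uri, body):
    """Constructed sample policy: reject container configs asking for privileged mode."""
    if not body:
        return True  # naive: nothing to inspect, so nothing to object to
    config = json.loads(body)
    return not (config.get("HostConfig") or {}).get("Privileged", False)


def authorize(method, uri, body, policy=no_privileged):
    """Fail closed: a body-dependent call that arrives without a body is
    denied rather than handed to a policy that would find nothing wrong."""
    if needs_body(method, uri) and not (body and body.strip()):
        return False, "denied: body missing, policy cannot be evaluated"
    if policy(method, uri, body):
        return True, "allowed"
    return False, "denied by policy"


if __name__ == "__main__":
    create = "/v1.45/containers/create?name=web"  # constructed sample requests
    for body in (b"", b'{"Image": "alpine"}',
                 b'{"Image": "alpine", "HostConfig": {"Privileged": true}}'):
        print(len(body), authorize("POST", create, body))
    print(authorize("POST", "/v1.45/containers/abc123/start", b""))
```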
CVE-2024-41110 affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control.
Users who don't rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not impacted by CVE-2024-41110, no matter what version they run.
The patched versions that impacted users are advised to move to as soon as possible are v23.0.14 and v27.1.0.
It is also noted that Docker Desktop's latest version, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited there, as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM.
The upcoming Docker Desktop v4.33.0 will resolve the problem, but it has not been released yet.
Users who cannot move to a safe version are advised to disable AuthZ plugins and restrict access to the Docker API only to trusted users.
