Critical Docker Engine Flaw Enables Authorization Plugin Bypass
A critical vulnerability was identified in certain versions of Docker Engine that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. Docker has recently released security updates to address this vulnerability.
This vulnerability, tracked as CVE-2024-41110, was first discovered and patched in Docker Engine v18.09.1, which was released in January 2019. However, the fix was not carried forward, and the vulnerability resurfaced in later versions of Docker Engine. This dangerous regression went unnoticed until April 2024, when it was rediscovered, prompting Docker to release patches for all supported versions of Docker Engine.
Vulnerability Details
CVE-2024-41110 is classified as a critical-severity issue with a CVSS score of 10.0. The vulnerability lies in the way Docker Engine handles API requests. Specifically, an attacker can send a specially crafted API request with a Content-Length of 0, tricking the Docker daemon into forwarding the request to the AuthZ plugin without a body.
Under normal circumstances, API requests include a body containing the necessary data for the request, which the authorization plugin uses to make access control decisions. When the Content-Length is set to 0, the plugin receives no body to evaluate, so the request escapes proper validation and the plugin may approve unauthorized actions, including privilege escalation.
Impacted Versions and Users
CVE-2024-41110 affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0. Users relying on authorization plugins for access control are particularly vulnerable.
However, not all users are at risk. The following groups are not affected:
- Users who do not use plugins for authorization.
- Users of Mirantis Container Runtime.
- Users of Docker commercial products.
For those impacted, it is crucial to update to the patched versions, v23.0.14 and v27.1.0, as soon as possible.
For users unable to immediately update to a safer version, it is advisable to:
- Disable AuthZ plugins.
- Restrict access to the Docker API only to trusted users.
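The exposure conditions described above (an Engine version on the affected list together with a configured AuthZ plugin) can be checked mechanically. The following Python check is an added example, not code from Docker or from the original article; the per-branch reading of the version list, the verdict strings and the sample plugin name `example-authz` are assumptions.

```python
import json
import re

# Highest affected patch release per branch, taken from the list in this article.
# Assumption: each listed version caps its own major.minor release branch.
AFFECTED_MAX = {
    (19, 3): 15, (20, 10): 27, (23, 0): 14, (24, 0): 9, (25, 0): 5,
    (26, 0): 2, (26, 1): 4, (27, 0): 3, (27, 1): 0,
}

def parse_version(text):
    """Parse '27.1.0', 'v24.0.9' or '20.10.27+dfsg1' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker Engine version: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_status(version):
    """Return 'affected', 'newer-than-listed' or 'unlisted-branch'."""
    major, minor, patch = parse_version(version)
    cap = AFFECTED_MAX.get((major, minor))
    if cap is not None:
        return "affected" if patch <= cap else "newer-than-listed"
    if (major, minor) > max(AFFECTED_MAX):
        return "newer-than-listed"
    return "unlisted-branch"  # not covered by the article's list

def authz_plugins(daemon_json_text):
    """List AuthZ plugins from daemon.json text ('authorization-plugins' key).
    Plugins passed on the dockerd command line are not visible here."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return list(cfg.get("authorization-plugins") or [])

def assess(version, daemon_json_text):
    """Combine both conditions into one verdict string (names are illustrative)."""
    if not authz_plugins(daemon_json_text):
        return "not-at-risk-no-authz"
    status = version_status(version)
    if status == "affected":
        return "at-risk"
    return "not-listed-as-affected" if status == "newer-than-listed" else "check-advisory"

if __name__ == "__main__":
    # Constructed sample inputs; on a real host the version string can be read
    # with: docker version --format '{{.Server.Version}}'
    sample_cfg = '{"authorization-plugins": ["example-authz"]}'
    for v in ("v27.1.0", "26.1.5", "24.0.7", "18.09.1"):
        print(v, assess(v, sample_cfg))
```

A verdict of `check-advisory` means the branch does not appear in the list above, so the vendor advisory for that release line has to be consulted directly.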
Additionally, the latest version of Docker Desktop, 4.32.0, also includes a vulnerable Docker Engine. Nevertheless, the impact is somewhat limited since exploitation requires access to the Docker API, and any potential privilege escalation is confined to the virtual machine (VM). Docker has announced that the forthcoming Docker Desktop v4.33.0 will fully address this vulnerability, though this update is not yet available for download.
Conclusion
This five-year-old flaw highlights the critical importance of maintaining robust and continuous security practices in software development and deployment. Docker users are urged to apply the necessary updates promptly and review their security configurations to mitigate the risk of unauthorized access. By taking these steps, users can protect their Docker environments from potential exploitation and ensure the integrity of their systems.
The sources for this article include a story from BleepingComputer.