
WARNING: AUTHZ PLUGIN BYPASS IN DOCKER ENGINE, CVE-2024-41110 PATCH IMMEDIATELY!

Reference: Advisory #2024-115
Version: 1.0
Affected software: Docker Engine
Type: Authorization bypass
CVE/CVSS: CVE-2024-41110, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Sources

https://www.docker.com/blog/docker-security-advisory-docker-engine-authz...

Risks

A significant security vulnerability has been identified in certain versions of Docker Engine, potentially allowing attackers to bypass authorization plugins (AuthZ) under specific circumstances. Docker Engine is widely used for containerization, making it a valuable target for threat actors seeking unauthorized access or privilege escalation. While the base likelihood of this vulnerability being exploited is low, the impact on business continuity and system security can be substantial.

Organizations using affected Docker Engine versions should urgently update their software to mitigate these risks and prevent potential unauthorized access or privilege escalation that could severely disrupt operations.

Description

CVE-2024-41110: Docker Engine AuthZ Plugin Bypass and Privilege Escalation (9.9 Critical)

A regression in Docker Engine versions v19.03.x and later has reintroduced a vulnerability initially fixed in v18.09.1. This vulnerability allows an attacker to bypass AuthZ plugins using a specially crafted API request where the Content-Length is set to 0. This causes the Docker daemon to forward the request without its body to the AuthZ plugin, potentially leading to unauthorized actions and privilege escalation.
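A defence-in-depth check on the plugin side, shown here as an added example (not code from Docker or any plugin vendor): because the daemon hands the plugin a POST with no body, a plugin policy can refuse to authorize body-carrying endpoints whenever the body is missing instead of allowing by default. The JSON field names follow the Docker authorization plugin protocol as documented; the endpoint list and the handler name are assumptions. Patching the daemon remains the actual fix.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// AuthZRequest: fields the daemon posts to /AuthZPlugin.AuthZReq (names
// assumed from the authorization plugin protocol; unused fields omitted).
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"` // base64-encoded in JSON
}

// AuthZResponse is the verdict the daemon expects back.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// Endpoint fragments whose meaning lives in the JSON body (constructed,
// non-exhaustive list for this example; the URI may carry a version prefix).
var bodyRequired = []string{"/containers/create", "/exec", "/build"}

// Decide denies a POST to a body-carrying endpoint that reaches the plugin
// with no body: what the plugin cannot inspect must not pass by default.
func Decide(r AuthZRequest) AuthZResponse {
	if r.RequestMethod == http.MethodPost && len(r.RequestBody) == 0 {
		for _, frag := range bodyRequired {
			if strings.Contains(r.RequestURI, frag) {
				return AuthZResponse{Allow: false, Msg: "empty body for " + r.RequestURI + " cannot be inspected"}
			}
		}
	}
	return AuthZResponse{Allow: true}
}

// AuthZReq is the HTTP handler to register under /AuthZPlugin.AuthZReq.
func AuthZReq(w http.ResponseWriter, req *http.Request) {
	var r AuthZRequest
	if err := json.NewDecoder(req.Body).Decode(&r); err != nil {
		json.NewEncoder(w).Encode(AuthZResponse{Allow: false, Err: err.Error()})
		return
	}
	json.NewEncoder(w).Encode(Decide(r))
}
```

Register AuthZReq on the plugin's listener (normally a socket under /run/docker/plugins) and combine it with the plugin's existing user and endpoint rules.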

Affected Versions: <= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3, <= v27.1.0

Patched Versions: > v23.0.14, > v27.1.0

Not affected: Users of Docker Engine v19.03.x and later who do not rely on authorization plugins for access control decisions, and users of all versions of Mirantis Container Runtime, are not vulnerable. Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are also unaffected.

Impact on Docker Desktop:

Docker Desktop up to v4.32.0 includes affected Docker Engine versions, but the impact is limited compared to production environments.

Since exploitation requires Docker API access, the attacker typically needs local access to the host machine unless the Docker daemon is exposed over TCP. Default configurations do not include AuthZ plugins, and privilege escalation is limited to the Docker Desktop VM, not the underlying host.

However, a patched version of Docker Engine will be included in Docker Desktop v4.33, and we recommend updating when possible.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. If you cannot update immediately, avoid using AuthZ plugins and restrict access to the Docker API to trusted parties only, following the principle of least privilege.

Monitor/Detect

Regularly check the vendor's advisory for updates and stay informed on potential security issues.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
