CVE-2024-41110: Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
Background
On July 23, 2024, Docker published an advisory for a vulnerability in how Docker Engine hands requests to authorization (AuthZ) plugins, the mechanism used to enforce fine-grained access control on the daemon. Docker Engine is affected directly; Docker Desktop is affected because it bundles an affected Engine, although Desktop does not enable an AuthZ plugin by default.
The issue is an AuthZ bypass that can lead to privilege escalation. It was first found and fixed several years ago and has resurfaced through a regression.
A regression is a previously fixed vulnerability that reappears in a later version, typically because an upgrade or refactor inadvertently reintroduces it. In this case, as Docker's advisory notes, the original fix was simply not carried into later release branches.
CVE-2024-41110:
CVE-2024-41110 (CVSS 10.0 as rated in Docker's advisory) is a critical flaw in Docker Engine's authorization path.
By default, Docker's access control is all-or-nothing: anyone who can reach the daemon socket can run any command. AuthZ plugins add granular control by letting a plugin approve or deny each API request based on the authenticated user and the request's context, including its method, path, headers and body.
The bypass, originally found in 2018, is triggered by a specially crafted API request. When the client sets Content-Length to 0, the daemon forwards the request to the AuthZ plugin without its body. A plugin whose policy depends on that body (for example one that denies the creation of privileged containers) then sees nothing to object to and may approve a request it would otherwise have denied, which can lead to unauthorized actions up to and including privilege escalation.
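To make the failure mode concrete, here is an added example (not code from Docker or from any real plugin) of the decision logic inside a minimal AuthZ plugin. It models the documented plugin request and response shapes and a single policy, "no privileged containers", in two forms: a naive decision that only denies when it can see `HostConfig.Privileged` in the body, and a fail-closed decision that refuses a container-create request arriving without a parseable body. The sample request, the API path `/v1.45/containers/create` and the two function names are constructed for this illustration; the hardened variant does not fix the daemon bug, it only stops a missing body from turning into an allow.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Request mirrors the JSON the daemon POSTs to a plugin's /AuthZPlugin.AuthZReq
// endpoint. Field names follow the documented AuthZ plugin API; RequestBody is
// the raw HTTP body of the client's request and arrives base64-encoded in JSON.
type Request struct {
	User            string            `json:"User"`
	UserAuthNMethod string            `json:"UserAuthNMethod"`
	RequestMethod   string            `json:"RequestMethod"`
	RequestURI      string            `json:"RequestUri"`
	RequestHeaders  map[string]string `json:"RequestHeaders"`
	RequestBody     []byte            `json:"RequestBody,omitempty"`
}

// Response is the plugin's verdict sent back to the daemon.
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// isContainerCreate matches POST .../containers/create, ignoring the API
// version prefix and any query string (?name=...).
func isContainerCreate(method, uri string) bool {
	path := uri
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	return method == http.MethodPost && strings.HasSuffix(path, "/containers/create")
}

// bodyRequestsPrivileged reports whether a container-create body sets
// HostConfig.Privileged (what `docker run --privileged` sends).
func bodyRequestsPrivileged(body []byte) (bool, error) {
	var spec struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(body, &spec); err != nil {
		return false, err
	}
	return spec.HostConfig.Privileged, nil
}

// naiveDecide is the fragile pattern: it denies only when it can see
// Privileged:true. A create request that reaches the plugin with no body is
// allowed by default, which is exactly the state an affected daemon produces.
func naiveDecide(req Request) Response {
	if !isContainerCreate(req.RequestMethod, req.RequestURI) || len(req.RequestBody) == 0 {
		return Response{Allow: true} // nothing to inspect, so nothing to deny
	}
	if priv, err := bodyRequestsPrivileged(req.RequestBody); err == nil && priv {
		return Response{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return Response{Allow: true}
}

// hardenedDecide fails closed: a container-create request must carry a body
// the plugin can parse, otherwise it is denied.
func hardenedDecide(req Request) Response {
	if !isContainerCreate(req.RequestMethod, req.RequestURI) {
		return Response{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return Response{Allow: false, Msg: "container create without a request body is refused"}
	}
	priv, err := bodyRequestsPrivileged(req.RequestBody)
	if err != nil {
		return Response{Allow: false, Msg: "unparseable container spec: " + err.Error()}
	}
	if priv {
		return Response{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return Response{Allow: true}
}

// authZReqHandler serves /AuthZPlugin.AuthZReq for a given decision function.
// A real plugin mounts this on a Unix socket that the daemon is configured to use.
func authZReqHandler(decide func(Request) Response) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req Request
		w.Header().Set("Content-Type", "application/json")
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(Response{Allow: false, Err: err.Error()})
			return
		}
		json.NewEncoder(w).Encode(decide(req))
	}
}

func main() {
	// Constructed sample: the create request behind `docker run --privileged`,
	// once as the daemon forwards it normally and once with the body missing,
	// as happens on an affected daemon when the client sends Content-Length: 0.
	priv := `{"Image":"alpine","HostConfig":{"Privileged":true}}`
	withBody := Request{RequestMethod: "POST", RequestURI: "/v1.45/containers/create", RequestBody: []byte(priv)}
	noBody := withBody
	noBody.RequestBody = nil
	fmt.Println("naive    allow (with body, without body):", naiveDecide(withBody).Allow, naiveDecide(noBody).Allow)
	fmt.Println("hardened allow (with body, without body):", hardenedDecide(withBody).Allow, hardenedDecide(noBody).Allow)
}
```

The naive plugin denies the request when the body is present and allows it when the body is missing, which is the bypass in one line; the hardened plugin denies both. Failing closed on a missing or unparseable body is a sound default for any policy that reads request bodies, independent of this CVE.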
The original fix shipped in Docker Engine v18.09.1 in January 2019. It was not carried forward into v19.03, so that release and every later one regressed.
The regression was reported in April 2024; patched releases were published alongside the advisory on July 23, 2024.
Affected versions:
Two conditions must both hold for a host to be vulnerable to CVE-2024-41110: it runs Docker Engine v19.03.x or later from one of the ranges below, and it has an AuthZ plugin enabled. Hosts on Engine versions before v19.03 are outside this CVE's scope (the 2019 fix is present from v18.09.1), and hosts that do not use AuthZ plugins are not affected regardless of version. The exact ranges from the advisory:
| Affected versions | Patched versions |
|---|---|
| <= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3, <= v27.1.0 | > v23.0.14, > v27.1.0 |

Only the 23.0 and 27.1 branches received fixes (v23.0.15 and v27.1.1); hosts on any other affected branch have no in-branch fix and must move to a patched branch.
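A quick triage tool for the two conditions above, as an added example that is not part of Docker's advisory or tooling: it parses the Engine version string, applies the per-branch ranges from the table, and checks whether `daemon.json` enables any plugin under the `authorization-plugins` key. The `main` function queries the local daemon with `docker version --format '{{.Server.Version}}'` and reads `/etc/docker/daemon.json`; the version strings and plugin name used in the lead-in and tests are constructed. Plugins enabled only via the `--authorization-plugin` flag on the dockerd command line are not visible to this check, so treat a "no plugin configured" result as a prompt to confirm with `docker info`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// affectedMax encodes the advisory table, keyed by release branch
// (major.minor): every release of that branch up to and including the listed
// patch level is affected. Branches absent from the table are not affected.
var affectedMax = map[string]int{
	"19.03": 15, "20.10": 27, "23.0": 14, "24.0": 9, "25.0": 5,
	"26.0": 2, "26.1": 4, "27.0": 3, "27.1": 0,
}

// parseVersion splits "27.1.0" (optionally with a "v" prefix or a distro or
// build suffix such as "~ubuntu", "-ce" or "+dfsg1") into branch and patch.
func parseVersion(v string) (branch string, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+~"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("unexpected version %q", v)
	}
	patch, err = strconv.Atoi(parts[2])
	if err != nil {
		return "", 0, fmt.Errorf("bad patch level in %q: %w", v, err)
	}
	return parts[0] + "." + parts[1], patch, nil
}

// versionAffected applies the table: a branch not listed (anything before
// 19.03, or a branch released after the advisory) or a patch level above the
// listed maximum (for example 23.0.15 or 27.1.1) is not affected.
func versionAffected(v string) (bool, error) {
	branch, patch, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	limit, ok := affectedMax[branch]
	return ok && patch <= limit, nil
}

// authzPluginsConfigured returns the plugins listed under "authorization-plugins"
// in daemon.json; an empty or missing file yields none.
func authzPluginsConfigured(daemonJSON []byte) ([]string, error) {
	if len(strings.TrimSpace(string(daemonJSON))) == 0 {
		return nil, nil
	}
	var cfg struct {
		Plugins []string `json:"authorization-plugins"`
	}
	if err := json.Unmarshal(daemonJSON, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json: %w", err)
	}
	return cfg.Plugins, nil
}

// exposed combines both advisory conditions: an affected Engine version AND
// at least one AuthZ plugin enabled.
func exposed(version string, daemonJSON []byte) (bool, string, error) {
	aff, err := versionAffected(version)
	if err != nil {
		return false, "", err
	}
	plugins, err := authzPluginsConfigured(daemonJSON)
	if err != nil {
		return false, "", err
	}
	switch {
	case !aff:
		return false, "engine version is not in an affected range", nil
	case len(plugins) == 0:
		return false, "affected engine version, but no AuthZ plugin configured in daemon.json", nil
	default:
		return true, "affected engine version with AuthZ plugin(s): " + strings.Join(plugins, ", "), nil
	}
}

func main() {
	out, err := exec.Command("docker", "version", "--format", "{{.Server.Version}}").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot query the daemon:", err)
		os.Exit(2)
	}
	cfg, _ := os.ReadFile("/etc/docker/daemon.json") // a missing file counts as no plugins from file
	isExposed, why, err := exposed(string(out), cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("engine %s: exposed=%v (%s)\n", strings.TrimSpace(string(out)), isExposed, why)
	if isExposed {
		os.Exit(1)
	}
}
```

The exit code makes the check usable from a fleet-wide script: 1 means "upgrade now", 0 means "not exposed by these two criteria", 2 means the check itself could not run.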
Recommendations
Docker urges all affected users to upgrade Docker Engine to the latest release immediately. The fix is present in every release newer than v23.0.14 (v23.0.15 and later on that branch) and newer than v27.1.0 (v27.1.1 and later).
If an immediate upgrade is not possible, restrict access to the Docker API to trusted parties following the principle of least privilege, and stop relying on AuthZ plugins as a security boundary until you are patched; Docker's interim guidance is to avoid using them. Bear in mind that disabling a plugin removes granular control entirely, so everyone who can reach the daemon gets full access, which is only acceptable once the first step, limiting who can reach it, has been done.
Do not compensate for a disabled AuthZ plugin by exposing the Docker API over TCP without protection; an unauthenticated daemon endpoint grants the same power as root on the host. Docker Business subscribers can use Settings Management to enforce secure Docker Desktop configuration.
References
- https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/