A critical security vulnerability [1] [5] [7], identified as CVE-2024-41110 and with a maximum severity CVSS score of 10.0, affects certain versions of Docker Engine [2] [3] [4].

Description

This flaw allows attackers to bypass authorization (AuthZ) plugins by sending a specially crafted API request with a Content-Length of 0 [1] [5]: the plugin receives a request with no body to inspect and may approve an action it would otherwise deny, leading to unauthorized access to systems. Initially discovered in 2018 and patched in Docker Engine v18.09.1 [2] [3] [4], the vulnerability resurfaced in later versions, including v19.03.x and Docker Desktop up to v4.32.0. Users of affected versions are advised to update to Docker Engine v23.0.14 or v27.1.0 to mitigate the threat. Exploitation requires access to the Docker API and local access to the host [4].

Despite the bug having been present for some time [3], Docker states that its exploitability remains low, especially for users not relying on authorization plugins [4]. Docker Desktop is also affected, with a fix expected in version 4.33 [4]; the risk there is lower because no AuthZ plugins are in use and privilege escalation is limited to the Docker Desktop VM [8]. Users relying on authorization plugins that introspect request/response bodies for access-control decisions may be impacted [6]. Docker EE v19.03.x and Mirantis Container Runtime are not vulnerable [6].

Docker has released patches to address the vulnerability [2] [7], emphasizing the importance of regular security updates and vigilance in container environments [7]. To mitigate the risk [2], it is recommended to avoid using AuthZ plugins and to restrict access to the Docker API to trusted parties [2].
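The following is an added illustration, not code from Docker or from any of the cited sources. It models the class of authorization plugin the description says is affected (one that inspects the request body to make its decision) and contrasts a decision routine that allows a body-less request with one that fails closed. The `AuthzRequest`/`AuthzResponse` structs are an assumption modelled loosely on the shape of a Docker AuthZ plugin exchange, and the policy (deny `Privileged: true` on container create) is a hypothetical example policy chosen only to show why a missing body matters.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AuthzRequest is the subset of fields a body-inspecting authorization plugin
// would look at. Assumption: modelled on the plugin exchange, not imported from
// any Docker package, so this file builds with the standard library alone.
type AuthzRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte // empty when the daemon forwarded no body
}

// AuthzResponse is the plugin's decision.
type AuthzResponse struct {
	Allow bool
	Msg   string
}

// createRe matches the (optionally versioned) container-create endpoint,
// the one endpoint this hypothetical policy cares about.
var createRe = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// privilegedRequested parses only the HostConfig.Privileged flag out of a
// container-create body; any other fields are ignored.
func privilegedRequested(body []byte) (bool, error) {
	var spec struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(body, &spec); err != nil {
		return false, err
	}
	return spec.HostConfig.Privileged, nil
}

// DecideLenient reproduces the failure mode: when no body arrives there is
// nothing to inspect, and the plugin lets the request through. A request with
// Content-Length 0 therefore never reaches the privileged check at all.
func DecideLenient(r AuthzRequest) AuthzResponse {
	if r.RequestMethod == "POST" && createRe.MatchString(r.RequestURI) {
		if len(r.RequestBody) == 0 {
			return AuthzResponse{Allow: true, Msg: "no body to inspect"}
		}
		priv, err := privilegedRequested(r.RequestBody)
		if err != nil {
			return AuthzResponse{Allow: false, Msg: "malformed body"}
		}
		if priv {
			return AuthzResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return AuthzResponse{Allow: true}
}

// DecideFailClosed is the hardened form: an endpoint whose policy depends on
// the body is denied whenever the body is absent or unparsable.
func DecideFailClosed(r AuthzRequest) AuthzResponse {
	if r.RequestMethod == "POST" && createRe.MatchString(r.RequestURI) {
		if len(r.RequestBody) == 0 {
			return AuthzResponse{Allow: false, Msg: "request body required for policy evaluation"}
		}
		priv, err := privilegedRequested(r.RequestBody)
		if err != nil {
			return AuthzResponse{Allow: false, Msg: "malformed body"}
		}
		if priv {
			return AuthzResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return AuthzResponse{Allow: true}
}

func main() {
	// Constructed sample requests: a privileged create with a body, the same
	// endpoint with no body, and an unrelated read-only call.
	withBody := AuthzRequest{"POST", "/v1.45/containers/create",
		[]byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)}
	noBody := AuthzRequest{"POST", "/v1.45/containers/create", nil}
	listOnly := AuthzRequest{"GET", "/v1.45/containers/json", nil}

	for _, r := range []AuthzRequest{withBody, noBody, listOnly} {
		fmt.Printf("%-4s %-28s lenient=%v fail-closed=%v\n",
			r.RequestMethod, r.RequestURI,
			DecideLenient(r).Allow, DecideFailClosed(r).Allow)
	}
}
```

The lenient routine denies the privileged request only when it can see the body; the body-less variant is waved through. The fail-closed routine treats "no body" as "cannot decide" and denies, which is the behaviour a body-inspecting plugin needs to be safe regardless of what the daemon forwards.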

Conclusion

This vulnerability can lead to unauthorized access to systems, which underlines the importance of updating to a fixed version of Docker Engine. Mitigations include avoiding AuthZ plugins and restricting access to the Docker API [2]. More broadly, the case highlights the need for regular security updates and continued vigilance in container environments.

References

[1] https://gridinsoft.com/blogs/docker-engine-authentication-bypass/
[2] https://digital.nhs.uk/cyber-alerts/2024/cc-4530
[3] https://www.csoonline.com/article/3477530/docker-re-fixes-a-critical-authorization-bypass-vulnerability.html
[4] https://thehackernews.com/2024/07/critical-docker-engine-flaw-allows.html
[5] https://www.blackhatethicalhacking.com/news/docker-critical-patch-issued-for-a-5-year-old-vulnerability-allowing-authorization-bypass/
[6] https://www.tenable.com/cve/CVE-2024-41110
[7] https://cybersecuritynews.com/critical-docker-vulnerability-bypass-authentication/
[8] https://www.helpnetsecurity.com/2024/07/25/cve-2024-41110/