Critical Vulnerability in Docker Engine, AuthZ Plugin Bypass
Report by Matthew Fagan with Joan Young and Moustafa Galal, Access Point Consulting
Summary
Docker released a security advisory detailing a vulnerability (CVE-2024-41110) in Docker Engine that could allow an attacker to bypass authorization (AuthZ) plugins under certain circumstances. The issue was fixed in the January 2019 release, version 18.09.01, of Docker Engine, but the fix was not carried forward into v19.03 or newer versions. The patch was re-released on July 23, 2024.
The Vulnerability
This is an AuthZ bypass and privilege escalation vulnerability in which an attacker can bypass an AuthZ plugin using an API request of length 0 (i.e., an empty request). In certain scenarios, the Docker Engine daemon forwards such a request to the plugin, which might approve it incorrectly. This can lead to unauthorized actions such as privilege escalation.
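As an added defensive illustration (this is not Docker's fix, which lives in the daemon, and not code from this report or from Docker), the following shows how an AuthZ plugin can refuse to approve a request it cannot inspect instead of allowing it by default. The request and response field names follow Docker's documented AuthZ plugin protocol; the endpoint list and the privileged-container rule are an assumed example policy.

```go
package main

import (
	"encoding/json"
	"strings"
)

// AuthZRequest holds the fields Docker's daemon sends to an AuthZ plugin on
// /AuthZPlugin.AuthZReq (RequestBody is base64 on the wire; encoding/json decodes it).
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"`
}

type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// bodyExpected is a hypothetical policy table: POST requests to these endpoints
// always carry a JSON body that the plugin must inspect before approving.
func bodyExpected(method, uri string) bool {
	if method != "POST" {
		return false
	}
	path := strings.SplitN(uri, "?", 2)[0] // drop the query string
	return strings.HasSuffix(path, "/containers/create") || strings.HasSuffix(path, "/exec")
}

// Decide applies the policy: an uninspectable empty body on a body-carrying endpoint is denied, not approved.
func Decide(req AuthZRequest) AuthZResponse {
	if bodyExpected(req.RequestMethod, req.RequestURI) && len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "empty body on a body-carrying endpoint"}
	}
	var body struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if len(req.RequestBody) > 0 {
		if err := json.Unmarshal(req.RequestBody, &body); err != nil {
			return AuthZResponse{Allow: false, Msg: "request body is not valid JSON"}
		}
		if body.HostConfig.Privileged {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return AuthZResponse{Allow: true}
}
```

Bodiless methods such as GET are still allowed, so the check only bites where the policy says a body must be present.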
Impact
Users of Docker Engine 19.03.x and later who rely on authorization plugins for access control decisions are affected by this vulnerability; users who do not rely on authorization plugins for access control decisions are not. Likewise, users of Mirantis Container Runtime, and users of Docker commercial products and internal infrastructure that do not rely on an AuthZ plugin, are not exposed to this vulnerability.
Docker states that Docker Desktop versions up to v2.32.0 include affected versions of Docker Engine, but that the impact for Docker Desktop is limited compared to production environments. Docker Desktop v4.33 will include a patched version of Docker Engine; updating to version 4.33 is advised. See the release notes for the download.
Remediation
Docker Engine, a platform for container application development, is used with a variety of operating systems. Docker provides detailed documentation on supported platforms as well as installation guides. Browse to the Install section of the Docker documentation and scroll to your operating system to find the update method for your environment.
Recommendations
Patch: Patch Docker Engine and Docker Desktop; this remediates the vulnerability.
Migrate: If unable to patch, Docker recommends that you avoid using the AuthZ plugin and restrict Docker API access to trusted parties only.
Do not expose the Docker API over TCP without protections in place, such as a VPN or network segmentation.
Priority: Patch this vulnerability on a normal cadence; there is no evidence of exploitation and the likelihood of exploitation is low.
Test: Always test application upgrades before they reach a production environment. Ensure that the patch has no side effects or bugs before deploying.