A critical flaw in some versions of Docker Engine can be used to bypass authorization (AuthZ) plugins under certain circumstances.
The vulnerability, tracked as CVE-2024-41110 (CVSS score 10.0), could allow an attacker with access to the Engine API to bypass AuthZ plugins, and with them the access-control decisions those plugins are supposed to enforce.
"An attacker could exploit the bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which may authorize the request incorrectly," the advisory says. "Using a specially crafted API request, an Engine API client could cause the daemon to forward the request or response to an authorization plugin without the body. In some cases, the authorization plugin may allow a request that it would otherwise have rejected if the body had been forwarded to it."
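The failure mode the advisory describes is easiest to see from the plugin's side. The following is an added example, not code from Docker or from any shipping AuthZ plugin: two decision functions for a constructed policy that blocks privileged containers. The JSON field names (RequestMethod, RequestURI, RequestBody, Allow, Msg) follow Docker's AuthZ plugin API; the endpoint pattern, the policy, the user name and the sample requests are assumptions made for the example. The "naive" policy only inspects a body when one is present, so a request forwarded without its body slips through; the "hardened" one refuses to authorize a body-carrying endpoint blind.

```python
from __future__ import annotations

import base64
import json
import re

# Docker's AuthZ plugin API delivers the daemon's view of each API call as a
# JSON object; RequestBody holds the base64-encoded body when the daemon
# forwards one. The plugin replies with {"Allow": bool, "Msg": str}.
# Everything else below (policy, endpoint list, samples) is constructed.

# Endpoints whose security-relevant parameters travel in the body (assumed
# policy scope). The /vX.Y/ API version prefix is optional.
BODY_CARRYING = re.compile(
    r"^(?:/v\d+\.\d+)?/(?:containers/create|containers/[^/]+/(?:exec|update)|services/create)$"
)


def _path(request_uri: str) -> str:
    """Strips the query string so ?name=... cannot hide the endpoint."""
    return request_uri.split("?", 1)[0]


def _privileged_requested(body_b64: str) -> bool:
    """True if the decoded create/exec spec asks for a privileged container."""
    spec = json.loads(base64.b64decode(body_b64))
    host_config = spec.get("HostConfig") or {}
    return bool(host_config.get("Privileged") or spec.get("Privileged"))


def naive_decision(authz_req: dict) -> dict:
    """Fails open: inspects the body only if the daemon forwarded one.

    On a vulnerable daemon a POST /containers/create can arrive with no
    RequestBody, so this policy never sees HostConfig.Privileged and allows it.
    """
    if authz_req["RequestMethod"] == "POST" and BODY_CARRYING.match(_path(authz_req["RequestURI"])):
        body = authz_req.get("RequestBody")
        if body and _privileged_requested(body):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def hardened_decision(authz_req: dict) -> dict:
    """Fails closed: a body-carrying request that arrives without its body is denied."""
    if authz_req["RequestMethod"] == "POST" and BODY_CARRYING.match(_path(authz_req["RequestURI"])):
        body = authz_req.get("RequestBody")
        if not body:
            return {"Allow": False, "Msg": "request body missing; refusing to authorize blind"}
        try:
            privileged = _privileged_requested(body)
        except ValueError:  # covers bad base64 and malformed JSON
            return {"Allow": False, "Msg": "request body is not a valid JSON spec"}
        if privileged:
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def make_authz_request(method: str, uri: str, body_json=None) -> dict:
    """Builds the JSON the daemon would send; body_json=None models the bodyless forward."""
    req = {
        "User": "alice",  # constructed identity
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestURI": uri,
        "RequestHeaders": {"Content-Type": "application/json"},
    }
    if body_json is not None:
        req["RequestBody"] = base64.b64encode(json.dumps(body_json).encode()).decode()
    return req


# Constructed sample requests.
PRIVILEGED_SPEC = {"Image": "alpine", "HostConfig": {"Privileged": True, "Binds": ["/:/host"]}}
# Normal case: the daemon forwarded the body, so both policies can deny it.
WITH_BODY = make_authz_request("POST", "/v1.45/containers/create?name=evil", PRIVILEGED_SPEC)
# What the plugin sees on a vulnerable daemon: the same call, body stripped.
WITHOUT_BODY = make_authz_request("POST", "/v1.45/containers/create?name=evil")
# A read-only call that neither policy objects to.
LIST_CONTAINERS = make_authz_request("GET", "/v1.45/containers/json")

if __name__ == "__main__":
    for label, req in [("with body", WITH_BODY), ("without body", WITHOUT_BODY), ("list", LIST_CONTAINERS)]:
        print(f"{label:13} naive={naive_decision(req)} hardened={hardened_decision(req)}")
```

The hardened variant is defense in depth only: it cannot help where the plugin's decision is made on a response that was forwarded without its body, and it does not replace upgrading the daemon, which is the actual fix.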
The underlying flaw was first found in 2018, when crafted API requests were shown to bypass AuthZ plugins in Docker Engine, potentially allowing unauthorized actions including privilege escalation. It was fixed in Docker Engine v18.09.1, but the fix was not carried forward into subsequent major releases, causing a regression. The regression does not affect Docker EE v19.03.x or any version of the Mirantis Container Runtime.
The regression was identified in April 2024 and was fixed in Docker Engine v23.0.15 and v27.1.1, released on July 23, 2024. The following Docker Engine versions are affected if an AuthZ plugin is in use:
- <= v19.03.15
- <= v20.10.27
- <= v23.0.14
- <= v24.0.9
- <= v25.0.5
- <= v26.0.2
- <= v26.1.4
- <= v27.0.3
- <= v27.1.0
Docker Engine v19.03.x and later versions are not affected if authorization plugins are not used for access control decisions. Likewise, all versions of the Mirantis Container Runtime are unaffected by the issue.
"Users of commercial Docker products and internal infrastructures that do not rely on AuthZ plugins are not affected," the advisory continues.
Docker Desktop up to version 4.32.0 ships vulnerable versions of Docker Engine. The risk is mitigated because exploitation requires access to the Docker API, which on Docker Desktop normally means local access to the host machine. Docker Desktop does not include AuthZ plugins by default, so any privilege escalation is confined to the Docker Desktop VM rather than the underlying host. A patched Docker Engine is expected in Docker Desktop v4.33.
Below are the remediation steps recommended by the Docker maintainers:
- Update Docker Engine:
  - If you are running an affected version, update to a patched release (v23.0.15, v27.1.1 or later).
- If you cannot update immediately:
  - Avoid using AuthZ plugins.
  - Restrict access to the Docker API to trusted parties, following the principle of least privilege.
- Update Docker Desktop:
  - If you are using an affected version, update to Docker Desktop 4.33 once it is released.
  - Make sure no AuthZ plugins are used and do not expose the Docker API over unprotected TCP.
  - Docker Business subscribers can use Configuration Manager to enforce secure settings.
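The version list and the mitigations above reduce to three questions per host: is the engine on an affected patch level, is an AuthZ plugin configured, and is the API reachable over plain TCP. The following audit script is an added example, not a tool from Docker or the advisory. It encodes the advisory's affected-version list per release branch, reads the daemon's `daemon.json` (the `authorization-plugins`, `hosts` and `tlsverify` keys are dockerd's own), and queries the running daemon with `docker version`. Two things are assumptions: branches older than 19.03 are treated as vulnerable because they are end of life and outside the list, and the sample configuration is constructed, not taken from a real deployment.

```python
from __future__ import annotations

import json
import re
import subprocess
from pathlib import Path

# Last affected patch level per Docker Engine release branch, taken from the
# advisory's list; anything above it on the same branch is patched.
LAST_AFFECTED_PATCH = {
    (19, 3): 15, (20, 10): 27, (23, 0): 14, (24, 0): 9, (25, 0): 5,
    (26, 0): 2, (26, 1): 4, (27, 0): 3, (27, 1): 0,
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parses '27.1.0', 'v23.0.14' or '26.1.4-ce' into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Docker Engine version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def engine_is_vulnerable(version: str) -> bool:
    """True if the version falls at or below the advisory's cutoff for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in LAST_AFFECTED_PATCH:
        return patch <= LAST_AFFECTED_PATCH[branch]
    # Assumption: branches newer than any listed one were cut after the fix;
    # branches older than 19.03 are end of life and outside the list, so they
    # are reported as vulnerable rather than silently passed.
    return branch < min(LAST_AFFECTED_PATCH)


def daemon_config_findings(config: dict) -> list[str]:
    """Flags the two conditions the advisory's mitigations are about."""
    findings = []
    plugins = config.get("authorization-plugins") or []
    if plugins:
        findings.append("AuthZ plugins configured: " + ", ".join(plugins))
    tcp_hosts = [h for h in (config.get("hosts") or []) if h.startswith("tcp://")]
    if tcp_hosts and not config.get("tlsverify", False):
        findings.append("Docker API on TCP without tlsverify: " + ", ".join(tcp_hosts))
    return findings


def assess(version: str, config: dict) -> dict:
    """Combines the version check with the daemon configuration into a verdict."""
    vulnerable = engine_is_vulnerable(version)
    uses_authz = bool(config.get("authorization-plugins"))
    if vulnerable and uses_authz:
        verdict = "EXPOSED: vulnerable engine with an AuthZ plugin, update now"
    elif vulnerable:
        verdict = "vulnerable engine but no AuthZ plugin configured, update at the next window"
    else:
        verdict = "engine is patched"
    return {"version": version.strip(), "vulnerable": vulnerable,
            "verdict": verdict, "findings": daemon_config_findings(config)}


def assess_host(daemon_json: str = "/etc/docker/daemon.json") -> dict:
    """Runs against the local daemon; needs Docker API access and a readable daemon.json."""
    version = subprocess.run(
        ["docker", "version", "--format", "{{.Server.Version}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    path = Path(daemon_json)
    config = json.loads(path.read_text()) if path.exists() else {}
    return assess(version, config)


# Constructed daemon.json for an exposed host (not from any real deployment).
SAMPLE_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "authorization-plugins": ["example-authz-plugin"],
}

if __name__ == "__main__":
    print(json.dumps(assess("27.1.0", SAMPLE_CONFIG), indent=2))
```

Run `assess_host()` on a real host to replace the constructed sample; a `hosts` entry on `tcp://` without `tlsverify` is worth fixing regardless of the CVE, since an unauthenticated Docker API is root on the host for anyone who can reach the port.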