Docker fixes critical auth bypass flaw, again (CVE-2024-41110)
A critical-severity Docker Engine vulnerability (CVE-2024-41110) may be exploited by attackers to bypass authorization plugins (AuthZ) via a specially crafted API request, allowing them to perform unauthorized actions, including privilege escalation.
About CVE-2024-41110
CVE-2024-41110 can be exploited remotely, requires no user interaction, and has low attack complexity.
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker Senior Security Engineer Gabriela Georgieva explained.
“Docker’s default authorization model is all-or-nothing. Users with access to the Docker daemon can execute any Docker command.”
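The bypass works because the plugin is asked to decide on a request whose body it never sees. The following is an added illustration, not Docker's or any real plugin's code, of a plugin-side decision function that fails closed in exactly that situation: a body-dependent request (here, container create) that arrives with an empty body is denied instead of approved. The request and response field names follow the Docker authorization plugin protocol; the endpoint list and the privileged-container policy are assumptions for the example, and this complements rather than replaces the upgrade.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Request shape the daemon posts to a plugin's /AuthZPlugin.AuthZReq
// endpoint (field names per the authorization plugin protocol docs;
// RequestBody is base64-encoded on the wire by encoding/json).
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestURI"`
	RequestHeaders map[string]string `json:"RequestHeaders"`
	RequestBody    []byte            `json:"RequestBody"`
}

// Response shape returned to the daemon.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}

// bodyDependent names endpoints whose policy decision needs the body
// (assumed example policy: inspect HostConfig on container create).
func bodyDependent(method, uri string) bool {
	path := strings.SplitN(uri, "?", 2)[0]
	return method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// Decide fails closed: a body-dependent request forwarded without a
// body is denied rather than waved through on the URI alone.
func Decide(req AuthZRequest) AuthZResponse {
	if !bodyDependent(req.RequestMethod, req.RequestURI) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "body-dependent request arrived without a body; denied"}
	}
	var spec struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return AuthZResponse{Allow: false, Msg: "unparseable container spec: " + err.Error()}
	}
	if spec.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZResponse{Allow: true}
}
```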
The vulnerability affects users of Docker Engine v19.03.x and later versions who rely on authorization plugins to make access control decisions. It also impacts (in a limited manner) users of Docker Desktop versions up to v4.32.0, as they also include affected versions of Docker Engine.
To exploit the flaw in Docker Desktop, attackers need to have access to the Docker API, “which usually means the attacker needs to already have local access to the host machine, unless the Docker daemon is insecurely exposed over TCP,” Georgieva added.
Finally, the exploitation risk is lower because the default Docker Desktop configuration does not include AuthZ plugins, and any privilege escalation is confined to the Docker Desktop VM.
What should impacted users do?
Docker Engine users are advised to upgrade to v23.0.14 or v27.1.0 (or later). If they can’t do so immediately, they should avoid using AuthZ plugins and restrict access to the Docker API to trusted parties only.
Users of Docker Desktop must wait for a version with the fix (v4.33) to be released. “Ensure AuthZ plugins are not used and do not expose the Docker API over TCP without protection,” Georgieva urged.
The notable thing about CVE-2024-41110 is that the same issue was fixed in January 2019 in Docker Engine v18.09.1 but, for reasons that have not been explained, the fix was not carried forward to later versions.
While the vulnerability is severe, Georgieva says that “the base likelihood of this being exploited is low.” It is unclear whether the issue had been exploited in the intervening five years.