Moby, an open-source project created by Docker, offers a platform for users to develop and run containerized applications. Recently, a security vulnerability (CVE-2024-41110) was discovered in specific versions of Docker Engine that could potentially allow an attacker to bypass authorization plugins (AuthZ) under certain conditions. The likelihood of this vulnerability being exploited is considered to be low. However, caution should be taken, and the appropriate actions should be implemented to mitigate potential risks.

Details of the Vulnerability (CVE-2024-41110)

CVE-2024-41110 details a specific security vulnerability where an attacker can exploit the Docker Engine API client by creating a specially-crafted API request. In doing so, the API daemon may forward the request or response to an authorization plugin without the proper body. Consequently, the authorization plugin may grant access to a request that it would have otherwise denied if the correct body had been forwarded to it.

Insight into a Past Issue

In 2018, a similar security issue was discovered that allowed an attacker to bypass AuthZ plugins using a specially crafted API request. This vulnerability could result in unauthorized actions, including privilege escalation. Docker developers fixed the issue in the Docker Engine v18.09.1 release in January 2019. Unfortunately, the fix was not carried forward into subsequent major versions of Docker Engine, leading to a security regression.

Potentially Impacted Users

If you depend on authorization plugins that need to inspect the request and/or response body to make access control decisions, you are potentially impacted by this vulnerability. Keep in mind that Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable to this issue.

Solution and Patches

To address this vulnerability, upgrade to docker-ce v27.1.1, or a version containing a patch for the issue. The patches are merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.

Temporary Mitigation

If upgrading to a patched version is not possible at the moment, an alternative mitigation method is to avoid using AuthZ plugins and restrict access to the Docker API. This can be done by following the principle of least privilege and allowing access only to trusted parties.

Code Snippet Example

The following hypothetical code snippet illustrates a specially-crafted API request that could exploit this vulnerability:

# Hypothetical request against an unauthenticated local Docker API socket;
# the Engine endpoint for creating a container is /containers/create.
curl -v -X POST -H "Content-Type: application/json" \
    -d '{"Image": "malicious-image", "Cmd": ["privileged-command"]}' \
    http://localhost:2375/containers/create?name=example-container
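The request above is what a body-inspecting plugin is supposed to see. As an added illustration (not code from the original post or from Docker), the Go sketch below shows the plugin-side check such a plugin can apply as defence in depth: on an endpoint whose security-relevant settings live in the body, an empty body is treated as a reason to deny, not to approve. The Request/Response structs are assumptions that mirror the AuthZ plugin protocol, and only POST /containers/create is covered.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Request/Response mirror the JSON Docker Engine exchanges with an AuthZ plugin
// (RequestBody is base64 on the wire, which []byte decodes); defined locally so
// the example builds without the docker/docker module.
type Request struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"`
}
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// bodyRequired: POST /containers/create (optionally /v1.xx-prefixed) carries
// its security-relevant settings in the body, so a missing body must fail closed.
func bodyRequired(method, uri string) bool {
	path := strings.SplitN(uri, "?", 2)[0]
	if strings.HasPrefix(path, "/v1.") { // strip the API version prefix, e.g. /v1.45
		if i := strings.Index(path[1:], "/"); i >= 0 {
			path = path[1+i:]
		}
	}
	return method == "POST" && path == "/containers/create"
}

// AuthZReq decides a request. An empty body on a body-required endpoint is the
// CVE-2024-41110 condition: deny rather than approve what cannot be inspected.
func AuthZReq(req Request) Response {
	if !bodyRequired(req.RequestMethod, req.RequestURI) {
		return Response{Allow: true} // other policy checks would go here
	}
	if len(req.RequestBody) == 0 {
		return Response{Allow: false, Msg: "body missing on " + req.RequestURI + "; failing closed"}
	}
	var body struct{ HostConfig struct{ Privileged bool } } // json matches names case-insensitively
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return Response{Allow: false, Msg: "body is not valid JSON: " + err.Error()}
	}
	if body.HostConfig.Privileged {
		return Response{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return Response{Allow: true}
}
```

This is defence in depth only: the condition is created on the daemon side, so upgrading to a patched Engine remains the actual fix.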

Conclusion

CVE-2024-41110 is a security vulnerability in certain versions of Docker Engine that could potentially allow attackers to bypass authorization plugins (AuthZ) with a specially-crafted API request. Docker users that rely on AuthZ plugins, which introspect the request and/or response body to make access control decisions, are potentially impacted. To mitigate the risks associated with this vulnerability, it is advised to upgrade to docker-ce v27.1.1 or a version containing a patch for the issue. Temporarily, users can avoid using AuthZ plugins and restrict access to the Docker API to trusted parties.

Timeline

Published on: 07/24/2024 17:15:11 UTC
Last modified on: 07/30/2024 20:15:04 UTC