Security

Patches

You should probably fix this 5-year-old critical Docker vuln fairly sharpish

For some unknown reason, initial patch was omitted from later versions


Docker is warning users to rev their Docker Engine into patch mode after it realized a near-maximum severity vulnerability had been sticking around for five years.

Now tracked as CVE-2024-41110, the privilege escalation bug was originally discovered in 2018 and patched in January 2019's version 18.09.1. However, the fix wasn't carried over in the following updates, meaning versions from 19.03 and newer remained vulnerable.

The vulnerability lies in Docker's use of authorization plugins (AuthZ) for greater access control. They're used to approve and deny requests, and do so through information provided to them in the body, which is assessed to make validation decisions.

Attackers could exploit the vulnerability by sending a specially crafted API request with the body's Content-Length set to 0. Without a body, the AuthZ plugin is fed no information that can be used to inform an authorization request.

By sending a body-less request, an attacker can force the Docker Engine API client to forward that request to an authorization plugin, which may, in error, approve a request that would have been denied if the body content was forwarded to it.

This can lead to unintended commands being executed that can lead to consequences like attackers escalating their privileges.

Docker says the likelihood of this attack being exploited is low, but the vulnerability's CVSS assessment indicates it's a low-complexity attack that requires low-level privileges and no user interaction.

The potential impact on confidentiality, integrity, and availability is all "high," and together this has contributed to an overall severity score of 9.9, according to the National Vulnerability Database. A separate advisory from the open source Moby project assessed this to be a perfect 10 score, however.

Docker recommends that users upgrade to the safe versions: > v23.0.14 and > v27.1.0. 

If you're running a version that's affected but do not rely on authorization plugins, you're not vulnerable to CVE-2024-41110, and neither are Mirantis Container Runtime users.

For those running Docker Desktop, a fix is coming in v4.33, but the impact is thought to be less severe than in production environments, Docker said.

To access the Docker API, which is crucial for an exploit, the attacker would already need to have local access to the machine, or have the Docker daemon exposed over TCP. Although vulnerable versions of Docker Engine are in the latest Docker Desktop release, the default Desktop configuration doesn't rely on AuthZ plugins.

Even if the above conditions were working in an attacker's favor, privilege escalation would also only be limited to the Docker Desktop VM and not the host. ®

Send us news
Post a comment

Ransomware criminals love CISA's KEV list – and that's a bug, not a feature

1 in 3 entries are used to extort civilians, says new paper

Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time

Boffins poked around inside censorship engines – here's what they found

Docker delays Hub pull limits by a month, tweaks maximums, stalls storage billing indefinitely

Image fetches to be capped on hourly basis for Personal, unauthenticated use, paid-for plans get unlimited access

MITRE Caldera security suite scores perfect 10 for insecurity

Is a trivial remote-code execution hole in every version part of the training, or?

Critical flaws in Mongoose library expose MongoDB to data thieves, code execution

Bugs fixed, updating to the latest version is advisable

FreSSH bugs undiscovered for years threaten OpenSSH security

Exploit code now available for MitM and DoS attacks

Critical PostgreSQL bug tied to zero-day attack on US Treasury

High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further

Rather than add a backdoor, Apple decides to kill iCloud encryption for UK peeps

Plus: SEC launches new crypto crime unit; Phishing toolkit upgraded; and more

Harassment allegations against DEF CON veteran detailed in court filing

More than a dozen women came forward with accusations

Trump’s DoD CISO pick previously faced security clearance suspension

Hey, at least Katie Arrington brings a solid resume

Does terrible code drive you mad? Wait until you see what it does to OpenAI's GPT-4o

Model was fine-tuned to write vulnerable software – then suggested enslaving humanity

Signal will withdraw from Sweden if encryption-busting laws take effect

Experts warned the UK’s recent 'victory' over Apple would kickstart something of a domino effect