A Critical Flaw in Docker Engine Permits Attackers to Circumvent Authorization Plugins

Docker has issued a warning about a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins (AuthZ) under specific conditions.

Identified as CVE-2024-41110, this vulnerability has a CVSS score of 10.0, the highest possible severity rating.

According to an advisory from the Moby Project maintainers, the vulnerability can be exploited by an attacker sending an API request with the Content-Length set to 0. This causes the Docker daemon to forward the request without the body to the AuthZ plugin, which might then approve the request incorrectly.
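The failure mode described above is a plugin that decides from whatever body it receives, so an absent body matches no deny rule and the request is approved. The following Go program is an added example, not code from Docker or the Moby Project: it contrasts a naive decision function with one that fails closed. The `AuthZRequest`/`AuthZResponse` structs reflect the documented plugin request and response fields, but the policy itself (deny privileged containers), the `bodyRequired` allow-list of body-bearing API paths and the sample request are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest carries the fields the daemon posts to an AuthZ plugin's
// /AuthZPlugin.AuthZReq endpoint. RequestBody is base64 on the wire, which
// encoding/json maps onto []byte; an omitted body decodes to nil.
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestUri"`
	RequestBody    []byte            `json:"RequestBody,omitempty"`
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// createSpec is the subset of the container-create payload this policy inspects.
type createSpec struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

// bodyRequired reports whether the operation's security-relevant content lives
// in the request body. The path list is a hypothetical allow-list for this example.
func bodyRequired(method, uri string) bool {
	if method != "POST" && method != "PUT" {
		return false
	}
	path := strings.SplitN(uri, "?", 2)[0] // drop the query string
	return strings.HasSuffix(path, "/containers/create") ||
		strings.HasSuffix(path, "/services/create")
}

// naiveDecide enforces "no privileged containers" by inspecting only what is in
// the body. An empty or unparseable body matches nothing, so the request is
// allowed: the behaviour the advisory warns about.
func naiveDecide(req AuthZRequest) AuthZResponse {
	var spec createSpec
	if len(req.RequestBody) > 0 {
		if err := json.Unmarshal(req.RequestBody, &spec); err == nil && spec.HostConfig.Privileged {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
	}
	return AuthZResponse{Allow: true}
}

// hardenedDecide applies the same policy but fails closed: a body-bearing
// operation that arrives without a body, or with a body the plugin cannot
// parse, is denied instead of waved through.
func hardenedDecide(req AuthZRequest) AuthZResponse {
	if bodyRequired(req.RequestMethod, req.RequestURI) {
		if len(req.RequestBody) == 0 {
			return AuthZResponse{Allow: false, Msg: "request body missing; cannot evaluate policy"}
		}
		var spec createSpec
		if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
			return AuthZResponse{Allow: false, Msg: "request body unparseable: " + err.Error()}
		}
		if spec.HostConfig.Privileged {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
	}
	return AuthZResponse{Allow: true}
}

// decodeRequest parses the JSON document the daemon posts to the plugin.
func decodeRequest(raw string) (AuthZRequest, error) {
	var req AuthZRequest
	err := json.Unmarshal([]byte(raw), &req)
	return req, err
}

func main() {
	// Constructed sample: a container-create call that reached the plugin with
	// no body, which is what the daemon forwards when Content-Length is 0.
	sample := `{"User":"alice","RequestMethod":"POST","RequestUri":"/v1.45/containers/create",` +
		`"RequestHeaders":{"Content-Length":"0"}}`
	req, err := decodeRequest(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive:    %+v\n", naiveDecide(req))
	fmt.Printf("hardened: %+v\n", hardenedDecide(req))
}
```

The design point is that a plugin's deny rules should never be the only thing standing between an empty payload and an allow: any operation whose risk is expressed in the body must be refused when the body is not there to evaluate, and the same applies to a body that does not parse.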

Docker revealed that this issue is a regression: it was originally discovered and fixed in Docker Engine v18.09.1 in January 2019, but the fix was not carried forward into subsequent versions (19.03 and later).

As of July 23, 2024, the flaw has been fixed in versions 23.0.14 and 27.1.0, following its identification in April 2024. The affected versions of Docker Engine, assuming AuthZ is used for access control decisions, include:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3
  • <= v27.1.0

Docker’s Gabriela Georgieva noted that users of Docker Engine v19.03.x and later who do not use authorization plugins for access control, as well as all users of Mirantis Container Runtime, are not vulnerable. Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are also unaffected.

The flaw also impacts Docker Desktop up to version 4.32.0, though the likelihood of exploitation is limited as it requires access to the Docker API, meaning the attacker would need local access to the host. A fix is expected in the upcoming version 4.33.

Georgieva mentioned that the default Docker Desktop configuration does not include AuthZ plugins, and any privilege escalation would be confined to the Docker Desktop virtual machine, not the underlying host.

While there is no indication that CVE-2024-41110 has been exploited in the wild, users are advised to update to the latest version to mitigate potential threats.

Earlier this year, Docker addressed a set of vulnerabilities known as Leaky Vessels, which could allow attackers to gain unauthorized access to the host filesystem and escape from containers.

Palo Alto Networks Unit 42 highlighted the increasing popularity of cloud services and containers, noting that while containers offer many advantages, they are also vulnerable to attacks like container escapes due to shared kernels and incomplete isolation from the host’s user mode.
