Although a patch was issued for a previous version, subsequent versions did not include it, leading to a regression.

Open source containerization platform Docker has urged users to patch a critical vulnerability affecting certain versions of the Docker Engine that allows privilege escalation using specially crafted API requests.

Tagged as CVE-2024-41110, the vulnerability was first discovered in 2018 and was assigned a CVSS score of 10/10. Although Docker fixed the flaw shortly after it was found, later versions did not receive the patch, according to a Docker security advisory.

“In 2018, a security issue was discovered where an attacker could bypass authorization plugins (AuthZ),” said Docker’s Gabriela Georgieva in a blog post. “Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later versions, resulting in a regression.”

Anyone depending on AuthZ plugins to process access requests and responses is potentially impacted, Docker added in the advisory.

AuthZ bypass and privilege escalation

Under Docker’s default “all or nothing” authorization model, users with Docker daemon access can execute any Docker command, Georgieva explained. AuthZ plugins can be used to enforce granular access control based on the authentication and command context.

In certain circumstances, the AuthZ plugin can be manipulated into approving unauthorized requests using specially crafted API requests. “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said in the advisory. The AuthZ plugin would otherwise have denied the request if the body had been forwarded to it, the company added.

Low exploitability

The vulnerability was initially fixed in a January 2019 release, Docker Engine v18.09.1.
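The advisory's description of the bypass, a body-dependent decision that is made on a request whose body was never forwarded, is a plugin-side failure mode a defender can check for directly. The following is an added example and not Docker's code or the code of any real AuthZ plugin: it models a plugin's decision function twice over the same constructed requests, once with the fail-open pattern that approves whenever there is no body to inspect, and once with a fail-closed version that denies any body-dependent operation for which no body arrived. The request and response field names, the list of body-dependent endpoints and the policy itself (deny privileged containers and Docker-socket bind mounts) are assumptions for illustration, not taken from the article.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest mirrors what an AuthZ plugin receives from the daemon.
// Field names are assumed for this example, not quoted from the advisory.
type AuthZRequest struct {
	User          string
	RequestMethod string
	RequestURI    string
	RequestBody   []byte // empty when the daemon forwarded no body
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool
	Msg   string
}

// containerCreate is the subset of the container-create JSON this
// illustrative policy inspects.
type containerCreate struct {
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		Binds      []string `json:"Binds"`
	} `json:"HostConfig"`
}

// bodyRequired lists operations whose authorization decision depends on the
// request body (assumed list; only container creation is modelled here).
func bodyRequired(method, uri string) bool {
	path := strings.SplitN(uri, "?", 2)[0]
	return method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// isPrivilegedCreate applies the example policy to a container-create body:
// privileged containers and bind mounts of the Docker socket are refused.
func isPrivilegedCreate(body []byte) (bool, error) {
	var req containerCreate
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	if req.HostConfig.Privileged {
		return true, nil
	}
	for _, b := range req.HostConfig.Binds {
		if strings.HasPrefix(b, "/var/run/docker.sock:") || strings.HasPrefix(b, "/:") {
			return true, nil
		}
	}
	return false, nil
}

// weakAuthZ is the fail-open pattern: the body is only inspected when one is
// present, so a request forwarded without a body falls through to Allow.
func weakAuthZ(r AuthZRequest) AuthZResponse {
	if len(r.RequestBody) > 0 && bodyRequired(r.RequestMethod, r.RequestURI) {
		priv, err := isPrivilegedCreate(r.RequestBody)
		if err != nil || priv {
			return AuthZResponse{Allow: false, Msg: "privileged container creation denied"}
		}
	}
	return AuthZResponse{Allow: true}
}

// hardenedAuthZ fails closed: a body-dependent operation with no body cannot
// be judged safe, so it is denied rather than waved through.
func hardenedAuthZ(r AuthZRequest) AuthZResponse {
	if bodyRequired(r.RequestMethod, r.RequestURI) {
		if len(r.RequestBody) == 0 {
			return AuthZResponse{Allow: false, Msg: "request body missing for body-dependent operation"}
		}
		priv, err := isPrivilegedCreate(r.RequestBody)
		if err != nil {
			return AuthZResponse{Allow: false, Msg: "unparseable request body"}
		}
		if priv {
			return AuthZResponse{Allow: false, Msg: "privileged container creation denied"}
		}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	// Constructed sample requests for the demonstration.
	requests := []AuthZRequest{
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create", RequestBody: nil},
		{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)},
		{User: "alice", RequestMethod: "GET", RequestURI: "/v1.45/containers/json"},
	}
	for _, r := range requests {
		fmt.Printf("%s %s body=%d bytes: weak=%v hardened=%v\n",
			r.RequestMethod, r.RequestURI, len(r.RequestBody),
			weakAuthZ(r).Allow, hardenedAuthZ(r).Allow)
	}
}
```

The difference between the two functions is only the handling of the empty-body case, which is exactly the situation the advisory describes. Updating the Engine remains the actual fix; the fail-closed plugin check is defence in depth for anyone who cannot update immediately.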
However, subsequent releases, including Docker Engine v19.03 and newer versions, did not include the fix, leading to a regression. “This was identified in April 2024 and patches were released for the affected versions on July 23, 2024,” the company added. “The issue was assigned CVE-2024-41110.”

Despite systems having been exposed for a long time since the initial patch was applied, Docker said the exploitability of the bug remained on the lower side. “The base likelihood of this being exploited is low,” Georgieva added.

Docker nevertheless cautioned users to apply the patches available now, particularly because the issue scored “Low” on the CVSS base ratings for “Attack complexity” and “Privileges required”.

Remediation steps for the affected versions include updating to the most recent version and, if updating isn’t possible, avoiding the use of AuthZ plugins and restricting access to the Docker API to trusted parties only.