Docker Security Advisory: AuthZ Plugin Bypass Regression in Docker Engine

Certain versions of Docker Engine have a security vulnerability that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Problem

Docker’s default authorization model is all-or-nothing. Users with access to the Docker daemon can execute any Docker command. For greater access control, authorization plugins (AuthZ) can be used. These plugins approve or deny requests to the Docker daemon based on authentication and command context.

In 2018, a security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later versions, resulting in a regression.

Vulnerability details

• AuthZ bypass and privilege escalation: An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectlyif not set to deny by default.
• Initial fix: The issue was fixed in Docker Engine v18.09.1 January 2019.
• Regression: The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.

Affected versions

Who is impacted?

• Users of Docker Engine v19.03.x and later versions who rely on authorization plugins to make access control decisions.

Who is not impacted?

• Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime are not vulnerable.
• Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected.

Impact on Docker Desktop

• Docker Desktop up to v4.32.0 includes affected versions of Docker Engine.
• The impact for Docker Desktop is limited compared to production environments.
  • Exploitation requires access to the Docker API, which usually means the attacker needs to already have local access to the host machine, unless the Docker daemon is insecurely exposed over TCP.
  • Default Docker Desktop configuration does not include AuthZ plugins.
  • Privilege escalation is limited to the Docker Desktop VM, not the underlying host.
• A patched version of Docker Engine is included in Docker Desktop 4.33.

Remediation steps

1. Update Docker Engine:

• If you are running an affected version, update to the most recent patched version.

2. Mitigation if unable to update immediately:

• Avoid using AuthZ plugins.
• Restrict access to the Docker API to trusted parties, following the principle of least privilege.

3. Update Docker Desktop:

• If using an affected version, update to Docker Desktop 4.33 .
• Ensure AuthZ plugins are not used and do not expose the Docker API over TCP without protection.
• Docker Business subscribers can use Settings Management to enforce secure settings.

Learn more