SOCRadar® Cyber Intelligence Inc. | Docker Fixed an AuthZ Bypass Flaw Leading to Privilege Escalation: CVE-2024-41110
Table Of Content
Home

Resources

Blog
Jul 24, 2024
4 Mins Read

Docker Fixed an AuthZ Bypass Flaw Leading to Privilege Escalation: CVE-2024-41110

On July 23, 2024, Docker issued an advisory regarding a security vulnerability in the authorization plugins (AuthZ), used for access control. The vulnerability affects Docker Engine, as well as Docker Desktop.

Docker Engine, an open-source containerization technology, allows developers to build and package applications efficiently.

Docker Engine, an open-source containerization technology, allows developers to build and package applications efficiently.

The identified vulnerability involves an AuthZ bypass and potential privilege escalation, initially discovered years ago but resurfacing due to a regression.

A regression occurs when a previously fixed security issue reappears in later versions, often due to changes or updates that unintentionally reintroduce the problem. In this case, Docker’s advisory highlights that the initial fix was not included in subsequent versions, leading to the re-emergence of this security flaw.

What Is CVE-2024-41110?

Identified as CVE-2024-41110 (CVSS: 10), the Docker AuthZ vulnerability represents a critical regression in Docker’s authorization mechanism, leading to significant security issues.

Authorization plugins (AuthZ) enhance Docker’s access control by approving or denying requests based on authentication and context. Without AuthZ, users with Docker daemon access can execute any command.

Discovered in 2018, this vulnerability lets attackers bypass AuthZ plugins with specially crafted API requests. By setting the Content-Length to 0, the Docker daemon sends the request without the body to the AuthZ plugin, which may approve it, subsequently leading to unauthorized actions like privilege escalation.

The vulnerability was initially fixed in Docker Engine v18.09.1 in January 2019. However, the fix was not included in Docker Engine v19.03 and later versions, resulting in a regression.

The issue was rediscovered in April 2024, and patches are available since July 23, 2024.

Which Docker Versions Are Affected by CVE-2024-41110?

Docker Engine users from version 19.03.x onward who utilize AuthZ for access control are vulnerable to CVE-2024-41110, while those who are not using AuthZ plugins or running older Docker Engine versions remain unaffected. The specific versions impacted are listed below:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3
  • <= v27.1.0

How to Fix the Vulnerability in Docker

Docker urges all affected users to update Docker Engine to the latest version immediately. The patch for CVE-2024-41110 is included in versions later than v23.0.14 and v27.1.0.

If an immediate update is not possible, temporarily disable AuthZ plugins and restrict Docker API access to trusted parties only, adhering to the principle of least privilege.

Docker also cautions against exposing the Docker API over TCP without protection after disabling AuthZ plugins. Docker Business subscribers can use Settings Management to enforce secure settings.

Is Docker Desktop Impacted by CVE-2024-41110?

Docker Desktop is affected by CVE-2024-41110, though some mitigating factors exist.

Docker Desktop versions up to v4.32.0 include vulnerable versions of Docker Engine. However, the impact on Docker Desktop is less severe than in production environments.

Exploiting this vulnerability in Docker Desktop requires access to the Docker API, usually needing local access to the machine unless the daemon is insecurely configured. Additionally, Docker Desktop’s default setup does not include AuthZ plugins.

Despite these mitigations, updating to Docker Desktop version 4.33 is recommended once available, as it will include a patched version of Docker Engine.

For more details on CVE-2024-41110, see the official Docker advisory.

Manage Security Vulnerabilities with SOCRadar’s Vulnerability Intelligence

Your organization can efficiently manage security vulnerabilities using SOCRadar’s Vulnerability Intelligence.

SOCRadar’s Vulnerability Management

SOCRadar’s Vulnerability Management

Here are the key benefits of the Vulnerability Intelligence module:

  • Stay informed about the latest exploitation trends and emerging CVEs to safeguard your systems against potential cyber threats.
  • Access extensive details on identified CVEs, including new exploits, mentions, and related threat actors.
  • Filter and search for vulnerabilities by product, vendor, and other tags, enabling a targeted and efficient vulnerability management strategy.

Related Articles
SOCRadar® Cyber Intelligence Inc. | Critical Security Updates for Cisco Smart Licensing Utility & Key Veeam Products
Critical Security Updates for Cisco Smart Licensing Utility & Key Veeam Products
Sep 05, 2024
SOCRadar® Cyber Intelligence Inc. | Telegram’s Uncertain Future: Hacktivist Reactions and the Potential Shift to New Platforms
Telegram’s Uncertain Future: Hacktivist Reactions and the Potential Shift to New Platforms
Sep 05, 2024
SOCRadar® Cyber Intelligence Inc. | VMware Fusion Receives Fix for a Severe Code Execution Vulnerability, CVE-2024-38811
VMware Fusion Receives Fix for a Severe Code Execution Vulnerability, CVE-2024-38811
Sep 04, 2024
SOCRadar® Cyber Intelligence Inc. | Exploits Released for Critical Flaws in WhatsUp Gold and Jenkins, Patch Now (CVE-2024-6670, CVE-2024-43044)
Exploits Released for Critical Flaws in WhatsUp Gold and Jenkins, Patch Now (CVE-2024-6670, CVE-2024-43044)
Sep 02, 2024
SOCRadar® Cyber Intelligence Inc. | Pre-Auth RCE Vulnerability in Apache OFBiz (CVE-2024-38856) Is Under Active Exploitation, CISA Warns
Pre-Auth RCE Vulnerability in Apache OFBiz (CVE-2024-38856) Is Under Active Exploitation, CISA Warns
Aug 28, 2024