You should probably fix this 5-year-old critical Docker vuln fairly sharpish

July 25, 2024 at 09:49AM

Docker is warning users to patch Docker Engine because of a critical vulnerability (CVE-2024-41110) that has been present for five years. The bug allows attackers to exploit authorization plugins, potentially leading to privilege escalation and unintended command execution. While the likelihood of exploitation is low, the severity score is high, and affected users are advised to upgrade to safe versions.

Key takeaways:

– Docker has identified a near-maximum severity vulnerability (CVE-2024-41110) in Docker Engine that has been present for five years, allowing for privilege escalation when using authorization plugins (AuthZ).
– Versions 19.03 and newer are susceptible to exploitation through specially crafted API requests whose body has a Content-Length set to 0, which can lead to unintended commands being executed and potentially to privilege escalation for attackers.
– The severity score of the vulnerability is high, with a CVSS assessment indicating it’s a low-complexity attack that requires low-level privileges and no user interaction. The potential impact on confidentiality, integrity, and availability is also high.
– Docker recommends users upgrade to versions > v23.0.14 and > v27.1.0 to mitigate the vulnerability. Users who do not rely on authorization plugins, and users of Mirantis Container Runtime, are not vulnerable.
– A fix for Docker Desktop is forthcoming in v4.33, with Docker stating that the impact is expected to be less severe than in production environments. Exploitation would require an attacker to have local access to the machine, or the Docker daemon to be exposed over TCP.
– Even if an attacker had the necessary access, privilege escalation would be limited to the Docker Desktop VM and not the host.
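
A triage check built from the conditions in the takeaways above (AuthZ plugin in use, Engine 19.03 or newer, not above the listed safe versions). This is an added example, not code from Docker or the original article; the plugin name and host inventory are constructed, and release lines for which the summary names no fixed version are flagged rather than cleared.

```python
import json
import re

def parse_version(text):
    """Return (major, minor, patch) from strings such as '23.0.14' or 'v27.1.0'."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def authz_plugins(daemon_json_text):
    """List AuthZ plugins named under 'authorization-plugins' in daemon.json."""
    if not daemon_json_text.strip():
        return []
    return json.loads(daemon_json_text).get("authorization-plugins") or []

def triage(engine_version, daemon_json_text):
    """Classify one host using only the conditions stated in the summary."""
    if not authz_plugins(daemon_json_text):
        return "not-affected: no AuthZ plugin configured"
    v = parse_version(engine_version)
    if v < (19, 3, 0):
        return "out-of-scope: older than 19.03, not covered by the summary"
    if v[:2] == (23, 0) and v > (23, 0, 14):
        return "patched: 23.0 line above v23.0.14"
    if v > (27, 1, 0):
        return "patched: above v27.1.0"
    # Assumption: lines with no fixed version named in the summary
    # (for example 24.0 or 26.1) are flagged for upgrade, not cleared.
    return f"upgrade: AuthZ plugin in use on {engine_version}"

# Constructed inventory. On a real host the version comes from
# `docker version --format '{{.Server.Version}}'` and the config from
# /etc/docker/daemon.json; a plugin may also be set with the dockerd
# flag --authorization-plugin, which this check does not inspect.
WITH_AUTHZ = '{"authorization-plugins": ["example-authz"]}'
SAMPLE_HOSTS = {
    "build-01": ("27.1.0", WITH_AUTHZ),
    "build-02": ("27.1.1", WITH_AUTHZ),
    "edge-01": ("23.0.14", WITH_AUTHZ),
    "dev-01": ("26.1.4", "{}"),
}

if __name__ == "__main__":
    for host, (version, config) in SAMPLE_HOSTS.items():
        print(f"{host}: {triage(version, config)}")
```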
