Docker is warning users to rev their Docker Engine into patch mode after it realized a near-maximum severity vulnerability had been sticking around for five years.

Now tracked as CVE-2024-41110, the privilege escalation bug was originally discovered in 2018 and patched in January 2019's version 18.09.1. However, the fix wasn't carried over in the following updates, meaning versions from 19.03 and newer remained vulnerable.

The vulnerability lies in Docker's use of authorization plugins (AuthZ) for greater access control. They're used to approve and deny requests, and do so through information provided to them in the body, which is assessed to make validation decisions.

Attackers could exploit the vulnerability by sending a specially crafted API request with the body's Content-Length set to 0. Without a body, the AuthZ plugin is fed no information that can be used to inform an authorization request.

By sending a body-less request, an attacker can force the Docker Engine API client to forward that request to an authorization plugin, which may, in error, approve a request that would have been denied if the body content was forwarded to it.

This can lead to unintended commands being executed that can lead to consequences like attackers escalating their privileges.

Docker says the likelihood of this attack being exploited is low, but the vulnerability's CVSS assessment indicates it's a low-complexity attack that requires low-level privileges and no user interaction.

The potential impact on confidentiality, integrity, and availability is all "high," and together this has contributed to an overall severity score of 9.9, according to the National Vulnerability Database. A separate advisory from the open source Moby project assessed this to be a perfect 10 score, however.

Docker recommends that users upgrade to the safe versions: > v23.0.14 and > v27.1.0. 

If you're running a version that's affected but do not rely on authorization plugins, you're not vulnerable to CVE-2024-41110, and neither are Mirantis Container Runtime users.

For those running Docker Desktop, a fix is coming in v4.33, but the impact is thought to be less severe than in production environments, Docker said.

To access the Docker API, which is crucial for an exploit, the attacker would already need to have local access to the machine, or have the Docker daemon exposed over TCP. Although vulnerable versions of Docker Engine are in the latest Docker Desktop release, the default Desktop configuration doesn't rely on AuthZ plugins.

Even if the above conditions were working in an attacker's favor, privilege escalation would also only be limited to the Docker Desktop VM and not the host. ®

https://www.theregister.com//2024/07/25/5yo_docker_vulnerability/