Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances.
The flaw was initially discovered and fixed in Docker Engine v18.09.1, released in January 2019, but for some reason, the fix wasn’t carried forward in later versions, so the flaw resurfaced.
This dangerous regression was identified only in April 2024, and patches were eventually released today for all supported Docker Engine versions.
Though this left attackers a comfortable 5-year period to leverage the flaw, it is unclear if it was ever exploited in the wild to gain unauthorized access to Docker instances.
A five year old flaw
The flaw, now tracked under CVE-2024-41110, is a critical-severity (CVSS score: 10.0) issue that allows an attacker to send a specially crafted API request with a Content-Length of 0, to trick the Docker daemon into forwarding it to the AuthZ plugin.
In typical scenarios, API requests include a body that contains the necessary data for the request, and the authorization plugin inspects this body to make access control decisions.
When the Content-Length is set to 0, the request is forwarded to the AuthZ plugin without the body, so the plugin cannot perform proper validation. This entails the risk of approving requests for unauthorized actions, including privilege escalation.
CVE-2024-41110 affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control.
Users who don’t rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not impacted by CVE-2024-41110, no matter what version they run.
Patched versions impacted users are advised to move to as soon as possible are v23.0.14 and v27.1.0.
It is also noted that Docker Desktop’s latest version, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited there as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM.
The upcoming Docker Desktop v4.33.0 will resolve the problem, but it has not been released yet.
Users who cannot move to a safe version are advised to disable AuthZ plugins and restrict access to the Docker API only to trusted users.
