Docker finally fixes a critical security flaw that could have allowed account hijacking
Five years ago, Docker fixed a critical vulnerability in Docker Engine that allowed attackers to bypass authorization plugins and escalate privileges on vulnerable instances.
However, one of the newer versions that came out after the patch reintroduced the bug. Apparently, it was still in Docker Engine until recently.
The bug got a new CVE and a new patch, but we don’t know if anyone found and exploited the bug in the five years since.
Disable AuthZ
The vulnerability is now tracked as CVE-2024-41110 and has the maximum severity score of 10/10. For users who rely on authorization plugins for access control, all versions up to and including v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0 were considered vulnerable.
Those who do not use plugins for authorization, those who use Mirantis Container Runtime, and those who use commercial Docker products are not affected by the vulnerability, regardless of the Docker Engine version they are using, Docker said. The earliest patched versions are v23.0.14 and v27.1.0.
Docker Desktop 4.32.0, the latest version, is also said to be vulnerable, but the impact appears to be limited. Exploiting the flaw requires access to the Docker API, and any privilege escalation would be limited to the virtual machine.
Docker Desktop v4.33.0 also fixes this issue, but has not yet been released.
People who cannot apply the patch at this time should disable AuthZ plugins and restrict access to the Docker API to only users they trust, the company concluded.
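A triage check for the conditions described above, as an added example that is not Docker's code or part of the original article. It takes the affected-version list at face value (each listed version is the highest affected release in its release line), reads the daemon.json keys "authorization-plugins" and "hosts", and does not cover settings passed as dockerd command-line flags; the function names and the plugin name "example-authz" are made up for illustration.

```python
import json
import re

# Highest affected release per release line, copied from the list in the article.
AFFECTED_CEILINGS = {
    (19, 3): 15, (20, 10): 27, (23, 0): 14, (24, 0): 9, (25, 0): 5,
    (26, 0): 2, (26, 1): 4, (27, 0): 3, (27, 1): 0,
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v27.1.0' or '24.0.9-1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_status(text):
    """'affected', 'newer_than_listed', or 'unlisted_line' (line not in the article)."""
    major, minor, patch = parse_version(text)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    if ceiling is None:
        return "unlisted_line"
    return "affected" if patch <= ceiling else "newer_than_listed"

def triage(engine_version, daemon_json_text):
    """Combine the version check with the conditions the article names."""
    config = json.loads(daemon_json_text or "{}")
    plugins = config.get("authorization-plugins") or []
    tcp_hosts = [h for h in (config.get("hosts") or []) if h.startswith("tcp://")]
    status = version_status(engine_version)
    return {
        "version_status": status,
        "authz_plugins": plugins,
        # Network listeners widen who can reach the Docker API at all.
        "tcp_api_listeners": tcp_hosts,
        # Only hosts that rely on an AuthZ plugin are exposed, per the article.
        "exposed": status == "affected" and bool(plugins),
    }

if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real host.
    sample = ('{"authorization-plugins": ["example-authz"], '
              '"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]}')
    for version in ("v26.1.4", "27.1.1", "18.09.9"):
        print(version, triage(version, sample))
```
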
Docker is a platform for developing, shipping, and running applications using containerization technology. It allows developers to package applications and their dependencies in containers, ensuring consistency across environments. The platform has 13 million users worldwide, including individual developers, small businesses, and large enterprises.
Via BleepingComputer