Docker finally fixes a critical security flaw that could have allowed for account hijack

Docker
(Image credit: Flickr)

Five years ago, Docker fixed a critical-severity vulnerability in Docker Engine that allowed threat actors to bypass authorization plugins and escalate privileges on flawed instances.

However, one of the newer versions, released after the patch, re-introduced the flaw, which apaprently remained present in Docker Engine until only recently. 

The bug was given a new CVE and a new patch, but we don’t know if anyone found it, and abused it, in the five years since then.

Disabling AuthZ

The vulnerability is now tracked as CVE-2024-41110, and has a perfect vulnerability score of 10/10. All versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control, were said to be vulnerable.

Those that don’t use plugins for authorization, those that use Mirantis Container Runtime, and those using Docker commercial products, are not affected by the vulnerability, regardless of the Docker Engine version they use, it was said. The earliest patched versions are v23.0.14 and v27.1.0.

Docker Desktop 4.32.0, the latest version, was also said to be vulnerable, but the impact is apparently limited, since exploiting the flaw requires access to the docker API, and any escalation of privilege would only be limited to the virtual machine. 

Docker Desktop v4.33.0 will address this issue as well, but it hasn’t been published yet. 

Those who are unable to apply the patch at this time should disable AuthZ plugins, and restrict access to the Docker API to only those users they trust, the company concluded. 

Docker is a platform for developing, shipping, and running applications using containerization technology. It allows developers to package applications and their dependencies into containers, ensuring consistency across various environments. The platform has 13 million of users worldwide, including individual developers, small businesses, and large enterprises.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.