CVE-2024-41110 in Engine
Summary
by MITRE • 07/24/2024
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
Analysis
by VulDB Data Team • 10/14/2024
CVE-2024-41110 is a regression in Docker Engine's handling of authorization (AuthZ) plugins that undermines an access control many container deployments rely on. The affected code is the Moby project's implementation of the Docker Engine API, where AuthZ plugins are handed each API request and response, including the body, so that they can allow or deny container operations. Because a crafted request can make the daemon forward the request or response to the plugin without its body, a plugin whose decision depends on body contents (for example, rejecting a container created with a privileged HostConfig) may allow what it would otherwise have denied, which can lead to unauthorized actions including privilege escalation.
The flaw is a regression of a fix first shipped in Docker Engine v18.09.1 in January 2019 that was not carried into later major versions. It is triggered when an Engine API client sends a request crafted so that the daemon calls the authorization plugin without the body content. Plugins written to decide on the complete request or response then see a partial record: a plugin that treats a missing body as having nothing to object to is the fail-open case the advisory describes, and it grants access it would have refused had the body arrived. The weakness is classified as CWE-284 (Improper Access Control) and sits in the authorization layer of the container engine itself, not in any orchestrator above it.
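To make the fail-open condition concrete, here is an added example (not Docker's code and not any shipped plugin) of a minimal AuthZ plugin decision function in Python. It uses the field names of Docker's AuthZReq message (RequestMethod, RequestURI, RequestHeaders, and the base64-encoded RequestBody) and the Allow/Msg response fields; the policy itself (deny privileged containers and host PID namespace on the container-create endpoint), the helper names, and the sample requests are constructed for the example. The vulnerable variant treats a missing body as nothing to deny, which is the behaviour the summary and the paragraph above describe; the hardened variant fails closed when the body is absent on an endpoint it must inspect, or when the forwarded headers announce a body that did not arrive. The same reasoning applies to the AuthZRes call on the response side.

```python
import base64
import json
import re

# Hypothetical policy for the example: refuse containers that escape isolation
# through HostConfig on the container-create endpoint.
CREATE_RE = re.compile(r"^(/v[0-9.]+)?/containers/create(\?|$)")
DENIED_HOSTCONFIG = {"Privileged": True, "PidMode": "host"}


def _decode_body(req):
    """RequestBody is the raw HTTP body, base64-encoded in the AuthZReq JSON.
    Returns the parsed JSON, or None when the daemon forwarded no body."""
    raw = req.get("RequestBody")
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def _hostconfig_violation(body):
    hc = (body or {}).get("HostConfig") or {}
    for key, bad in DENIED_HOSTCONFIG.items():
        if hc.get(key) == bad:
            return f"HostConfig.{key}={bad!r} is not allowed"
    return None


def _is_create(req):
    return (req.get("RequestMethod") == "POST"
            and CREATE_RE.match(req.get("RequestURI", "")) is not None)


def _headers_promise_body(req):
    """True when the forwarded headers say a body exists (non-zero Content-Length
    or any Transfer-Encoding), regardless of what RequestBody contains."""
    hdrs = {k.lower(): v for k, v in (req.get("RequestHeaders") or {}).items()}
    return hdrs.get("content-length", "0").strip() not in ("", "0") or "transfer-encoding" in hdrs


def authz_req_vulnerable(req):
    """Fail-open plugin: a missing body is indistinguishable from a harmless one."""
    if _is_create(req):
        msg = _hostconfig_violation(_decode_body(req))
        if msg:
            return {"Allow": False, "Msg": msg}
    return {"Allow": True, "Msg": ""}


def authz_req_hardened(req):
    """Fail-closed plugin: deny when the body the policy needs is not there."""
    body = _decode_body(req)
    if body is None and _headers_promise_body(req):
        return {"Allow": False, "Msg": "headers announce a body but none was forwarded"}
    if _is_create(req):
        if body is None:
            return {"Allow": False, "Msg": "container create without a body cannot be evaluated"}
        msg = _hostconfig_violation(body)
        if msg:
            return {"Allow": False, "Msg": msg}
    return {"Allow": True, "Msg": ""}


def make_req(method, uri, body=None, headers=None):
    """Build a constructed AuthZReq message the way the daemon would serialize it."""
    req = {"User": "alice", "UserAuthNMethod": "TLS", "RequestMethod": method,
           "RequestURI": uri, "RequestHeaders": dict(headers or {})}
    if body is not None:
        raw = json.dumps(body).encode()
        req["RequestHeaders"].setdefault("Content-Type", "application/json")
        req["RequestHeaders"].setdefault("Content-Length", str(len(raw)))
        req["RequestBody"] = base64.b64encode(raw).decode()
    return req


# Constructed sample requests (not captured from a real daemon).
PRIVILEGED_CREATE = make_req("POST", "/v1.45/containers/create",
                             {"Image": "alpine", "HostConfig": {"Privileged": True}})
PLAIN_CREATE = make_req("POST", "/v1.45/containers/create",
                        {"Image": "alpine", "HostConfig": {"Privileged": False}})
LIST_CONTAINERS = make_req("GET", "/v1.45/containers/json")
# The CVE condition: the same privileged create, forwarded by the daemon without its body.
STRIPPED_CREATE = {k: v for k, v in PRIVILEGED_CREATE.items() if k != "RequestBody"}

if __name__ == "__main__":
    for name, req in [("privileged", PRIVILEGED_CREATE), ("stripped", STRIPPED_CREATE),
                      ("plain", PLAIN_CREATE), ("list", LIST_CONTAINERS)]:
        print(f"{name:10s} vulnerable={authz_req_vulnerable(req)['Allow']} "
              f"hardened={authz_req_hardened(req)['Allow']}")
```

The point of the two extra checks in the hardened variant is that the plugin cannot tell a legitimately empty body from one the daemon dropped, so it must refuse to decide at all on endpoints where the body carries the security-relevant fields, and treat a Content-Length or Transfer-Encoding header with no body behind it as a sign that something was stripped.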
The operational impact of CVE-2024-41110 is not limited to one bypassed check. An attacker who already holds access to the Engine API (the prerequisite, which ATT&CK describes as T1078 Valid Accounts) can use the missing-body condition to carry out container operations the plugin was meant to refuse, access data the policy was protecting, and escalate privileges, since a container created with a privileged HostConfig or a bind mount of the host filesystem is enough to compromise the host running the daemon. That abuse of an authorization control maps to ATT&CK T1548 Abuse Elevation Control Mechanism. The advisory's low exploitation likelihood refers to these preconditions (API access plus a body-inspecting plugin), not to the consequences, because the control being bypassed is one that many container security architectures treat as a primary enforcement point.
The vulnerability affects Docker Engine versions prior to v27.1.1, the docker-ce release that carries the fix; the patches were also merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches, so older maintained branches can carry it as well, and you should check your distributor's release notes for the point release of an older branch that includes it. Docker Enterprise Edition v19.03.x and all versions of Mirantis Container Runtime are not affected. Organizations that cannot upgrade immediately should apply the advisory's compensating controls: stop relying on authorization plugins whose decisions depend on request or response body inspection (or on AuthZ plugins altogether), and restrict access to the Docker API to trusted parties. In practice the second control means auditing who can reach the daemon's Unix socket (membership in the docker group is root-equivalent on the host) and whether any TCP listener is exposed, which is the principle of least privilege applied to the API surface until the patched version is deployed.
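As an added exposure-triage helper (example code, not from Docker or VulDB), the following shell script checks the two conditions the advisory combines: an engine older than the 27.1.1 release and an authorization plugin configured through daemon.json or the dockerd command line. The version comparator, the sample daemon.json and command line, and the plugin name in them are constructed for the example. Because the patches were also merged into older release branches, a pre-27.1.1 result means "confirm with your distributor which point release carries the backport", not a definitive verdict.

```shell
#!/bin/sh
# Added example: triage whether a host is exposed to CVE-2024-41110.
# Exposure needs an Engine without the fix (the advisory names docker-ce 27.1.1
# as the release carrying it) AND an authorization plugin in use.

# version_lt A B: exit 0 if dotted version A is numerically lower than B,
# comparing the first three components (suffixes such as -rc1 are ignored).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# authz_plugin_configured DAEMON_JSON_TEXT DOCKERD_CMDLINE: exit 0 if a plugin is
# named in the daemon.json "authorization-plugins" array (heuristic: the array
# must open on the same line as the key and be non-empty) or passed as
# --authorization-plugin on the dockerd command line.
authz_plugin_configured() {
    printf '%s\n' "$1" | grep -q '"authorization-plugins"[[:space:]]*:[[:space:]]*\[[^]]' && return 0
    printf '%s\n' "$2" | grep -q -- '--authorization-plugin' && return 0
    return 1
}

# exposure VERSION DAEMON_JSON_TEXT DOCKERD_CMDLINE prints one of:
#   patched          engine is 27.1.1 or later
#   exposed          older engine with an AuthZ plugin (confirm backport status with vendor)
#   no-authz-plugin  older engine, but no plugin, so there is no decision to bypass
exposure() {
    if ! version_lt "$1" "27.1.1"; then
        echo patched
    elif authz_plugin_configured "$2" "$3"; then
        echo exposed
    else
        echo no-authz-plugin
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_DAEMON_JSON='{ "authorization-plugins": ["authz-broker"], "log-driver": "json-file" }'
SAMPLE_DOCKERD_CMDLINE='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'

exposure 26.1.4 "$SAMPLE_DAEMON_JSON" "$SAMPLE_DOCKERD_CMDLINE"   # exposed
exposure 27.1.1 "$SAMPLE_DAEMON_JSON" "$SAMPLE_DOCKERD_CMDLINE"   # patched
exposure 27.0.3 '{}' "$SAMPLE_DOCKERD_CMDLINE"                    # no-authz-plugin

# Live use on a host (requires a local dockerd; the values above are substitutes for these):
#   exposure "$(docker version -f '{{.Server.Version}}')" \
#            "$(cat /etc/docker/daemon.json 2>/dev/null)" \
#            "$(ps -o args= -C dockerd 2>/dev/null)"
```

The daemon.json check is deliberately a line-based heuristic so the script has no dependency on jq; on a host where the array is pretty-printed across lines, parse the file properly before trusting a "no-authz-plugin" result.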
For practitioners the lesson is that a regression of a previously fixed security issue is a distinct risk: a fix applied to one release line must be carried into every later line and covered by a regression test that exercises the exact bypass, here an API request whose body never reaches the plugin. Organizations running Docker with authorization plugins should determine their exposure now: confirm the engine version against the patched releases, inventory which plugins are configured and whether their policies read request or response bodies, and keep the compensating controls above in place until the upgrade is complete.