CVE-2020-24263
📋 TL;DR
CVE-2020-24263 is an insecure permissions vulnerability in Portainer that allows non-admin users to create Docker containers with dangerous capabilities like SYS_MODULE. This can lead to complete compromise of the Docker host system. All Portainer installations with non-admin users are affected.
💻 Affected Systems
- Portainer
📦 What is this software?
Portainer by Portainer
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Docker host allowing attackers to install kernel modules, escalate privileges, and gain persistent access to the underlying infrastructure.
Likely Case
Attackers with non-admin Portainer access can escape container isolation and gain root privileges on the Docker host, potentially accessing other containers and sensitive data.
If Mitigated
With proper access controls and network segmentation, impact is limited to the specific Portainer instance and its associated containers.
🎯 Exploit Status
Exploitation requires authenticated access to Portainer as a non-admin user. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Portainer 1.24.2 and later
Vendor Advisory: https://github.com/portainer/portainer/issues/4105
Restart Required: Yes
Instructions:
1. Backup your Portainer data.
2. Stop the Portainer container.
3. Pull the latest Portainer image: docker pull portainer/portainer:latest
4. Restart Portainer with your existing configuration.
🔧 Temporary Workarounds
Restrict Non-Admin Access
Remove all non-admin users from Portainer until patching is complete
# Remove non-admin users via Portainer UI or API
# Or disable Portainer entirely if not needed
Docker Daemon Hardening
Configure the Docker daemon with a hardened daemon.json. Note that none of these daemon options by themselves strip a capability that Portainer passes through at container creation; the seccomp-profile entry only helps if the profile at that path denies the module-loading syscalls (init_module, finit_module, delete_module) unconditionally, because Docker's default profile permits them whenever CAP_SYS_MODULE is granted.
# Edit /etc/docker/daemon.json and restart dockerd afterwards
# Docker 17.12 and later no longer accept "disable-legacy-registry"; an unknown key stops dockerd from starting
{
"default-ulimits": {},
"authorization-plugins": [],
"log-driver": "json-file",
"icc": false,
"live-restore": true,
"userland-proxy": false,
"seccomp-profile": "/etc/docker/seccomp/default.json"
}
🧯 If You Can't Patch
- Remove all non-admin user accounts from Portainer immediately
- Implement network segmentation to isolate Portainer from critical systems
🔍 How to Verify
Check if Vulnerable:
Check Portainer version in the web interface or run: docker inspect portainer | grep -i version
Check Version:
docker inspect portainer | grep -i version
Verify Fix Applied:
Verify that the version is 1.24.2 or later, then confirm that a non-admin user cannot create a container with the SYS_MODULE capability.
📡 Detection & Monitoring
Log Indicators:
- Non-admin users creating containers with elevated capabilities
- Containers being created with SYS_MODULE or other dangerous capabilities
- Unusual container creation patterns from non-admin accounts
Network Indicators:
- Unexpected outbound connections from Docker host to external IPs
- Unusual network traffic patterns from containers
SIEM Query:
source="portainer" AND (event="container_create" OR event="container_start") AND user_role="non-admin" AND capabilities="*SYS_MODULE*"
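As an added example (not code from the advisory or from Portainer), the following Python script turns the container indicators above into a host-side check: it parses the JSON that `docker inspect` prints and flags containers granted SYS_MODULE, run privileged, or started with seccomp off. The capability list beyond SYS_MODULE, the `--live` flag and the sample data are assumptions.

```python
import json
import subprocess
import sys

# SYS_MODULE is the capability named in CVE-2020-24263; the others are assumed
# equally host-compromising and are included for completeness.
DANGEROUS_CAPS = {"SYS_MODULE", "SYS_ADMIN", "SYS_PTRACE", "SYS_RAWIO", "SYS_BOOT"}


def normalise(cap):
    """Docker accepts both 'SYS_MODULE' and 'CAP_SYS_MODULE'; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_containers(inspect_output):
    """Return one finding per container whose HostConfig grants a dangerous capability,
    runs privileged, or switches seccomp off. Input is the JSON array from `docker inspect`."""
    findings = []
    for c in json.loads(inspect_output):
        hc = c.get("HostConfig") or {}
        caps = {normalise(x) for x in (hc.get("CapAdd") or [])}
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")  # grants every capability, SYS_MODULE included
        if "ALL" in caps:
            reasons.append("CapAdd=ALL")
        bad = sorted(caps & DANGEROUS_CAPS)
        if bad:
            reasons.append("CapAdd=" + ",".join(bad))
        if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
            reasons.append("seccomp disabled")
        if reasons:
            findings.append({"id": c["Id"][:12], "name": (c.get("Name") or "").lstrip("/"), "reasons": reasons})
    return findings


# Constructed sample in `docker inspect` shape: one benign container and one created
# the way a non-admin Portainer user could under this CVE.
SAMPLE = json.dumps([
    {"Id": "a" * 64, "Name": "/web", "HostConfig": {"CapAdd": None, "Privileged": False}},
    {"Id": "b" * 64, "Name": "/build", "HostConfig": {"CapAdd": ["SYS_MODULE"], "Privileged": False,
                                                     "SecurityOpt": ["seccomp=unconfined"]}},
])

if __name__ == "__main__":
    if "--live" in sys.argv:  # assumed flag: inspect every running container on this host
        ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
        data = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout if ids else "[]"
    else:
        data = SAMPLE
    for f in audit_containers(data):
        print(f"{f['id']} {f['name']}: {', '.join(f['reasons'])}")
```

Run it on a schedule or from the SIEM's collector and alert on any non-empty result; the `name` field maps back to the Portainer container that was created.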