CVE-2022-24961
📋 TL;DR
Portainer Agent versions before 2.11.1 contain a vulnerability where the API server continues running even after losing connection to the Portainer management instance for several days. This allows unauthorized access to Docker environments managed by Portainer. Organizations using Portainer Agent for container management are affected.
💻 Affected Systems
- Portainer Agent
📦 What is this software?
Portainer by Portainer
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over Docker environments, allowing container escape, data exfiltration, lateral movement, and complete infrastructure compromise.
Likely Case
Unauthorized users access Docker APIs to deploy malicious containers, manipulate existing containers, or steal sensitive data from containerized applications.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to isolated container environments rather than full infrastructure compromise.
🎯 Exploit Status
Exploitation requires network access to the Portainer Agent API endpoint. No authentication is needed once the agent has lost its connection to Portainer, because the affected versions keep serving the API instead of shutting down.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.1
Vendor Advisory: https://github.com/portainer/agent/compare/2.11.0...2.11.1
Restart Required: Yes
Instructions:
1. Update Portainer Agent to version 2.11.1 or later.
2. Restart the Portainer Agent service.
3. Verify that the connection to Portainer Server is re-established.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Portainer Agent API endpoints using firewall rules (Linux). Add the ACCEPT rule before the DROP rule so traffic from the trusted range is matched first; replace trusted_ip_range with your management network:
iptables -A INPUT -p tcp --dport 9001 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 9001 -j DROP
Regular Connection Monitoring
Implement monitoring to detect when Portainer Agent loses its connection to Portainer Server (all platforms):
systemctl status portainer-agent
docker logs portainer_agent_container
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach Portainer Agent endpoints
- Monitor for unauthorized Docker API calls and container deployments from unexpected sources
🔍 How to Verify
Check if Vulnerable:
Check the Portainer Agent version, and check whether the agent is still serving its API without an active connection to Portainer Server for several days.
Check Version:
docker inspect portainer_agent | grep -i version
Verify Fix Applied:
Confirm that the Portainer Agent version is 2.11.1 or later and that the agent stops automatically when it is disconnected from Portainer.
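The version check above can be scripted. The following is an added example, not code from the advisory or from the Portainer project: it parses the JSON that `docker inspect` prints, pulls the image tag of the agent container, and compares it against the fixed version 2.11.1. The embedded inspect output is a constructed sample trimmed to the fields the check needs; the `portainer_agent` container name is the one used in this advisory and is an assumption about your deployment.

```python
"""Check whether a Portainer Agent container runs a version affected by
CVE-2022-24961 (fixed in 2.11.1), based on `docker inspect` output.

Added example; not part of the advisory or the Portainer project.
"""
import json
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 11, 1)

# Constructed sample of `docker inspect portainer_agent` output, trimmed to the
# fields this check needs (real output contains many more keys).
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "/portainer_agent",
        "Config": {"Image": "portainer/agent:2.11.0"},
    }
])


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn a tag such as '2.11.0' or 'v2.11.1-alpine' into (major, minor, patch).
    Returns None for tags without a numeric version (e.g. 'latest')."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def image_tag_from_inspect(inspect_json: str) -> str:
    """Extract the image tag of the first container in docker inspect output.
    Returns '' when the image reference carries no explicit tag."""
    data = json.loads(inspect_json)
    if not isinstance(data, list) or not data:
        raise ValueError("unexpected docker inspect output")
    image = data[0]["Config"]["Image"]
    _repo, sep, tag = image.rpartition(":")
    # No colon at all, or the colon belonged to a registry port (host:5000/agent)
    if not sep or "/" in tag:
        return ""
    return tag


def is_vulnerable(tag: str) -> Optional[bool]:
    """True if the tag is older than 2.11.1, False if fixed, None if the tag
    (e.g. 'latest' or a digest) does not reveal the version."""
    version = parse_version(tag)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_container(name: str = "portainer_agent") -> Optional[bool]:
    """Run docker inspect on a live container and classify its version.
    Assumes the docker CLI is on PATH and the caller may talk to the daemon."""
    out = subprocess.check_output(["docker", "inspect", name], text=True)
    return is_vulnerable(image_tag_from_inspect(out))


if __name__ == "__main__":
    verdict = check_container()
    if verdict is None:
        print("version not visible in image tag; inspect the image labels manually")
    elif verdict:
        print("VULNERABLE: upgrade Portainer Agent to 2.11.1 or later and restart it")
    else:
        print("fixed version detected")
```

A `None` verdict (for example an image pinned as `portainer/agent:latest` or by digest) is the case to watch: the tag alone does not prove the fix is present, so fall back to the image labels or the agent's own log output.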
📡 Detection & Monitoring
Log Indicators:
- Portainer Agent logs showing 'no active connection to Portainer'
- Docker API calls from unauthorized IP addresses
- Unexpected container creation events
Network Indicators:
- TCP connections to Portainer Agent port 9001 from unexpected sources
- Docker API requests without proper authentication
SIEM Query:
source="portainer-agent" AND ("disconnected" OR "no connection") AND time>3d
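For sites without a SIEM, the same detection can run directly over the agent's log output. This is an added example, not code from the advisory or the Portainer project: it scans timestamped log lines (the layout `docker logs -t` produces, an RFC 3339 timestamp followed by the message), tracks the most recent disconnect/reconnect state, and reports when the agent has been reporting no connection to Portainer for longer than the three-day threshold used in the query above. The log lines embedded below are constructed, and the exact wording of the agent's disconnect and reconnect messages is an assumption; adjust the two patterns to match your own logs.

```python
"""Flag a Portainer Agent that has reported no connection to Portainer Server
for longer than a threshold (CVE-2022-24961: affected versions keep serving
the Docker API in that state).

Added example; not part of the advisory or the Portainer project.
Usage: docker logs -t portainer_agent 2>&1 | python3 check_disconnect.py
"""
import re
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of timestamped agent log lines (docker logs -t style).
# The message wording is an assumption, not the agent's real output.
SAMPLE_LOGS = """\
2022-01-10T08:00:00Z INFO agent started, listening on :9001
2022-01-10T08:00:05Z INFO connected to Portainer server
2022-01-12T14:30:00Z WARN no active connection to Portainer
2022-01-13T14:30:00Z WARN no active connection to Portainer
2022-01-16T09:00:00Z WARN no active connection to Portainer
"""

# Checked in this order: a "disconnected" line must not be read as "connected".
DISCONNECT_RE = re.compile(r"no (?:active )?connection to Portainer|disconnected", re.I)
CONNECT_RE = re.compile(r"\bconnected to Portainer", re.I)
# RFC 3339 prefix; fractional seconds (docker logs -t) are simply not captured.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def parse_ts(line: str) -> Optional[datetime]:
    """Return the line's UTC timestamp, or None for lines without one."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def disconnected_since(log_text: str) -> Optional[datetime]:
    """Timestamp of the first disconnect message in the current disconnected
    run, or None if the agent was connected in the last state-changing line."""
    since = None
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if DISCONNECT_RE.search(line):
            if since is None:
                since = ts
        elif CONNECT_RE.search(line):
            since = None
    return since


def disconnected_too_long(log_text: str, now: datetime,
                          threshold: timedelta = timedelta(days=3)) -> bool:
    """True when the agent has been disconnected for longer than threshold."""
    since = disconnected_since(log_text)
    return since is not None and (now - since) > threshold


if __name__ == "__main__":
    logs = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGS
    now = datetime.now(timezone.utc)
    since = disconnected_since(logs)
    if disconnected_too_long(logs, now):
        print(f"ALERT: agent disconnected since {since.isoformat()}; "
              f"on affected versions its API is still reachable without auth")
    else:
        print("agent connected, or disconnected for less than the threshold")
```

The state tracking matters more than the string match: a single "no connection" line right after a restart is normal, so the script only alerts when the disconnected run has persisted past the threshold without a reconnect message in between.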
🔗 References
- https://github.com/portainer/agent/compare/2.11.0...2.11.1
- https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f
- https://github.com/portainer/portainer/issues/6420
- https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet