CVE-2022-26659 – This vulnerability allows attackers to overwrit... (How to Fix)

Q: What is the severity of CVE-2022-26659?

CVE-2022-26659 has a CVSS score of 7.1 (HIGH). This vulnerability allows attackers to overwrite administrator-writable files on Windows systems by exploiting a symlink vulnerability in Docker Desktop installer log file handling. Attackers can create symbolic links where the installer writes logs, redirecting output to sensitive system files. Only affects Docker Desktop for Windows versions before 4.6.0.

📋 TL;DR

This vulnerability allows attackers to overwrite administrator-writable files on Windows systems by exploiting a symlink vulnerability in Docker Desktop installer log file handling. Attackers can create symbolic links where the installer writes logs, redirecting output to sensitive system files. Only affects Docker Desktop for Windows versions before 4.6.0.

💻 Affected Systems

Products:

Docker Desktop for Windows

Versions: All versions before 4.6.0

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows installations. Requires Docker Desktop installer to be run with elevated privileges.

📦 What is this software?

Docker Desktop by Docker

View all CVEs affecting Docker Desktop →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary file overwrite leading to privilege escalation, malware persistence, or system configuration corruption.

🟠

Likely Case

Local privilege escalation allowing attackers to modify system files, install malware, or tamper with system configurations.

🟢

If Mitigated

Minimal impact if proper access controls prevent non-administrators from creating symlinks in installer directories.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.

🏢 Internal Only: MEDIUM - Internal attackers with user-level access could exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access and ability to create symbolic links. Public proof-of-concept available in GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.0 and later

Vendor Advisory: https://docs.docker.com/desktop/windows/release-notes/

Restart Required: Yes

Instructions:

1. Download Docker Desktop 4.6.0 or later from official Docker website. 2. Run the installer with administrative privileges. 3. Follow installation prompts. 4. Restart system if prompted.

🔧 Temporary Workarounds

Restrict symbolic link creation

windows

Configure Windows security policies to restrict non-administrator users from creating symbolic links in sensitive directories.

Use Group Policy Editor (gpedit.msc) to configure symbolic link policies under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Monitor installer directory

windows

Implement file system monitoring on Docker installer directories to detect symlink creation attempts.

Use Windows Event Log monitoring or third-party security tools to watch for symlink creation in %PROGRAMFILES%\Docker and related directories

🧯 If You Can't Patch

Implement strict access controls to prevent non-administrator users from creating symbolic links in system directories
Monitor for suspicious file creation activities in Docker installation directories and system log locations

🔍 How to Verify

Check if Vulnerable:

Check Docker Desktop version in Settings > About Docker Desktop. If version is below 4.6.0, system is vulnerable.

Check Version:

docker version --format '{{.Client.Version}}'

Verify Fix Applied:

Verify Docker Desktop version is 4.6.0 or higher in Settings > About Docker Desktop. Check that installer logs are written to secure locations.

📡 Detection & Monitoring

Log Indicators:

Unexpected file writes to system directories
Symlink creation events in Docker installation paths
Failed installer log writes

Network Indicators:

None - this is a local file system vulnerability

SIEM Query:

EventID=4656 OR EventID=4663 with TargetObject containing 'Docker' AND AccessMask containing 'WRITE_DAC' OR 'WRITE_OWNER'

📊 Metadata

CVE ID: CVE-2022-26659

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-59

Published: March 25, 2022

Last Updated: November 21, 2024

🔗 References

https://docs.docker.com/desktop/windows/release-notes/ Release Notes,Vendor Advisory
https://docs.docker.com/docker-for-windows/release-notes/ Release Notes,Vendor Advisory
https://github.com/hmnthabit/Advisories/blob/master/CVE-2022-26659.md Third Party Advisory
https://docs.docker.com/desktop/windows/release-notes/ Release Notes,Vendor Advisory
https://docs.docker.com/docker-for-windows/release-notes/ Release Notes,Vendor Advisory
https://github.com/hmnthabit/Advisories/blob/master/CVE-2022-26659.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26659, you might also want to check these: