CVE-2022-34292
📋 TL;DR
This vulnerability in Docker Desktop for Windows allows attackers to overwrite arbitrary files through a symlink attack on the hyperv/create dockerBackendV2 API endpoint. Attackers can control the DataFolder parameter to manipulate DockerDesktop.vhdx files, potentially leading to privilege escalation or system compromise. Only Windows users running vulnerable Docker Desktop versions are affected.
💻 Affected Systems
- Docker Desktop for Windows
📦 What is this software?
Desktop by Docker
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary file overwrite leading to privilege escalation, persistence mechanisms, or complete control of the host system.
Likely Case
Local privilege escalation allowing attackers to gain elevated permissions on the Windows host system where Docker Desktop is installed.
If Mitigated
Limited impact with proper access controls, network segmentation, and least privilege principles in place.
🎯 Exploit Status
Exploitation requires local access to the Windows system and knowledge of the API endpoint. The CyberArk research provides technical details about the attack methodology.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.0 and later
Vendor Advisory: https://docs.docker.com/desktop/release-notes/#docker-desktop-460
Restart Required: Yes
Instructions:
1. Open the Docker Desktop application.
2. Click on the Settings/Preferences menu.
3. Navigate to Software Updates.
4. Check for updates and install version 4.6.0 or later.
5. Restart Docker Desktop and the host system if prompted.
🔧 Temporary Workarounds
Disable Hyper-V backend
Windows: switch Docker Desktop to the WSL 2 backend instead of Hyper-V to avoid the vulnerable API endpoint:
docker-desktop.exe --switch-backend wsl2
Restrict API access
Windows: configure Windows Firewall to block access to Docker Desktop API endpoints from unauthorized users.
🧯 If You Can't Patch
- Implement strict access controls to limit who can run Docker Desktop on Windows systems
- Monitor for suspicious file operations involving DockerDesktop.vhdx or symlink creation in Docker-related directories
🔍 How to Verify
Check if Vulnerable:
Check the Docker Desktop version in Settings > About Docker Desktop, or run: docker version --format '{{.Client.Version}}'
Check Version:
docker version --format '{{.Client.Version}}'
Verify Fix Applied:
Confirm Docker Desktop version is 4.6.0 or higher and verify the hyperv/create API endpoint has proper symlink validation
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to hyperv/create endpoint
- Suspicious file operations on DockerDesktop.vhdx
- Symlink creation in Docker data directories
Network Indicators:
- Local API calls to Docker Desktop endpoints from unexpected processes
SIEM Query:
Process creation where command_line contains 'dockerBackendV2' AND target_file contains 'DockerDesktop.vhdx'
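The following PowerShell script is an added example, not part of the advisory or of Docker's own tooling. It ties together the "How to Verify" and "Detection & Monitoring" sections: it compares the installed Docker Desktop version against the fixed release 4.6.0 and then lists reparse points (symlinks and junctions) under the Docker data directories, since symlink creation there is one of the log indicators above. The install path, the use of the FileVersion property of "Docker Desktop.exe" as the Desktop release number, and the list of data directories are assumptions, not facts from the page; adjust them to the DataFolder your installation actually uses.

```powershell
# Added example (not from the advisory): verify the Docker Desktop version against the
# fixed release and look for symlinks/junctions in Docker data directories.
# Assumptions (not stated on the page): the default install path, that the FileVersion
# of "Docker Desktop.exe" matches the Docker Desktop release number, and the data
# directory list below.

$FixedVersion = [version]'4.6.0'   # first patched release per the advisory

# Assumed default install location of Docker Desktop for Windows
$DesktopExe = Join-Path $env:ProgramFiles 'Docker\Docker\Docker Desktop.exe'

function Get-DockerDesktopVersion {
    if (-not (Test-Path -LiteralPath $DesktopExe)) { return $null }
    $raw = (Get-Item -LiteralPath $DesktopExe).VersionInfo.FileVersion
    # FileVersion may carry extra parts (e.g. a build number); keep the first three numeric fields
    $parts = @($raw -split '[^\d]+' | Where-Object { $_ -ne '' } | Select-Object -First 3)
    if ($parts.Count -lt 2) { return $null }
    return [version]($parts -join '.')
}

function Test-DockerDesktopPatched {
    $v = Get-DockerDesktopVersion
    if ($null -eq $v) {
        Write-Warning 'Docker Desktop version could not be determined at the assumed path'
        return $false
    }
    Write-Host "Docker Desktop version: $v (fixed in $FixedVersion)"
    return ($v -ge $FixedVersion)
}

# Data directories to inspect for reparse points. These are assumed locations;
# point this list at the DataFolder your installation uses.
$DataDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Docker'),
    (Join-Path $env:ProgramData 'DockerDesktop'),
    'C:\Users\Public\Documents\Hyper-V\Virtual hard disks'
)

function Find-DockerReparsePoints {
    foreach ($dir in $DataDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Attributes ReparsePoint returns only symlinks, junctions and other reparse points
        Get-ChildItem -LiteralPath $dir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Select-Object FullName, LinkType, Target, LastWriteTime
    }
}

if (Test-DockerDesktopPatched) {
    Write-Host 'Version is at or above the fixed release.'
} else {
    Write-Warning 'Version is below 4.6.0 (or unknown): treat the host as vulnerable and update.'
}

$links = @(Find-DockerReparsePoints)
if ($links.Count -gt 0) {
    Write-Warning "Found $($links.Count) reparse point(s) in Docker data directories; review them:"
    $links | Format-Table -AutoSize
} else {
    Write-Host 'No reparse points found in the inspected Docker data directories.'
}
```

Run it from an elevated PowerShell session so that every data directory is readable. A reparse point under a Docker data directory is not proof of exploitation (some tooling creates junctions legitimately), but on a host below 4.6.0 each hit should be reviewed against who created it and when.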
🔗 References
- https://docs.docker.com/desktop/release-notes/#docker-desktop-460
- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2