CVE-2023-0625

8.0 HIGH

📋 TL;DR

This vulnerability in Docker Desktop allows remote code execution (RCE) when a malicious extension description or changelog is processed. Attackers can exploit this to run arbitrary code on the host system. It affects all Docker Desktop users running versions before 4.12.0.

💻 Affected Systems

Products:
  • Docker Desktop
Versions: Before 4.12.0
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable; no special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining root/administrator privileges, enabling data theft, ransomware deployment, or lateral movement across networks.

🟠 Likely Case

Local privilege escalation or execution of malicious payloads via crafted extensions, potentially leading to data exfiltration or persistence mechanisms.

🟢 If Mitigated

Limited impact if extensions are restricted to trusted sources and network segmentation is enforced, though risk remains while vulnerable software is present.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction, such as installing a malicious extension, but no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.12.0

Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4120

Restart Required: Yes

Instructions:

1. Open Docker Desktop.
2. Go to Settings > Software Updates.
3. Check for updates and install version 4.12.0 or later.
4. Restart Docker Desktop after installation.

🔧 Temporary Workarounds

Disable Extension Installation

Platforms: all

Avoid installing new extensions until patched, and disable or remove extensions that are already installed, so that no untrusted extension description or changelog is processed:

docker extension disable <extension-name>
docker extension rm <extension-name>

Restrict Extension Sources

Platforms: all

Only allow extensions from trusted, verified repositories. Configure Docker Desktop settings to allowlist specific extension sources.

🧯 If You Can't Patch

  • Isolate Docker Desktop instances on segmented networks to limit lateral movement.
  • Implement strict access controls and monitor for unusual extension activity or process execution.

🔍 How to Verify

Check if Vulnerable:

Check the Docker Desktop release number; if it is below 4.12.0, the system is vulnerable. Note that the Docker CLI client version is distinct from the Docker Desktop release number: confirm the Desktop release in the Docker Desktop UI (About / Settings) or on the `Server:` line of `docker version`.

Check Version:

docker version --format '{{.Client.Version}}'

Verify Fix Applied:

Confirm Docker Desktop version is 4.12.0 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension installation logs
  • Suspicious process execution from Docker Desktop

Network Indicators:

  • Unexpected outbound connections from Docker Desktop to external IPs

SIEM Query:

source="docker-desktop" AND (event="extension_install" OR event="process_start")
