CVE-2023-0629
📋 TL;DR
This vulnerability allows unprivileged users on Docker Desktop to bypass Enhanced Container Isolation (ECI) restrictions by connecting to Docker's raw socket or named pipe. This affects Docker Business customers running Docker Desktop versions 4.13.0 through 4.16.0, enabling them to launch containers without ECI's additional security hardening.
💻 Affected Systems
- Docker Desktop
⚠️ Risk & Real-World Impact
Worst Case
An unprivileged user could launch containers without Enhanced Container Isolation protections, potentially escaping container boundaries and compromising the host system.
Likely Case
Users with local access but without administrative privileges could bypass container security controls, reducing the effectiveness of Docker's security features for Business customers.
If Mitigated
With proper access controls and monitoring, the impact is limited to potential container security bypass without host compromise.
🎯 Exploit Status
Exploitation requires local user access and knowledge of Docker CLI commands. No authentication bypass needed beyond local user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.0
Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4170
Restart Required: Yes
Instructions:
1. Open Docker Desktop.
2. Navigate to Settings > Software Updates.
3. Check for updates and install version 4.17.0 or later.
4. Restart Docker Desktop after installation.
🔧 Temporary Workarounds
Restrict Docker socket access
Linux: Limit access to Docker's raw socket and named pipe to prevent unauthorized connections.
chmod 660 /var/run/docker.sock
chown root:docker /var/run/docker.sock
Monitor Docker host connections
Linux: Monitor for unauthorized connections to Docker's raw socket or named pipe.
auditctl -w /var/run/docker.sock -p rwxa -k docker_socket
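To confirm the socket-permission workaround is actually in place on a host (and stays in place after restarts or updates), the following added example audits the socket's mode, owner and group and reports every deviation from the chmod 660 / root:docker state above. This is example code written for this page, not Docker's own tooling; the socket path /var/run/docker.sock and the group name docker are assumptions taken from the commands above, and the check is Unix-only because it uses the grp module.

```python
import grp
import os
import stat
from typing import List

# Assumed socket path and group, matching the chmod/chown workaround commands.
DEFAULT_SOCKET = "/var/run/docker.sock"
DEFAULT_GROUP = "docker"


def evaluate_socket(perm: int, uid: int, group: str,
                    expected_group: str = DEFAULT_GROUP) -> List[str]:
    """Pure check on already-collected metadata (permission bits, owner uid,
    group name). Returns a list of findings; an empty list means the socket
    matches the workaround: mode 0660, owner root, group `expected_group`."""
    findings = []
    if perm & stat.S_IRWXO:
        # Any "other" bit lets every local user talk to the daemon directly.
        findings.append(f"world-accessible: mode {perm:04o}, expected 0660")
    elif perm != 0o660:
        findings.append(f"unexpected mode {perm:04o}, expected 0660")
    if uid != 0:
        findings.append(f"owner uid {uid}, expected root (0)")
    if group != expected_group:
        findings.append(f"group {group!r}, expected {expected_group!r}")
    return findings


def check_socket(path: str = DEFAULT_SOCKET,
                 expected_group: str = DEFAULT_GROUP) -> List[str]:
    """Stat the real socket and run evaluate_socket on what the kernel reports."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} not found"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a socket"]
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        # gid with no /etc/group entry: report the number so the finding is still useful
        group = str(st.st_gid)
    return evaluate_socket(stat.S_IMODE(st.st_mode), st.st_uid, group, expected_group)


if __name__ == "__main__":
    import sys
    problems = check_socket()
    for finding in problems:
        print(f"{DEFAULT_SOCKET}: {finding}")
    print("socket hardening: " + ("FAIL" if problems else "OK"))
    sys.exit(1 if problems else 0)
```

Run it from a configuration-management or cron job and alert on a non-zero exit; because evaluate_socket is separated from os.stat, the same logic can be applied to metadata collected remotely by an inventory agent.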
🧯 If You Can't Patch
- Implement strict access controls to limit who can run Docker commands on affected systems
- Monitor for unusual Docker CLI usage patterns, particularly connections to docker.raw.sock or named pipes
🔍 How to Verify
Check if Vulnerable:
Check Docker Desktop version: if version is between 4.13.0 and 4.16.0 inclusive, and Enhanced Container Isolation is enabled, the system is vulnerable.
Check Version:
docker version --format '{{.Client.Version}}'
Verify Fix Applied:
Verify Docker Desktop version is 4.17.0 or later using the version check command.
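The version test above is a closed range (4.13.0 through 4.16.0 inclusive) gated on ECI being enabled, which is easy to get wrong with string comparison ("4.9.0" sorts after "4.16.0"). The following added example, written for this page and not part of Docker's tooling, parses the version into integers and applies the advisory's range exactly. It assumes the input is a Docker Desktop version string such as "4.16.0"; the helper that shells out to `docker version` is an assumption about the environment and is only used when the script is run directly, and the `{{.Server.Platform.Name}}` template it uses is my assumption of where Docker Desktop reports its own version, not something the advisory states.

```python
import re
import subprocess
from typing import Optional, Tuple

# Inclusive vulnerable range and first fixed release, from the advisory.
VULNERABLE_MIN = (4, 13, 0)
VULNERABLE_MAX = (4, 16, 0)
FIXED_VERSION = (4, 17, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z version from a string such as '4.16.0' or
    'Docker Desktop 4.16.0 (96739)'. Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str, eci_enabled: bool = True) -> bool:
    """True when the version lies in 4.13.0..4.16.0 (inclusive) and ECI is enabled.
    Tuple comparison is numeric, so 4.9.0 < 4.13.0 as intended."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no X.Y.Z version found in {version_text!r}")
    return eci_enabled and VULNERABLE_MIN <= version <= VULNERABLE_MAX


def is_fixed(version_text: str) -> bool:
    """True when the version is 4.17.0 or later."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no X.Y.Z version found in {version_text!r}")
    return version >= FIXED_VERSION


def query_docker_version(template: str = "{{.Server.Platform.Name}}") -> Optional[str]:
    """Assumption: ask the local docker CLI for the server platform name.
    Returns None if docker is missing, unreachable, or times out."""
    try:
        result = subprocess.run(["docker", "version", "--format", template],
                                capture_output=True, text=True, timeout=15, check=True)
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    reported = query_docker_version()
    if reported is None or parse_version(reported) is None:
        print("could not determine Docker Desktop version; check Settings > About")
    else:
        # ECI state is not exposed here; assume enabled (worst case) for triage.
        state = "VULNERABLE" if is_vulnerable(reported) else ("fixed" if is_fixed(reported) else "not in affected range")
        print(f"{reported}: {state}")
```

Treat the ECI flag as an input rather than hard-coding it: a host in the affected range with ECI disabled is not exposed to this bypass, but it is also missing the hardening ECI provides, which is usually the more important finding.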
📡 Detection & Monitoring
Log Indicators:
- Docker CLI connections to docker.raw.sock or named pipes
- Containers launched with -H flag pointing to raw socket
Network Indicators:
- Local connections to Docker socket or named pipe from non-privileged users
SIEM Query:
process_name="docker" AND (command_line="*docker.raw.sock*" OR command_line="*npipe:////.pipe/docker_engine_linux*")
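The query above is really two conditions: the process must be the docker CLI, and its command line must reference either the raw socket or the named pipe; without parentheses, most SIEM query languages would evaluate it as `(process_name AND raw.sock) OR npipe` and match any process mentioning the pipe. The following added example, written for this page and not part of any SIEM product, applies the intended logic to a handful of constructed process-creation events so the rule can be tested before deployment. The key=value log format and the sample users are assumptions; it also normalises `docker.exe` and full paths to `docker`, which the one-line query does not do and which matters for the named-pipe (Windows) case.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator strings from the advisory's detection section.
INDICATORS = ("docker.raw.sock", "npipe:////.pipe/docker_engine_linux")

# Constructed sample events (assumed key=value format; adapt parse_event to
# your SIEM's export). Only alice and carol should be flagged.
SAMPLE_LOG = [
    'user=alice process_name=docker command_line="docker -H unix:///var/run/docker.raw.sock run -it alpine"',
    'user=bob process_name=docker command_line="docker run -it alpine"',
    'user=carol process_name=docker.exe command_line="docker -H npipe:////.pipe/docker_engine_linux run alpine"',
    'user=dave process_name=bash command_line="ls -l /var/run/docker.raw.sock"',
    'user=erin process_name=docker command_line="docker -H unix:///var/run/docker.sock ps"',
]


@dataclass
class Event:
    user: str
    process_name: str
    command_line: str


# key=value pairs; the value is either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Event:
    """Parse one key=value log line into an Event (missing keys become '')."""
    fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}
    return Event(fields.get("user", ""), fields.get("process_name", ""),
                 fields.get("command_line", ""))


def is_docker_cli(process_name: str) -> bool:
    """True for 'docker', 'docker.exe', or either with a leading path.
    Deliberately excludes 'dockerd' and other docker-* processes."""
    name = process_name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name == "docker"


def matches_indicator(event: Event) -> bool:
    """process is the docker CLI AND (raw socket OR named pipe in command line)."""
    return is_docker_cli(event.process_name) and any(
        indicator in event.command_line for indicator in INDICATORS)


def scan(lines: List[str]) -> List[Event]:
    """Return the events that match the rule, in log order."""
    return [event for event in map(parse_event, lines) if matches_indicator(event)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT user={hit.user} process={hit.process_name} cmd={hit.command_line}")
```

Note that erin's event, which talks to the normal docker.sock, is not flagged: the rule is specific to the raw socket and the Linux-engine named pipe, which is what distinguishes an ECI bypass from ordinary Docker CLI use. To restrict alerts to non-privileged users as the Network Indicators entry suggests, filter the returned events against your list of administrative accounts.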