CVE-2023-34844
📋 TL;DR
CVE-2023-34844 is a critical container escape vulnerability in Play With Docker versions before 0.0.2 that allows attackers to break out of Docker containers and gain root access to the host system. This affects anyone running vulnerable Play With Docker instances, particularly in development or testing environments. The vulnerability stems from insecure CAP_SYS_ADMIN privileged mode configuration.
💻 Affected Systems
- Play With Docker
📦 What is this software?
Play With Docker by Play With Docker Project
⚠️ Risk & Real-World Impact
Worst Case
Complete host system compromise with root privileges, allowing attackers to access all containers, steal sensitive data, install persistent backdoors, and pivot to other systems on the network.
Likely Case
Container escape leading to host file system access, credential theft from other containers, and potential lateral movement within the environment.
If Mitigated
Limited impact if containers run with minimal privileges, proper network segmentation, and host hardening measures are in place.
🎯 Exploit Status
Exploitation requires access to the Play With Docker interface but doesn't require authentication to the underlying container. The CAP_SYS_ADMIN capability provides extensive system privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.2
Vendor Advisory: https://github.com/play-with-docker/play-with-docker/releases/tag/v0.0.2
Restart Required: Yes
Instructions:
1. Stop all Play With Docker instances.
2. Update to version 0.0.2 or later.
3. Restart the service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable CAP_SYS_ADMIN
Remove the CAP_SYS_ADMIN capability from Docker containers to prevent privilege escalation
docker run --cap-drop=CAP_SYS_ADMIN [your_image]
Use User Namespace Remapping
Enable user namespace remapping to isolate container users from host users
Edit /etc/docker/daemon.json and add: {"userns-remap": "default"}
systemctl restart docker
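To check whether the two workarounds above are actually in effect on a host, the following added audit script (not part of the advisory or the Play With Docker project) parses `docker inspect` output and /etc/docker/daemon.json. It flags containers that hold CAP_SYS_ADMIN either through `--privileged` (which grants every capability, so `--cap-drop` alone does not neutralise it) or through an explicit `--cap-add`, and reports whether `userns-remap` is configured; the container names and JSON below are constructed samples.

```python
import json

# Constructed sample of `docker inspect <containers>` output (not real data).
# In practice: docker inspect $(docker ps -q)
SAMPLE_INSPECT = json.dumps([
    {"Name": "/pwd-dind",
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None}},
    {"Name": "/app-admin",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None}},
    {"Name": "/app-hardened",
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["CAP_SYS_ADMIN"]}},
])

# Constructed sample of /etc/docker/daemon.json without the userns-remap workaround.
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file"}'


def normalize_cap(name):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    name = name.upper()
    return name if name.startswith("CAP_") else "CAP_" + name


def audit_containers(inspect_json):
    """Return {container_name: reason} for containers that can hold CAP_SYS_ADMIN.

    --privileged grants all capabilities regardless of CapDrop, so it always
    flags. An explicit --cap-add of SYS_ADMIN (or ALL) is flagged as well;
    the check is deliberately conservative and does not try to model how a
    simultaneous --cap-drop of the same capability would be resolved.
    """
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        cap_add = {normalize_cap(x) for x in (hc.get("CapAdd") or [])}
        if hc.get("Privileged"):
            findings[c["Name"]] = "runs with --privileged (grants CAP_SYS_ADMIN)"
        elif cap_add & {"CAP_SYS_ADMIN", "CAP_ALL"}:
            findings[c["Name"]] = "CAP_SYS_ADMIN granted via --cap-add"
    return findings


def userns_remap_enabled(daemon_json):
    """True when daemon.json carries a non-empty 'userns-remap' setting."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return bool(cfg.get("userns-remap"))


if __name__ == "__main__":
    for name, reason in audit_containers(SAMPLE_INSPECT).items():
        print(f"FLAG {name}: {reason}")
    print("userns-remap enabled:", userns_remap_enabled(SAMPLE_DAEMON_JSON))
```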
🧯 If You Can't Patch
- Isolate Play With Docker instances on separate network segments with strict firewall rules
- Implement strict access controls and monitor all container activity for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check Play With Docker version: docker exec [container_name] cat /app/version.txt or inspect the web interface
Check Version:
docker exec [play-with-docker-container] cat /app/version.txt
Verify Fix Applied:
Confirm version is 0.0.2 or higher and test container escape attempts fail
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts in container logs
- CAP_SYS_ADMIN capability usage in Docker daemon logs
- Unexpected process execution on host from container context
Network Indicators:
- Unexpected network connections from containers to sensitive host services
- Container attempting to scan internal network
SIEM Query:
source="docker" AND ("CAP_SYS_ADMIN" OR "privilege escalation" OR "container escape")