CVE-2023-5165
📋 TL;DR
CVE-2023-5165 lets an unprivileged user bypass Enhanced Container Isolation (ECI) in Docker Desktop by opening the debug shell, which stays reachable for a short window after Docker Desktop launches. ECI is a Docker Business feature, and the issue matters in environments where users are deliberately not given local root or Administrator rights and ECI is what keeps them from reaching the Docker Desktop VM. With ECI bypassed, containers run without the restrictions ECI enforces (user-namespace confinement of root in the container, the block on mounting the Docker Engine socket, the block on bind-mounting sensitive VM paths). Affected: Docker Desktop 4.13.0 up to but not including 4.23.0.
💻 Affected Systems
- Docker Desktop 4.13.0 through 4.22.x with Enhanced Container Isolation enabled (Docker Business); fixed in 4.23.0
📦 What is this software?
Docker Desktop is Docker's desktop application for macOS, Windows and Linux; it runs the Docker Engine inside a Linux VM and exposes it through the docker CLI. Enhanced Container Isolation, introduced in 4.13.0, is its Docker Business hardening mode: containers run through the Sysbox runtime so that even a privileged container cannot reach the Docker Desktop VM or the Engine socket.
⚠️ Risk & Real-World Impact
Worst Case
An unprivileged user runs containers outside ECI's restrictions, reaching the Docker Desktop VM and whatever the host shares into it (bind mounts, the Engine socket), and uses that to undo the separation the organization relies on ECI for.
Likely Case
A user who wants to work around ECI policy (for example to mount the Engine socket or a blocked host path) does so during the launch window, without needing root on the host.
If Mitigated
Limited: exploitation needs a local session and precise timing after launch, and only ECI-enabled installations are affected. Keeping the set of users who can start Docker Desktop small narrows it further.
🎯 Exploit Status
Requires local, interactive access to a machine running a vulnerable Docker Desktop with ECI enabled, plus reaching the debug shell during the short window after launch. Installations without ECI (non-Business, or ECI turned off) are not affected by this issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.23.0
Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4230
Restart Required: Yes
Instructions:
1. Open Docker Desktop.
2. Navigate to Settings > Software Updates.
3. Check for updates and install version 4.23.0 or later.
4. Restart Docker Desktop after installation completes.
🔧 Temporary Workarounds
Disable Docker Desktop auto-start (all platforms)
Stopping Docker Desktop from launching at sign-in removes the launches an attacker does not control, but it does not close the window: a user who can start Docker Desktop manually can still trigger it, so treat this as reduced exposure, not a fix.
# macOS: turn off Settings > General > "Start Docker Desktop when you sign in"
# Linux: Docker Desktop installs a systemd user unit; keep it from starting at login
systemctl --user disable docker-desktop
systemctl --user stop docker-desktop
# Windows: Task Manager > Startup apps, or the same toggle in Docker Desktop Settings > General
Restrict who can launch Docker Desktop (all platforms)
Only users who actually need Docker should be able to start the application. Note that the Linux `docker` group governs access to a host Docker Engine socket and does not control Docker Desktop or ECI, so trimming its membership is general hygiene rather than a mitigation for this issue.
# Linux (host Docker Engine): list docker group members and remove anyone who should not be there
getent group docker
# <user> is a placeholder for the account to remove
sudo gpasswd -d <user> docker
🧯 If You Can't Patch
- Restrict interactive access to machines that run Docker Desktop with ECI to the users who need it; the bypass requires a local session.
- Watch Docker Desktop's own logs and endpoint telemetry for shells spawned from Docker Desktop processes shortly after launch, and for containers started with options ECI should refuse (Engine socket mounts, bind mounts of Docker Desktop VM paths).
🔍 How to Verify
Check if Vulnerable:
Check the Docker Desktop version (not the docker CLI version): anything from 4.13.0 up to and including 4.22.x is vulnerable when ECI is enabled. Versions before 4.13.0 predate ECI, so the bypass does not apply to them.
Check Version:
# Docker Desktop version check. {{.Client.Version}} would report the docker CLI version
# (e.g. 24.0.x), which is not the Desktop release; the Desktop version is in the
# server platform name, e.g. "Docker Desktop 4.22.1 (118664)"
docker version --format '{{.Server.Platform.Name}}'
# Or: Docker Desktop > Settings > About
Verify Fix Applied:
Confirm the Docker Desktop version is 4.23.0 or higher, that Settings > General shows "Use Enhanced Container Isolation" enabled (locked by Settings Management where you use it), and that ECI is actually enforcing: with ECI on, a container that tries to bind-mount the Docker Engine socket (docker run -v /var/run/docker.sock:/var/run/docker.sock ...) is refused.
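A version check for the affected range, as an added example that is not from Docker or from this advisory. The pure functions run offline on a constructed sample string; the live checks (behind a `--live` flag that is this example's own) assume the docker CLI is on PATH, that `docker version --format '{{.Server.Platform.Name}}'` returns a string of the form "Docker Desktop X.Y.Z (build)", and that the `alpine:3` image can be pulled. The sample platform string and its build number are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Docker project or the original advisory): classify a
# Docker Desktop version against the CVE-2023-5165 affected range,
# 4.13.0 <= version < 4.23.0, and optionally check the running installation.

# Pull "4.22.1" out of the string returned by
#   docker version --format '{{.Server.Platform.Name}}'
# which looks like "Docker Desktop 4.22.1 (123456)". Prints nothing if no version is found.
desktop_version_from_platform() {
    printf '%s\n' "$1" |
        sed -n 's/.*Docker Desktop \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric comparison of dotted versions (missing components count as 0).
# Prints -1, 0 or 1 for a < b, a == b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Exit status 0 when the version is inside the affected range, 1 otherwise.
is_vulnerable_version() {
    [ "$(vercmp "$1" 4.13.0)" -ge 0 ] && [ "$(vercmp "$1" 4.23.0)" -lt 0 ]
}

# Prints one word for a platform string: vulnerable, fixed, pre-eci (older than
# 4.13.0, which introduced ECI, so the bypass does not apply) or unknown.
classify_platform_string() {
    v=$(desktop_version_from_platform "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif [ "$(vercmp "$v" 4.13.0)" -lt 0 ]; then
        echo pre-eci
    elif is_vulnerable_version "$v"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Live check against the Docker Desktop on this machine (needs the docker CLI on PATH).
check_running_desktop() {
    command -v docker >/dev/null 2>&1 || { echo "docker CLI not on PATH" >&2; return 2; }
    platform=$(docker version --format '{{.Server.Platform.Name}}' 2>/dev/null) ||
        { echo "cannot reach the Docker Desktop engine; is it running?" >&2; return 2; }
    printf '%s -> %s\n' "$platform" "$(classify_platform_string "$platform")"
}

# ECI refuses to bind-mount the Docker Engine socket into a container. A run that
# succeeds means ECI is not enforcing; a refusal means it is, unless the image simply
# failed to pull, so read the error text before concluding.
eci_socket_mount_check() {
    if out=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock alpine:3 true 2>&1); then
        echo "socket mount ALLOWED: ECI is not enforcing"
        return 1
    fi
    echo "socket mount refused: $out"
}

# Constructed sample output, not captured from a real host.
SAMPLE_PLATFORM='Docker Desktop 4.22.1 (123456)'
printf '%s -> %s\n' "$SAMPLE_PLATFORM" "$(classify_platform_string "$SAMPLE_PLATFORM")"

# --live is this example's own flag: run the checks against the local installation.
if [ "${1:-}" = --live ]; then
    check_running_desktop
    eci_socket_mount_check
fi
```

Run it with no arguments to see the classification of the constructed sample; run it with `--live` on a workstation to classify the installed Docker Desktop and to confirm ECI refuses the socket mount. The awk-based comparison is used instead of `sort -V` so the script stays POSIX and behaves the same on macOS and Linux.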
📡 Detection & Monitoring
Log Indicators:
- Docker Desktop does not emit a dedicated "debug shell" event. Review its own logs (macOS: ~/Library/Containers/com.docker.docker/Data/log/, Windows: %LOCALAPPDATA%\Docker\log, Linux: ~/.docker/desktop/log/) together with endpoint process telemetry for shells spawned from Docker Desktop processes shortly after launch
- Containers started with options ECI should refuse (Engine socket mounts, bind mounts of Docker Desktop VM paths) that nevertheless succeed
- Unexpected privileged activity inside the Docker Desktop VM
Network Indicators:
- Unusual container-to-host traffic; this is a weak signal here, since the bypass itself is entirely local
SIEM Query:
The query below is illustrative only. "debug_shell_access" and "container_escape_attempt" are placeholder event names that Docker Desktop does not log; map them to whatever your endpoint agent actually records before using it.
source="docker" AND (event="debug_shell_access" OR event="container_escape_attempt")