CVE-2024-41110
📋 TL;DR
This vulnerability allows attackers to bypass Docker authorization plugins by sending specially-crafted API requests where the request/response body isn't forwarded to the plugin. This affects Docker Engine users who rely on AuthZ plugins that inspect request/response bodies for access control decisions.
💻 Affected Systems
- Docker Engine (Moby)
- docker-ce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized actions including privilege escalation, container escape, or resource manipulation if AuthZ plugins are bypassed.
Likely Case
Limited unauthorized API calls within Docker's capabilities, depending on what the AuthZ plugin was protecting.
If Mitigated
No impact if AuthZ plugins aren't used or Docker API access is properly restricted.
🎯 Exploit Status
Requires API access and knowledge of crafting requests that bypass body forwarding. Base likelihood of exploitation is low according to description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: docker-ce v27.1.1
Vendor Advisory: https://github.com/moby/moby/security/advisories
Restart Required: Yes
Instructions:
1. Stop Docker service: 'sudo systemctl stop docker'
2. Update Docker: 'sudo apt-get update && sudo apt-get install docker-ce=27.1.1' (adjust for your package manager)
3. Start Docker: 'sudo systemctl start docker'
🔧 Temporary Workarounds
Disable AuthZ plugins
Remove or disable authorization plugins that inspect request/response bodies
Edit /etc/docker/daemon.json and remove authorization plugin configuration
Restart Docker: sudo systemctl restart docker
Restrict Docker API access
Limit Docker daemon API access to trusted networks and users
Configure Docker daemon to bind to specific IP: 'dockerd -H tcp://192.168.1.100:2375'
Use TLS authentication for Docker API
🧯 If You Can't Patch
- Disable all authorization plugins that inspect request/response bodies
- Restrict Docker daemon API access to only trusted, authenticated users and networks
🔍 How to Verify
Check if Vulnerable:
You are affected if the Docker Engine version is between 18.09.2 and 27.1.0 and an AuthZ plugin that inspects request/response bodies is in use; both conditions must hold.
Check Version:
docker version --format '{{.Server.Version}}'
Verify Fix Applied:
Verify Docker version is 27.1.1 or later, or check that AuthZ plugins are disabled
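The "Check if Vulnerable" item above combines two conditions: an engine version in the affected range and an authorization plugin actually configured. The script below, an added example that is not part of this advisory or of the Moby project, turns that into a first-pass screen. It uses the version command given above and the /etc/docker/daemon.json path from the workaround section; the function names, the status words it prints, and the `--live` switch are this example's own. It applies the 18.09.2 to 27.1.0 range exactly as stated on this page, so distribution builds that backport the fix into an older branch must be checked against their own advisories.

```shell
#!/bin/sh
# Added example, not from the advisory or the Moby project: a first-pass screen for
# CVE-2024-41110 that tests both conditions the advisory names, (1) Docker Engine
# version within 18.09.2 .. 27.1.0 and (2) an authorization plugin configured,
# either in /etc/docker/daemon.json or via dockerd's --authorization-plugin flag.
# Function and status names are this example's own.

# version_cmp A B -> prints -1, 0 or 1. Non-numeric suffixes such as "-rc1" or
# "+azure" are dropped; components compare numerically, so "18.09" == "18.9".
version_cmp() {
  printf '%s %s\n' "$1" "$2" | awk '{
    sub(/[^0-9.].*/, "", $1); sub(/[^0-9.].*/, "", $2)
    na = split($1, a, "."); nb = split($2, b, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? a[i] + 0 : 0
      y = (i <= nb) ? b[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# version_affected V -> true when 18.09.2 <= V <= 27.1.0 (the range this page gives;
# backported fixes in older release branches are not modelled here).
version_affected() {
  [ "$(version_cmp "$1" 18.09.2)" -ge 0 ] && [ "$(version_cmp "$1" 27.1.0)" -le 0 ]
}

# authz_plugin_in_daemon_json FILE -> true when "authorization-plugins" lists at
# least one plugin name. Newlines are collapsed first so multi-line JSON matches;
# an empty array ("authorization-plugins": []) counts as disabled.
authz_plugin_in_daemon_json() {
  [ -r "$1" ] || return 1
  tr -d '\n' < "$1" | grep -Eq '"authorization-plugins"[[:space:]]*:[[:space:]]*\[[[:space:]]*"'
}

# authz_plugin_in_cmdline CMDLINE -> true when dockerd was started with
# --authorization-plugin=<name> or --authorization-plugin <name>.
authz_plugin_in_cmdline() {
  printf '%s\n' "$1" | grep -Eq -e '--authorization-plugin[= ][^ -]'
}

# assess VERSION DAEMON_JSON CMDLINE -> prints NOT-IN-RANGE, NO-AUTHZ-PLUGIN or VULNERABLE.
assess() {
  if ! version_affected "$1"; then
    echo NOT-IN-RANGE
  elif authz_plugin_in_daemon_json "$2" || authz_plugin_in_cmdline "$3"; then
    echo VULNERABLE
  else
    echo NO-AUTHZ-PLUGIN
  fi
}

# Live run against this host when invoked as "./check.sh --live". Uses the version
# command from the advisory; the dockerd command line is read with procps "ps" (Linux).
if [ "${1:-}" = "--live" ]; then
  ver=$(docker version --format '{{.Server.Version}}') || { echo "docker daemon not reachable" >&2; exit 2; }
  cmd=$(ps -o args= -C dockerd 2>/dev/null || true)
  echo "$ver: $(assess "$ver" /etc/docker/daemon.json "$cmd")"
fi
```

VULNERABLE means "patch or apply a workaround", NO-AUTHZ-PLUGIN means the bypass has nothing to bypass on this host (patching is still the right precaution), and NOT-IN-RANGE means the version alone rules it out as far as this page's range goes. Because an empty `"authorization-plugins": []` counts as disabled, the same script doubles as the "Verify Fix Applied" check after the workaround in /etc/docker/daemon.json has been applied and the daemon restarted.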
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to Docker daemon
- AuthZ plugin denials followed by successful similar requests
- Requests with missing or malformed bodies
Network Indicators:
- Unusual Docker API traffic patterns
- Requests to Docker API from unauthorized sources
SIEM Query:
source="docker" AND ("authorization" OR "authz") AND ("bypass" OR "missing body" OR "malformed request")
🔗 References
- https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
- https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
- https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
- https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
- https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
- https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
- https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
- https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
- https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
- https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
- https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
- https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
- https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html
- https://security.netapp.com/advisory/ntap-20240802-0001/