CVE-2024-6222

7.0 HIGH

📋 TL;DR

This vulnerability allows an attacker who has already broken out of a Docker container into the Docker Desktop VM to further escape to the host operating system by sending malicious IPC messages related to extensions and dashboard. It affects Docker Desktop users on macOS, Linux, and Windows with Hyper-V backend before version 4.29.0. The risk is higher when the 'Allow only extensions distributed through the Docker Marketplace' setting is disabled.

💻 Affected Systems

Products:
  • Docker Desktop
Versions: All versions before 4.29.0
Operating Systems: macOS, Linux, Windows (with Hyper-V backend)
Default Config Vulnerable: ✅ No
Notes: Requires 'Allow only extensions distributed through the Docker Marketplace' setting to be disabled. Default configuration in versions before 4.31.0 was vulnerable if this setting was manually disabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full host compromise allowing the attacker to execute arbitrary code, access sensitive data, and pivot to other systems on the network.

🟠 Likely Case: Limited host access for attackers who have already achieved container breakout, potentially leading to data theft or lateral movement.

🟢 If Mitigated: No impact if proper version and configuration controls are in place, as the vulnerability requires both vulnerable software and a specific configuration.

🌐 Internet-Facing: LOW - Exploitation requires prior container breakout and specific configuration, making direct internet exploitation unlikely.
🏢 Internal Only: MEDIUM - Internal attackers with container access could exploit this if configuration allows, but requires multiple steps.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires: 1) Container breakout to Docker Desktop VM, 2) Disabled extension restriction setting, 3) Crafting malicious IPC messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.29.0 (fixes vulnerability), 4.31.0 (changes default configuration)

Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4290

Restart Required: Yes

Instructions:

1. Update Docker Desktop to version 4.29.0 or later.
2. Ensure 'Allow only extensions distributed through the Docker Marketplace' is enabled.
3. Restart Docker Desktop.

🔧 Temporary Workarounds

Enable Extension Restriction (applies to: all)

Enable the setting so that only extensions from the Docker Marketplace are allowed: open Docker Desktop Settings -> Extensions -> check 'Allow only extensions distributed through the Docker Marketplace'.

🧯 If You Can't Patch

  • Enable 'Allow only extensions distributed through the Docker Marketplace' setting in Docker Desktop
  • Implement strict container security policies to prevent initial container breakouts

🔍 How to Verify

Check if Vulnerable:

Check Docker Desktop version (must be <4.29.0) AND verify 'Allow only extensions distributed through the Docker Marketplace' setting is disabled.

Check Version:

docker version --format '{{.Client.Version}}' (reports the Docker CLI client version; the Docker Desktop release itself is listed in the Server section of plain `docker version` output as 'Docker Desktop x.y.z (build)')

Verify Fix Applied:

Confirm Docker Desktop version is 4.29.0 or higher AND 'Allow only extensions distributed through the Docker Marketplace' setting is enabled.
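Added example (not from the advisory or from Docker): a Python check that applies the two conditions above, comparing the Docker Desktop version against 4.29.0 as integer tuples and reading the extension restriction from settings.json. The settings.json locations and the `onlyMarketplaceExtensions` key are assumptions to confirm against your own install; `{{.Server.Platform.Name}}` is the `docker version` template field that carries the Desktop version string.

```python
import json
import os
import platform
import re
import subprocess
from pathlib import Path

FIXED_VERSION = (4, 29, 0)  # first Docker Desktop release fixing CVE-2024-6222
# Assumed settings.json key for "Allow only extensions distributed through the
# Docker Marketplace"; confirm it against your own settings file.
MARKETPLACE_ONLY_KEY = "onlyMarketplaceExtensions"
# Assumed settings.json locations per platform.
SETTINGS_PATHS = {
    "Darwin": Path.home() / "Library/Group Containers/group.com.docker/settings.json",
    "Windows": Path(os.environ.get("APPDATA", "")) / "Docker/settings.json",
    "Linux": Path.home() / ".docker/desktop/settings.json",
}


def parse_desktop_version(platform_name):
    """'Docker Desktop 4.28.0 (139021)' -> (4, 28, 0); None if not Desktop."""
    m = re.search(r"Docker Desktop (\d+)\.(\d+)\.(\d+)", platform_name)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(platform_name, settings):
    """Apply the advisory's two conditions. Versions are compared as integer
    tuples so that 4.9.0 < 4.10.0 (a plain string compare gets this wrong)."""
    version = parse_desktop_version(platform_name)
    outdated = version is not None and version < FIXED_VERSION
    restricted = settings.get(MARKETPLACE_ONLY_KEY)  # True / False / None
    return {
        "version": version,
        "outdated": outdated,
        # Vulnerable only when outdated AND the restriction is explicitly off.
        "vulnerable": outdated and restricted is False,
        # Outdated with the key absent: cannot tell, so flag for manual review.
        "needs_review": outdated and restricted is None,
    }


def assess_local_host():
    """Query the local Docker Desktop install (requires docker on PATH)."""
    name = subprocess.run(
        ["docker", "version", "--format", "{{.Server.Platform.Name}}"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    path = SETTINGS_PATHS.get(platform.system())
    settings = json.loads(path.read_text()) if path and path.exists() else {}
    return assess(name, settings)


if __name__ == "__main__":
    print(assess_local_host())
```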

📡 Detection & Monitoring

Log Indicators:

  • Unusual IPC message patterns from containers to Docker Desktop VM
  • Extension installation attempts from non-Marketplace sources

Network Indicators:

  • Unexpected IPC communication between containers and Docker Desktop components

SIEM Query:

Search for Docker Desktop logs containing 'extension', 'dashboard', or 'IPC' with suspicious source containers
