CVE-2024-41110 - Vulnerability Patching Notice - Docker AuthZ Bypass

Vulnerability Title

AuthZ Plugin Bypass Regression in Docker Engine

CVE Number

CVE-2024-41110

CVSS Score (Highest)

10.0 CRITICAL (From GitHub)

UKRI/STFC Criticality Rating

CRITICAL

Vulnerability Notification Date

10/09/2024

Action Completion Date

24/09/2024

Affected Components

Software components: docker-ce (moby)

Affected Versions:
<= v19.03.15
<= v20.10.27
<= v23.0.14
<= v24.0.9
<= v25.0.5
<= v26.0.2
<= v26.1.4
<= v27.0.3
<= v27.1.0

Impacted Operating Systems

All Operating Systems running the above software packages are affected.

Brief Summary

“Docker’s default authorization model is all-or-nothing. Users with access to the Docker daemon can execute any Docker command. For greater access control, authorization plugins (AuthZ) can be used. These plugins approve or deny requests to the Docker daemon based on authentication and command context.

In 2018, a security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later versions, resulting in a regression.” - Docker Security Advisory: AuthZ Plugin Bypass Regression in Docker Engine | Docker

Links to detailed information

Information from the NVD at NIST (US) and Links to patch commits:
https://nvd.nist.gov/vuln/detail/CVE-2024-41110

GitHub Security Advisory:
Authz zero length regression (GHSA-v23v-6jw2-98fq, moby/moby):
https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq

Docker Community Notice:
Docker Security Advisory: AuthZ Plugin Bypass Regression in Docker Engine | Docker
https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/

CWE - Common Weakness Enumeration (Category)

CWE - CWE-863: Incorrect Authorization (4.15)
CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (4.15)
CWE - CWE-187: Partial String Comparison (4.15)

Patched Component Versions

Software Component: docker-ce

Patched Versions (the first fixed release in each maintained branch, and anything later in that branch):
> v23.0.14 (v23.0.15 and later)
> v26.1.4 (v26.1.5 and later)
> v27.1.0 (v27.1.1 and later)

No fix was released for the v19.03, v20.10, v24.0, v25.0 and v26.0 branches. Hosts on those branches cannot be made safe by taking the latest release of their own branch; they must be moved to one of the patched branches above.

How do I check if my machine is affected?

Ubuntu 20.04 Focal

Run the following command to check the installed version of docker-ce (dpkg-query reports the package that is actually installed; apt info only reports the candidate version in the repository):
dpkg-query -W -f='${Version}\n' docker-ce

Then confirm what the running daemon reports, in case the package was upgraded but dockerd was not restarted:
docker version --format '{{.Server.Version}}'

Ignoring the "5:" epoch and the Debian revision suffix in the package version, you are affected if it is 23.0.14 or lower on the 23.0 branch, 26.1.4 or lower on the 26.1 branch, 27.1.0 or lower on the 27 branch, or on any branch that received no fix (19.03, 20.10, 24.0, 25.0, 26.0).

Ubuntu 22.04 Jammy

Run the following command to check the installed version of docker-ce (dpkg-query reports the package that is actually installed; apt info only reports the candidate version in the repository):
dpkg-query -W -f='${Version}\n' docker-ce

Then confirm what the running daemon reports, in case the package was upgraded but dockerd was not restarted:
docker version --format '{{.Server.Version}}'

Ignoring the "5:" epoch and the Debian revision suffix in the package version, you are affected if it is 23.0.14 or lower on the 23.0 branch, 26.1.4 or lower on the 26.1 branch, 27.1.0 or lower on the 27 branch, or on any branch that received no fix (19.03, 20.10, 24.0, 25.0, 26.0).

Rocky 8

Run the following command to check the installed version of docker-ce (rpm -q reports the package that is actually installed; dnf info also lists versions that are merely available in the repository):
rpm -q docker-ce

Then confirm what the running daemon reports, in case the package was upgraded but dockerd was not restarted:
docker version --format '{{.Server.Version}}'

Ignoring the epoch prefix and the .el8 release suffix in the package version, you are affected if it is 23.0.14 or lower on the 23.0 branch, 26.1.4 or lower on the 26.1 branch, 27.1.0 or lower on the 27 branch, or on any branch that received no fix (19.03, 20.10, 24.0, 25.0, 26.0).

Rocky 9

Run the following command to check the installed version of docker-ce (rpm -q reports the package that is actually installed; dnf info also lists versions that are merely available in the repository):
rpm -q docker-ce

Then confirm what the running daemon reports, in case the package was upgraded but dockerd was not restarted:
docker version --format '{{.Server.Version}}'

Ignoring the epoch prefix and the .el9 release suffix in the package version, you are affected if it is 23.0.14 or lower on the 23.0 branch, 26.1.4 or lower on the 26.1 branch, 27.1.0 or lower on the 27 branch, or on any branch that received no fix (19.03, 20.10, 24.0, 25.0, 26.0).
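
The per-distribution checks above, worked into one script as an added example (this is not part of the STFC notice and not Docker tooling): it reduces a dpkg or rpm version string to bare X.Y.Z and classifies it against the first fixed releases named in the advisory (23.0.15, 26.1.5, 27.1.1), treating the branches that received no fix as affected whatever their patch level. The package lookups assume docker-ce was installed from Docker's repository, as the commands above do; the version strings in the comments and the --installed/--running option names are constructed for the example.

```shell
#!/bin/sh
# Added example for this notice, not code from the STFC page or from Docker:
# classify a docker-ce version string as patched or affected for CVE-2024-41110.
# Thresholds are the first fixed releases named in the advisory (23.0.15, 26.1.5,
# 27.1.1). Branches that received no fix (19.03, 20.10, 24.0, 25.0, 26.0) are
# reported as affected whatever their patch level.

# Reduce a package-manager version to bare X.Y.Z. Constructed examples:
#   Debian: 5:27.1.0-1~ubuntu.22.04~jammy  -> 27.1.0
#   RPM:    27.1.0-1.el9                   -> 27.1.0
bare_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-~+].*$//'
}

# Print "patched" or "affected" for a docker-ce version; exit status 0 = patched.
docker_ce_status() {
    v=$(bare_version "$1")
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;                 # need X.Y.Z to compare
        *) printf 'affected\n'; return 1 ;;      # unparseable: do not assume safe
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    status=affected
    if [ "$major" -ge 28 ]; then
        status=patched                           # released after the fix
    elif [ "$major" -eq 27 ]; then
        # 27.0.x and 27.1.0 are affected; 27.1.1 and later minors are fixed
        if [ "$minor" -ge 2 ] || { [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; }; then
            status=patched
        fi
    elif [ "$major" -eq 26 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 5 ]; then
        status=patched
    elif [ "$major" -eq 23 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 15 ]; then
        status=patched
    fi
    printf '%s\n' "$status"
    [ "$status" = patched ]
}

# Version of the installed docker-ce package via whichever package manager is
# present (dpkg on Ubuntu, rpm on Rocky). Empty output: package not installed.
installed_docker_ce_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' docker-ce 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' docker-ce 2>/dev/null
    fi
}

# Version the running daemon reports: this is what matters if the package was
# upgraded but dockerd was never restarted.
running_docker_version() {
    docker version --format '{{.Server.Version}}' 2>/dev/null
}

main() {
    case "$1" in
        --installed) v=$(installed_docker_ce_version) ;;
        --running)   v=$(running_docker_version) ;;
        *)           v=$1 ;;
    esac
    if [ -z "$v" ]; then
        echo "docker-ce version not found" >&2
        return 2
    fi
    printf '%s: ' "$v"
    docker_ce_status "$v"
}

# Usage: sh check_docker_ce.sh --installed | --running | <version-string>
# With no argument nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run it once with --installed and once with --running on each host; a host whose package is patched but whose daemon still reports an affected version has not been restarted and is still exposed.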

How do I fix my affected machines?

Ubuntu 20.04 Focal

Run the following commands to update all system packages, and reboot the machine to apply the change:

sudo apt update && sudo apt upgrade -y
sudo reboot

Ubuntu 22.04 Jammy

Run the following commands to update all system packages, and reboot the machine to apply the change:

sudo apt update && sudo apt upgrade -y
sudo reboot

Rocky 8

Run the following commands to update all system packages, and reboot the machine to apply the change:

sudo dnf update && sudo reboot

Rocky 9

Run the following commands to update all system packages, and reboot the machine to apply the change:

sudo dnf update && sudo reboot

Do I need to do anything else?

After the upgrade, confirm that the running daemon reports a patched version (docker version --format '{{.Server.Version}}'), not only the package database: dockerd only picks up the new binary when it is restarted, which the package upgrade and the reboot above both do. Restarting dockerd stops the containers on the host unless live-restore is enabled in the daemon configuration, and they only come back if they have a restart policy, so schedule the upgrade accordingly.

Hosts that run the daemon without an AuthZ plugin have no plugin to bypass (as the summary above notes, the default authorization model is all-or-nothing), but they run the same vulnerable code and must still be brought to the patched versions above.

Contact Information

If you have any questions, concerns, or need assistance regarding this vulnerability notice please submit a ticket to cloud-support@stfc.ac.uk, including the name of the vulnerability in the subject line and we’ll get back to you as soon as possible.