Docker today disclosed a critical CVE in its platform with serious implications for users running Windows containers. The vulnerability allows any container to connect to the underlying Docker Engine API without any authentication. Security researcher Felix Boulet discovered it, and because of its high exploitability it has been assigned a CVSS score of 9.3.
The Docker Engine API, reachable at IP address 192.168.65.7 on port 2375, is used to create and manage containers. This CVE allows privileged containers complete access to the underlying host, which can lead to significant security violations.
Details of the Vulnerability
The exploit targets a serious flaw in Docker’s internal HTTP API: the API is reachable from any container and enforces no authentication or access control. Specifically, an attacker could mount the host’s C:\ drive into a container by sending a specially crafted POST request with a JSON payload to “/containers/create”. This payload binds the host’s C:\ drive to a directory within the container located at /mnt/host/c:/host_root.
“At its core, this vulnerability was a simple oversight: Docker’s internal HTTP API was reachable from any container without authentication or access controls,” – Felix Boulet.
Once the exploit runs, the attacker can write files to or read files from /host_root as soon as the container starts. In this way, a malicious WebAssembly module (or even a benign one) could leak access to user files on the host system. According to Docker, “Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”
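As an added example (not code from Docker, Felix Boulet or this article), the following Python script flags /containers/create request bodies whose bind mounts expose a whole host drive, the pattern described above. It assumes the defender can capture those JSON bodies, for instance from an API proxy or audit log with one JSON object per line; the sample capture is constructed for the example, and the /mnt/host/<drive> path convention is assumed from the article’s /mnt/host/c path.

```python
"""Flag /containers/create request bodies that bind a host drive root.

Added example, not code from Docker, Felix Boulet or this article. It assumes
the defender has captured the JSON bodies of POST /containers/create requests
(for example from an API proxy or audit log, one JSON object per line) and
wants to flag bind mounts that expose a host drive root, the pattern described
in the article (host C:\\ bound to /host_root inside the container).
"""
import json
import re
from typing import Iterable

# Bind sources that amount to the whole host filesystem. The /mnt/host/<drive>
# form is assumed from the article's "/mnt/host/c" path (Docker Desktop's VM
# view of a host drive); the other two are a Windows drive root and POSIX root.
HOST_ROOT_PATTERNS = [
    re.compile(r"[A-Za-z]:[\\/]?"),        # C:\  or C:/  or C:
    re.compile(r"/"),                      # POSIX root
    re.compile(r"/mnt/host/[A-Za-z]/?"),   # assumed Docker Desktop host-drive path
]

# "src:dst[:opts]" where either half may start with a Windows drive letter,
# so a naive split(":") would cut "C:\" in the wrong place.
_BIND_RE = re.compile(r"([A-Za-z]:[\\/][^:]*|[^:]*):([A-Za-z]:[\\/][^:]*|[^:]*)")


def split_bind(bind: str) -> tuple[str, str]:
    """Return (source, destination) for a Docker bind spec."""
    m = _BIND_RE.match(bind)
    if not m or not m.group(1) or not m.group(2):
        raise ValueError(f"unparseable bind spec: {bind!r}")
    return m.group(1), m.group(2)


def is_host_root(source: str) -> bool:
    """True if a bind source exposes an entire host drive."""
    return any(p.fullmatch(source) for p in HOST_ROOT_PATTERNS)


def flag_host_root_binds(create_body: dict) -> list[str]:
    """Return human-readable findings for one /containers/create JSON body."""
    findings: list[str] = []
    host_cfg = create_body.get("HostConfig") or {}
    # Legacy "Binds" form, as in the payload the article describes.
    for bind in host_cfg.get("Binds") or []:
        src, dst = split_bind(bind)
        if is_host_root(src):
            findings.append(f"Binds: host root {src!r} mounted at {dst!r}")
    # Structured "Mounts" form carries the same information.
    for mount in host_cfg.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and is_host_root(src):
            findings.append(f"Mounts: host root {src!r} mounted at {mount.get('Target')!r}")
    # A privileged container is a finding on its own.
    if host_cfg.get("Privileged"):
        findings.append("Privileged: true")
    return findings


def scan_json_lines(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Scan captured request bodies (one JSON object per line); return
    (line_number, findings) for every body that raised at least one finding."""
    hits = []
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        findings = flag_host_root_binds(json.loads(line))
        if findings:
            hits.append((n, findings))
    return hits


# Constructed sample capture: one benign request, then two variants of the
# host-root bind the article describes.
SAMPLE_LOG = [
    '{"Image": "alpine", "HostConfig": {"Binds": ["/home/app/data:/data:ro"]}}',
    '{"Image": "alpine", "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}}',
    '{"Image": "alpine", "HostConfig": {"Mounts": [{"Type": "bind", "Source": "C:\\\\", "Target": "/host_root"}]}}',
]

if __name__ == "__main__":
    for line_no, findings in scan_json_lines(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(findings))
```

The bind parser is deliberately not a `split(":")`, because a Windows source such as `C:\` contains the separator itself; the drive-letter alternative in the regex keeps that half intact. Running the script on the constructed capture reports lines 2 and 3 and stays silent on the read-only project mount.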
Exploitation and Impact
This vulnerability has grave consequences: it allows attackers to take complete control over the Docker application and its containers. Philippe Dugre, also known as “zer0x64”, who went on to win the “Best Hacker” prize, uncovered a particularly alarming aspect of it: a malicious container running on Docker Desktop can still reach the Docker Engine and start other malicious containers without mounting the Docker socket.
“However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval,” – Philippe Dugre.
This vulnerability has huge security implications, especially for Windows users, as Docker doesn’t run with admin rights by default. Docker on Linux is not affected by this issue; most importantly, it uses a named pipe on the host’s file system rather than a TCP socket to reach the Docker Engine’s API.
Recommendations for Users
Considering the implications of this finding, Docker has called on all users to adopt container security best practices to protect their environments. Users on Windows-based systems need to be vigilant and keep reviewing their configurations to guard against the threat of misconfiguration.
“This could allow unauthorized access to user files on the host system,” – Docker.
Docker’s team is currently working on a patch for this vulnerability. Users are urged to monitor official communications from Docker as more information becomes available and to learn how to secure their installations.