CVE-2024-41110: Docker Engine AuthZ Bypass Vulnerability

CVE-2024-41110 is an authorization bypass vulnerability in Docker Engine that allows attackers to circumvent AuthZ plugins using crafted API requests. This article covers technical details, affected versions, and mitigation.

CVE-2024-41110 Overview

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances.

Critical Impact

This vulnerability could lead to unauthorized actions, including privilege escalation, by bypassing AuthZ plugins.

Affected Products

  • Docker Engine (specific versions impacted)
  • Mirantis Container Runtime (not vulnerable)
  • Docker EE v19.03.x (not vulnerable)

Discovery Timeline

  • 2018 - Vulnerability discovered
  • January 2019 - Vulnerability fixed in Docker Engine v18.09.1
  • 2024-07-24 - CVE-2024-41110 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-41110

Vulnerability Analysis

The vulnerability is a regression in Docker Engine: with a specially crafted API request, the daemon could forward the request or response to an authorization plugin without its body. A plugin whose decision depends on the body could then approve a request that it would have denied had the body been forwarded.
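
Seen from the plugin's side, the safe reaction to a missing body is to deny. The following is an added example, not code from Docker or from this page: a decision function for an AuthZ plugin that fails closed when a container-create request arrives without its body. The policy (block privileged containers), the endpoint pattern and the sample request are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Request holds the AuthZ plugin request fields this check needs.
type Request struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"` // base64-encoded in the JSON payload
}

// Response is the plugin's verdict; the zero value denies.
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Assumption: the policy's only body-dependent rule covers container creation.
var createRE = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// Decide evaluates one raw AuthZ request payload and denies when data is missing.
func Decide(raw []byte) Response {
	var req Request
	if err := json.Unmarshal(raw, &req); err != nil {
		return Response{Msg: "deny: unparseable AuthZ request"}
	}
	if req.RequestMethod != "POST" || !createRE.MatchString(req.RequestURI) {
		return Response{Allow: true} // other endpoints are outside this example's policy
	}
	if len(req.RequestBody) == 0 {
		return Response{Msg: "deny: request body was not forwarded"}
	}
	var body struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return Response{Msg: "deny: request body is not valid JSON"}
	}
	if body.HostConfig.Privileged {
		return Response{Msg: "deny: privileged containers are not allowed"}
	}
	return Response{Allow: true}
}

func main() {
	// Constructed sample: a create call that reaches the plugin without a body.
	fmt.Println(Decide([]byte(`{"RequestMethod":"POST","RequestUri":"/v1.46/containers/create"}`)))
}
```

Failing closed here is defense in depth only; updating the engine remains the fix.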

Root Cause

The root cause is an oversight during the update process where fixes from v18.09.1 were not carried forward into later versions.

Attack Vector

The attack vector is network-based, exploiting the Docker Engine API to bypass authorization mechanisms.

javascript
// Example exploitation code (sanitized)
fetch('/path/to/api', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({}) // Potentially empty or malformed
})
.then(response => response.json())
.then(data => console.log(data));

Detection Methods for CVE-2024-41110

Indicators of Compromise

  • Unauthorized API requests
  • Unusual access logs
  • Suspicious request patterns

Detection Strategies

Implement monitoring for API endpoint access logs to detect anomalies and unauthorized bypass attempts. Look for patterns that match known bypass techniques.

Monitoring Recommendations

Regularly audit authorization plugin logs and cross-reference with Docker Engine logs to detect unauthorized access indicators.

How to Mitigate CVE-2024-41110

Immediate Actions Required

  • Update to docker-ce v27.1.1 or later
  • Restrict Docker API access to trusted parties
  • Disable or avoid using vulnerable AuthZ plugins

Patch Information

Patches are available in docker-ce v27.1.1 and later. Ensure the Docker Engine version in use includes updates from the fixed branches.

Workarounds

Restrict Docker API access by configuring network firewall rules or using VPNs to limit requests to trusted sources.

bash
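# Allow the Docker API TCP port (2375) only from a trusted source address,
# then drop all other traffic to that port. Replace TRUSTED_IP with the real address.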
iptables -A INPUT -p tcp --dport 2375 -s TRUSTED_IP --jump ACCEPT
iptables -A INPUT -p tcp --dport 2375 --jump DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
