Source: nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
File: DOCKER_CVE-2024-41110.NASL
History: Jul 26, 2024 - 12:00 a.m.

Docker Engine < 23.0.15 / 26.x < 26.1.5 / 27.x < 27.1.1 Authentication Bypass

2024-07-26 00:00:00
www.tenable.com
Tags: docker engine, authentication bypass, vulnerability

CVSS3: 9.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.7
Confidence: High

The version of the Docker Engine (Moby) installed on the remote host is prior to 23.0.15, 26.x prior to 26.1.5 or 27.x prior to 27.1.1. It is therefore affected by an authentication bypass vulnerability. Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(204784);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/29");

  script_cve_id("CVE-2024-41110");
  script_xref(name:"IAVA", value:"2024-A-0438");

  script_name(english:"Docker Engine < 23.0.15 / 26.x < 26.1.5 / 27.x < 27.1.1 Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the Docker Engine (Moby) installed on the remote host is prior to 23.0.15, 26.x prior to 26.1.5 or 27.x
prior to 27.1.1. It is therefore affected by an authentication bypass vulnerability. Using a specially-crafted API
request, an Engine API client could make the daemon forward the request or response to an authorization plugin without 
the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if
the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins
using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although
this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions,
resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body
to make access control decisions is potentially impacted.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq");
  # https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d718ad8d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Docker Engine version 23.0.15, 26.1.5, 27.1.1 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-41110");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:docker:docker");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("docker_for_linux_installed.nbin");
  script_require_keys("installed_sw/Docker");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Docker');

var fixed_display = 'Upgrade to 23.0.15, 26.1.5, 27.1.1 or later.';

var constraints = [
  {'min_version': '19.03.15', 'fixed_version': '23.0.15', 'fixed_display': fixed_display},
  {'min_version': '20.10.27', 'fixed_version': '23.0.15', 'fixed_display': fixed_display},
  {'min_version': '23.0.14', 'fixed_version': '23.0.15', 'fixed_display': fixed_display},
  {'min_version': '24.0.9', 'fixed_version': '26.1.5', 'fixed_display': fixed_display},
  {'min_version': '25.0.5', 'fixed_version': '26.1.5', 'fixed_display': fixed_display},
  {'min_version': '26.0.2', 'fixed_version': '26.1.5', 'fixed_display': fixed_display},
  {'min_version': '26.1.4', 'fixed_version': '26.1.5', 'fixed_display': fixed_display},
  {'min_version': '27.0.3', 'fixed_version': '27.1.1', 'fixed_display': fixed_display},
  {'min_version': '27.1.0', 'fixed_version': '27.1.1', 'fixed_display': fixed_display}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
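
The same range check can be run over a version inventory outside Nessus. The following is an added example, not Tenable's code: the ranges are copied from the `constraints` list above, and it assumes a range matches when min_version <= installed < fixed_version. The host names and inventory are constructed.

```python
# Added example: ranges copied from the plugin's `constraints` list.
# Assumption: a range matches when min_version <= installed < fixed_version.
import re

CONSTRAINTS = [
    ("19.03.15", "23.0.15"),
    ("20.10.27", "23.0.15"),
    ("23.0.14", "23.0.15"),
    ("24.0.9", "26.1.5"),
    ("25.0.5", "26.1.5"),
    ("26.0.2", "26.1.5"),
    ("26.1.4", "26.1.5"),
    ("27.0.3", "27.1.1"),
    ("27.1.0", "27.1.1"),
]

def parse_version(text):
    """Turn '24.0.9', 'v26.1.4' or '20.10.27+dfsg1' into a comparable tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Docker Engine version: {text!r}")
    return tuple(int(part) for part in match.groups())

def matching_fix(installed):
    """Return the fixed_version of the first range that matches, else None."""
    version = parse_version(installed)
    for min_version, fixed_version in CONSTRAINTS:
        if parse_version(min_version) <= version < parse_version(fixed_version):
            return fixed_version
    return None

def audit(inventory):
    """Map host -> fixed_version for every host that falls inside a range."""
    fixes = {host: matching_fix(ver) for host, ver in inventory.items()}
    return {host: fix for host, fix in fixes.items() if fix}

# Constructed inventory (hypothetical host names), e.g. collected per host
# with: docker version --format '{{.Server.Version}}'
SAMPLE_INVENTORY = {
    "build-01": "24.0.9",
    "build-02": "26.1.5",
    "edge-01": "27.0.3",
    "legacy-01": "19.03.14",
    "ci-01": "25.0.6",
}

if __name__ == "__main__":
    for host, fix in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to {fix} or later")
```

Under the assumed semantics, a version below every range's min_version (the constructed 19.03.14) matches nothing, so the output reflects the ranges as written in the plugin rather than an independent assessment of that host.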
