Nessus plugin: DOCKER_FOR_WINDOWS_CVE-2024-21626.NASL
History: Feb 09, 2024 - 12:00 a.m.

Docker Desktop < 4.27.1 Multiple Vulnerabilities

2024-02-09 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
Tags: docker desktop, version 4.27.1, vulnerabilities, runc, buildkit, container escape, filesystem access, race condition, cve-2024-21626, cve-2024-23650, cve-2024-23651, nessus scanner

Score: 10 High

CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 7.5 High (Confidence: High)
EPSS: 0.051 Low (Percentile: 93.0%)

The version of Docker Desktop for Windows is prior to 4.27.1. It is therefore affected by multiple vulnerabilities.

  • runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (attack 2). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (attack 1). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this issue. (CVE-2024-21626)

  • BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources. (CVE-2024-23650)

  • BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source, or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=… options. (CVE-2024-23651)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(190363);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/12");

  script_cve_id(
    "CVE-2024-21626",
    "CVE-2024-23650",
    "CVE-2024-23651",
    "CVE-2024-23652",
    "CVE-2024-23653",
    "CVE-2024-23657"
  );
  script_xref(name:"IAVA", value:"2024-A-0071");

  script_name(english:"Docker Desktop < 4.27.1 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Docker Desktop for Windows is prior to 4.27.1. It is therefore affected by multiple vulnerabilities.

  - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In 
    runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned
    container process (from runc exec) to have a working directory in the host filesystem namespace, allowing
    for a container escape by giving access to the host filesystem (attack 2). The same attack could be used 
    by a malicious image to allow a container process to gain access to the host filesystem through runc run 
    (attack 1). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, 
    allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this 
    issue. (CVE-2024-21626)

  - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and 
    repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to 
    BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using 
    BuildKit frontends from untrusted sources. (CVE-2024-23650)

  - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and 
    repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with 
    subpaths could cause a race condition that can lead to files from the host system being accessible to 
    the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit 
    frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with 
    --mount=type=cache,source=... options. (CVE-2024-23651)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/moby/buildkit/releases/tag/v0.12.5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?992441ea");
  # https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?910afe4d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Docker Desktop version 4.27.1 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-23653");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'runc (docker) File Descriptor Leak Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:docker:docker");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("docker_for_windows_installed.nbin");
  script_require_keys("installed_sw/Docker for Windows", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');
var app_info = vcf::get_app_info(app:'Docker for Windows', win_local:TRUE);

var constraints = [{'fixed_version':'4.27.1'}];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
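The plugin's verdict comes down to the constraint `{'fixed_version':'4.27.1'}`: any self-reported Docker Desktop version numerically below 4.27.1 is flagged. The following Python is an added example, not Tenable's vcf library or any Docker code, that reproduces that comparison for version strings as an installer might report them (the function names and the sample host inventory are assumptions).

```python
"""Added example (not Tenable's vcf library): reproduce the plugin's
version-constraint decision for Docker Desktop for Windows."""
import re

FIXED_VERSION = "4.27.1"  # same constraint as the plugin


def parse_version(text):
    """Turn '4.26.1' or '4.27.0.12345' into a tuple of ints.
    A build suffix such as '-beta' is ignored; a string with no leading
    dotted number raises ValueError rather than being treated as patched."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so 4.27 == 4.27.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed one."""
    return compare_versions(parse_version(installed), parse_version(fixed)) < 0


def report(hosts, fixed=FIXED_VERSION):
    """Map host -> 'vulnerable' / 'patched' / 'unknown'. Like the plugin this
    trusts the self-reported version; an unparseable one is not silently
    counted as patched."""
    findings = {}
    for host, version in hosts.items():
        try:
            findings[host] = "vulnerable" if is_vulnerable(version, fixed) else "patched"
        except ValueError:
            findings[host] = "unknown"
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real scan output.
    sample = {"ws-01": "4.26.1", "ws-02": "4.27.1", "ws-03": "4.27", "ws-04": "n/a"}
    for host, status in report(sample).items():
        print(f"{host}: {status}")
```

Like the plugin itself, this only compares a version string; it does not verify whether the bundled runc or BuildKit binaries were actually replaced.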
Vendor  Product  Version  CPE
docker  docker            cpe:/a:docker:docker
