10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
7.7 High
AI Score
Confidence
High
0.051 Low
EPSS
Percentile
93.0%
The version of Docker Desktop for Linux is prior to 4.27.1. It is therefore affected by multiple vulnerabilities.
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (attack 2). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (attack 1). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this issue. (CVE-2024-21626)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources. (CVE-2024-23650)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with
–mount=type=cache,source=… options. (CVE-2024-23651)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(190365);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/26");
script_cve_id(
"CVE-2024-21626",
"CVE-2024-23650",
"CVE-2024-23651",
"CVE-2024-23652",
"CVE-2024-23653",
"CVE-2024-23657"
);
script_xref(name:"IAVA", value:"2024-A-0071");
script_name(english:"Docker Desktop < 4.27.1 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Docker Desktop for Linux is prior to 4.27.1. It is therefore affected by multiple vulnerabilities.
- runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In
runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned
container process (from runc exec) to have a working directory in the host filesystem namespace, allowing
for a container escape by giving access to the host filesystem (attack 2). The same attack could be used
by a malicious image to allow a container process to gain access to the host filesystem through runc run
(attack 1). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries,
allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this
issue. (CVE-2024-21626)
- BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and
repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to
BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using
BuildKit frontends from untrusted sources. (CVE-2024-23650)
- BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and
repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with
subpaths could cause a race condition that can lead to files from the host system being accessible to
the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit
frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with
--mount=type=cache,source=... options. (CVE-2024-23651)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://github.com/moby/buildkit/releases/tag/v0.12.5
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?992441ea");
# https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?910afe4d");
script_set_attribute(attribute:"solution", value:
"Upgrade to Docker Desktop version 4.27.1 or later");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-23653");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'runc (docker) File Descriptor Leak Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/31");
script_set_attribute(attribute:"patch_publication_date", value:"2024/01/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:docker:docker");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("docker_for_linux_installed.nbin");
script_require_keys("installed_sw/Docker Desktop");
exit(0);
}
include('vcf.inc');
var app_info = vcf::get_app_info(app:'Docker Desktop');
var constraints = [{'fixed_version':'4.27.1'}];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21626
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23651
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23652
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23653
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23657
www.nessus.org/u?910afe4d
www.nessus.org/u?992441ea
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
7.7 High
AI Score
Confidence
High
0.051 Low
EPSS
Percentile
93.0%