Critical Bug in Docker Engine Allowed Attackers to Bypass Authorization Plugins (opens in new tab)

(securityaffairs.com)

64 pointsjebby1y ago15 comments

15 comments

Hmmm... It's as though running root privelege daemons with open sockets could go wrong. Who could have known.

https://developers.redhat.com/blog/2020/09/25/rootless-conta...

Hmm it’s as though Linux is living in dark ages and having a root be a special user could result in something going wrong. Perhaps Lennart will come will return to Red Hat after his stint at Microsoft and introduce SecureTokens

compsciphd1y ago

Are there really good use cases for dockerd being exposed to the network?

I would assume (many/most) users who run docker directly run it without api access on the network (i.e. on a single host).

Even those that do want network deployments of docker, probably run it through something like k8s where again kubernetes is handling the networking side, and each dockerd doesn't need to expose a network accessible api).

just wondering the use case for this.

radus1y ago

Example: you want to set your local docker context to the production environment, so that when you type `docker system prune --volumes` you delete your production data.

rudasn1y ago

Right? I always wondered who would use that feature and for what, now it all makes sense!

awithrow1y ago

Honestly this sounds like a massive outage waiting to happen

1 more reply

chatmasta1y ago

The issues arise when “the network” means something different at deployment time. You might plan or expect “the network” to be shared only by local services. But then you add some management GUI that needs access to it. And then you add a sidecar to that. And before you know it, you’ve got a bunch of containers, all with their own attack surface, and all with access to the dockerd socket.

claytonjy1y ago

My first thought was CI providers, where we often have to specify a "service" to allow `docker build`.

I don't know much about the internals there; would this bug allow me to do bad stuff on shared CI runners?

hibbelig1y ago

Docker desktop for Mac: dockerd runs in the VM and the client from the host system wants to connect. But of course we all hope that the network it is exposed to is still only on the Mac.

m4631y ago

related, note that docker will money with the firewall and let itself through unexpectedly:

https://vpetersson.com/2014/11/03/the-dangers-of-ufw-docker....

jroseattle1y ago

> The vulnerability was addressed with the release of Docker Engine v18.09.1, but it was not included in subsequent major versions, causing a regression.

Without further information, this sounds like code introduced in a hotfix that wasn't merged back to feature branches.

Surely it's not that simple?

mass_and_energy1y ago

How does this affect CaaS-based deployments like AKS, EKS, GKE and the like?

stackskipton1y ago

They are not using Docker for container runtime. It was deprecated in Kubernetes 1.20 and removed in 1.24 with almost everyone switching to containerd. Currently supported Kubernetes versions are 1.28/1.29/1.30. 1.27 is available as LTS from a few providers.

EDIT: Coworker mentioned there is a cri that lets you to continue to use Docker Engine in Kubernetes but I've never run across it.

Arnavion1y ago

I doubt any of those use dockerd. They likely all use containerd directly.

j / k navigate · click thread line to collapse