No one checked oversized requests:

While the previous authorization bypass was triggered when the request Content-Length was set to 0, no one checked at the time what would happen in the same function if the request exceeded a certain size.

“When an API request body exceeds 1MB, Docker’s middleware silently drops the body before your authorization plugin sees it,” the Cyera researchers found. “The plugin, seeing nothing to inspect, approves the request. The Docker daemon then processes the full body and creates the requested container, potentially granting full host filesystem access.”

This is essentially the same bug class with the same root cause, but using 1MB request padding instead of zero length. Because the AuthZ plug-in doesn’t get to inspect and block the request, attackers would have access to all Docker Engine commands, including the ability to create privileged containers with root access.

Usually the most serious Docker vulnerabilities are those that allow attackers to escape from inside containers, but this flaw occurs before the container is even created, so in-container monitoring tools would not catch the exploit attempt. Administrators can, however, route API requests through a reverse proxy that blocks all requests over 512KB, for example, as a temporary mitigation.

Exposed Docker API interfaces are constantly targeted by botnets and attackers looking to hijack cloud instances and servers, especially since Docker is used in over 90% of enterprise environments worldwide.

The Cyera researchers recommend searching daemon logs for signs of potential exploitation with journalctl -u docker | grep "Request body is larger than". They also advise reviewing which automated systems have Docker API access and prioritizing hosts with access to production credentials or regulated data for immediate patching.
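The following Python model is an added illustration, not code from the article, from Cyera or from Docker. It reproduces the fail-open pattern the article describes (an authorization hook that approves whatever it cannot inspect) next to a fail-closed alternative that only approves what it has actually inspected, and it models the 512KB reverse-proxy cap suggested as a temporary mitigation. The request shape, the middleware behaviour, the JSON marker used as a stand-in for inspecting a container spec, and the exact limit values are assumptions taken from the article's description rather than from Docker's implementation.

```python
"""Model of a fail-open vs fail-closed request authorization gate.

Constructed example. The request shape, the middleware behaviour and the
inspection stand-in are assumptions modelled on the article's description;
this is not Docker's middleware or an actual AuthZ plugin.
"""
from dataclasses import dataclass

INSPECTION_LIMIT = 1024 * 1024   # 1MB: bodies above this are dropped before the plugin sees them (per the article)
PROXY_LIMIT = 512 * 1024         # 512KB reverse-proxy cap the article mentions as a temporary mitigation
BODY_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class Request:
    method: str
    uri: str
    headers: dict   # header names lower-cased; "content-length" is what the client declared
    body: bytes     # the body as it reaches the authorization hook


def declared_length(req: Request) -> int:
    """Parse the declared Content-Length; a malformed header is treated as invalid (-1)."""
    try:
        return int(req.headers.get("content-length", "0") or 0)
    except ValueError:
        return -1


def middleware_forward(req: Request) -> Request:
    """Model of the behaviour described: an oversized body is dropped before the
    authorization hook runs, while the headers (including Content-Length) are kept."""
    if len(req.body) > INSPECTION_LIMIT:
        return Request(req.method, req.uri, dict(req.headers), b"")
    return req


def contains_privileged(body: bytes) -> bool:
    """Stand-in for inspecting a container spec; a real plugin would parse the JSON."""
    return b'"Privileged": true' in body or b'"Privileged":true' in body


def fail_open_plugin(req: Request) -> bool:
    """Defective pattern: nothing to inspect means approve."""
    if not req.body:
        return True
    return not contains_privileged(req.body)


def fail_closed_plugin(req: Request) -> bool:
    """Hardened pattern: approve only requests whose body was fully seen and inspected."""
    declared = declared_length(req)
    if declared < 0 or declared > INSPECTION_LIMIT:
        return False                      # unparseable or uninspectable body: deny
    if len(req.body) != declared:
        return False                      # declared body not delivered to the hook: deny
    if not req.body:
        # A body-less write is the shape of the earlier zero-length bypass; only
        # body-less read methods are genuinely inspectable as "nothing to check".
        return req.method not in BODY_METHODS
    return not contains_privileged(req.body)


def proxy_accepts(req: Request) -> bool:
    """Reverse-proxy gate in front of the API: reject anything declared over PROXY_LIMIT."""
    declared = declared_length(req)
    return 0 <= declared <= PROXY_LIMIT and len(req.body) <= PROXY_LIMIT


def decide(req: Request, plugin) -> bool:
    """Full path: proxy cap, then middleware forwarding, then the plugin's decision."""
    if not proxy_accepts(req):
        return False
    return plugin(middleware_forward(req))


def make_create(spec: bytes, total_size: int) -> Request:
    """Constructed container-create request, padded with spaces to total_size bytes."""
    body = spec.ljust(total_size, b" ")
    return Request("POST", "/containers/create", {"content-length": str(len(body))}, body)


if __name__ == "__main__":
    spec = b'{"Image": "alpine", "HostConfig": {"Privileged": true}}'
    padded = make_create(spec, 2 * INSPECTION_LIMIT)
    seen = middleware_forward(padded)
    print("fail-open plugin on padded request:", fail_open_plugin(seen))      # True: approved blind
    print("fail-closed plugin on padded request:", fail_closed_plugin(seen))  # False
    print("with 512KB proxy cap in front:", decide(padded, fail_open_plugin))  # False
```

The fail-closed variant keys its decision on what the client declared versus what the hook received, so a dropped body is denied rather than treated as empty; the proxy cap provides the same protection one layer earlier without touching the plugin.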
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4157405/old-docker-authorization-bypass-pops-up-despite-previous-patch.html