SRC-2018-0026 : Docker dockerBackend HandleRequestAsync Deserialization of Untrusted Data Elevation of Privilege Vulnerability
CVE ID:
CVE-2018-15514
CVSS Score:
6.9 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Vendors:
Docker
Affected Products:
Docker for Windows
Vulnerability Details:
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Docker for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of requests sent to the NamedPipe dockerBackend. When parsing the request buffer, the process does not properly validate user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.
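The following is an added example, not part of the original advisory and not Docker's code: one way a privileged local IPC service can validate a request buffer so that nothing in it selects a type to instantiate. The action names, field schema, size cap and sample buffers are hypothetical.

```python
import json

MAX_REQUEST_BYTES = 64 * 1024  # assumed cap; the advisory gives no sizes

# Hypothetical request schema: action name -> {field name: required type}.
ALLOWED_ACTIONS = {
    "GetVersion": {},
    "SetProxy": {"host": str, "port": int},
}

class RejectedRequest(Exception):
    """Raised when a request buffer fails validation."""

def parse_request(buf: bytes) -> tuple[str, dict]:
    """Decode buf as plain JSON data and check it against ALLOWED_ACTIONS."""
    if len(buf) > MAX_REQUEST_BYTES:
        raise RejectedRequest("request too large")
    try:
        doc = json.loads(buf.decode("utf-8"))
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise RejectedRequest("not valid UTF-8 JSON") from exc
    if not isinstance(doc, dict) or set(doc) != {"action", "args"}:
        raise RejectedRequest("unexpected top-level fields")
    action, args = doc["action"], doc["args"]
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise RejectedRequest("unknown action")
    schema = ALLOWED_ACTIONS[action]
    # The server fixes the set of fields; extra or missing ones are rejected.
    if not isinstance(args, dict) or set(args) != set(schema):
        raise RejectedRequest("unexpected argument fields")
    for name, expected in schema.items():
        # bool is a subclass of int in Python, so compare exact types.
        if type(args[name]) is not expected:
            raise RejectedRequest(f"bad type for {name}")
    return action, args

# Constructed sample buffers (not captured traffic).
GOOD = b'{"action": "SetProxy", "args": {"host": "proxy.example", "port": 3128}}'
TYPE_FIELD = b'{"action": "SetProxy", "args": {"host": "h", "port": 1, "type": "Some.Class"}}'

def is_accepted(buf: bytes) -> bool:
    """Return True only if the buffer passes every check in parse_request."""
    try:
        parse_request(buf)
        return True
    except RejectedRequest:
        return False
```

Because the handler only ever builds dictionaries, strings and integers that match a server-defined schema, a client-supplied field naming a class is treated as an unexpected field and the request is dropped.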
Vendor Response:
Docker has issued an update to correct these vulnerabilities. More details can be found at:
https://docs.docker.com/docker-for-windows/edge-release-notes/#docker-community-edition-18060-ce-win69-2018-07-25
Disclosure Timeline:
- 2018-04-03 - Vulnerability reported to iDefense
- 2018-04-04 - Verified and acquired by iDefense
- 2018-06-19 - Patched by Docker (without credit)
- 2018-07-18 - Docker assigned CVE-2018-15514
- 2018-08-30 - Coordinated public release of advisory
Proof of Concept:
Credit:
This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite.
Acknowledgments:
Source Incite would like to acknowledge iDefense's Vulnerability Contributor Program for the help with co-ordination of this vulnerability.