By David Bisson
Docker released a patch for a vulnerability that could have allowed attackers to escalate their privileges on Windows systems.
How the Vulnerability Works
Discovered by Pen Test Partners, the vulnerability preyed upon the Docker Desktop Service. This service accompanies the installation of Docker Desktop for Windows. It then waits for the Docker Desktop app to start, an event which creates child processes for the purpose of managing Docker behaviors.
Docker enables these child processes to communicate with one another, an exchange known as inter-process communication (IPC), via Windows named pipes. Named pipes carry application-specific data between the two ends of a connection. They also allow the server side of a connection to impersonate the client. This functionality allows a service to drop its credentials, so that the action is performed under the impersonated account and not the service account responsible for starting the process.
This impersonation privilege doesn’t come standard on all user accounts. But it does exist by default on anything started by the Service Control Manager. Pen Test Partners explains why this is relevant to this latest Docker vulnerability:
The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been set up by a malicious lower privilege process. Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.
According to Pen Test Partners, its researchers first notified the Docker security team about the vulnerability on March 25, 2020. Docker responded that same day and denied the existence of a vulnerability. Its team members explained that impersonation was a Windows feature and recommended that the penetration testing and cyber security company speak directly with Microsoft instead.
Pen Test Partners subsequently engaged the Docker security team in an email discussion about the vulnerability. After receiving PoC code from the penetration testing company for the exploit as well as instructions on how to run it using an account with SeImpersonatePrivilege, Docker confirmed that it would treat the issue as a security issue.
On May 11, Docker released Desktop Community 126.96.36.199. That version arrived with a fix for the vulnerability (CVE-2020-11492), which received a base score of 7.5 (High) from NVD.
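The condition Pen Test Partners describes, a SYSTEM process connecting as a client to a named pipe whose server end belongs to a lower-privileged account, can be looked for in pipe telemetry. The Python below is an added example, not code from Docker or Pen Test Partners; the event records are constructed, and their field names, pipe names and image paths are assumptions.

```python
# Constructed, simplified pipe telemetry. Field names are assumptions made for
# this example; Sysmon reports comparable data as event IDs 17 and 18.
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"event": "created", "pipe": r"\example_svc_ctl", "user": SYSTEM,
     "image": r"C:\Program Files\Example\service.exe"},
    {"event": "connected", "pipe": r"\example_svc_ctl", "user": r"WS01\alice",
     "image": r"C:\Program Files\Example\ui.exe"},
    {"event": "created", "pipe": r"\example_child_api", "user": r"WS01\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\helper.exe"},
    {"event": "connected", "pipe": r"\EXAMPLE_CHILD_API", "user": SYSTEM,
     "image": r"C:\Program Files\Example\service.exe"},
    {"event": "connected", "pipe": r"\example_unseen", "user": SYSTEM,
     "image": r"C:\Program Files\Example\service.exe"},
]

PRIVILEGED_USERS = {SYSTEM.lower()}


def find_risky_connections(events, privileged=PRIVILEGED_USERS):
    """Return connections where a privileged client joined a pipe whose
    server end was created by a non-privileged account."""
    creators = {}   # lower-cased pipe name -> list of creation events
    findings = []
    for ev in events:
        name = ev["pipe"].lower()          # pipe names are case-insensitive
        if ev["event"] == "created":
            creators.setdefault(name, []).append(ev)
            continue
        if ev["event"] != "connected" or ev["user"].lower() not in privileged:
            continue                       # only privileged clients matter here
        for srv in creators.get(name, []):  # unseen creator: nothing to compare
            if srv["user"].lower() not in privileged:
                findings.append({
                    "pipe": ev["pipe"],
                    "client_user": ev["user"], "client_image": ev["image"],
                    "server_user": srv["user"], "server_image": srv["image"],
                })
    return findings


if __name__ == "__main__":
    for f in find_risky_connections(SAMPLE_EVENTS):
        print("privileged client {client_image} connected to {pipe} "
              "served by {server_user} ({server_image})".format(**f))
```

The ordinary direction, a user process connecting to a pipe served by SYSTEM, is deliberately not reported; only the inverted trust relationship is.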
Vulnerabilities: Just One of Several Docker Security Challenges
Vulnerabilities undoubtedly pose a challenge to Docker environments. But they’re not the only security issues confronting organizations. StackRox notes that the following security issues also warrant organizations’ attention:
- Limiting container communication – Containers might be isolated from one another. This could pose a problem from a security standpoint. In the absence of additional security measures, for instance, a malicious actor could abuse a compromised container to compromise additional containers connected to their environment.
- Ensuring secure container configurations – Containers might not be in a configuration state that supports the security of an organization’s environment. For instance, they might be running with heightened privileges that shouldn’t be theirs. Container images might also be launching unnecessary services that expand the attack surface, or they might contain secrets that threaten the organization’s sensitive information.
- Monitoring containers – Containers are dynamic by nature. This property makes it difficult to monitor container behavior, especially during runtime. That’s assuming that organizations have the necessary visibility over their containers. If not, they might not even be aware of all the containers that are connected to their environments. As such, they could be unaware of all the security risks confronting them.
These and other security risks highlight the need for organizations to implement Docker security best practices. They can use these steps to begin hardening their Docker assets.
About the Author
David Bisson, Information Security Writer
- David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.