ACTIVE-2020-002: Docker Desktop Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
Docker Inc.
CVE ID:
CVE-2020-10665
Affected Products:
- Docker Desktop Enterprise before 2.1.0.9
- Docker Desktop for Windows Stable before 2.2.0.4
- Docker Desktop for Windows Edge before 2.2.2.0
Summary:
Diagnostics feature in Docker Desktop allows arbitrary DACL permissions overwrite as well as arbitrary file write to non-privileged Docker Desktop users which leads to local privilege escalation as NT AUTHORITY\SYSTEM.
Mitigation:
The vendor has released a patch addressing this vulnerability. Please refer to the vendor website for more information.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://docs.docker.com/release-notes/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10665
- https://nvd.nist.gov/vuln/detail/CVE-2020-10665
Disclosure Timeline:
- 02-03-20: ACTIVELabs contacted Docker via security@docker.com requesting PGP key
- 02-05-20: Docker security team provided PGP key
- 02-05-20: ACTIVELabs submitted vulnerability report and requested timeline for the patch
- 02-12-20: ACTIVELabs requested an update
- 02-12-20: Docker security team responded that they are investigating the issue still
- 02-27-20: ACTIVELabs requested an update
- 03-02-20: Docker Desktop for Windows Edge 2.2.2.0 was released
- 03-06-20: ACTIVELabs informed Docker security team that fully reliable exploit is now available and requested an update
- 03-06-20: Docker security team responded that patch was released in Desktop Edge releases and they are in the process of pushing it to stable releases
- 03-13-20: Docker Desktop Enterprise 2.1.0.9 and Docker Desktop for Windows Stable 2.2.0.4 was released
- 03-15-20: ACTIVELabs asked Docker security team whether an advisory can be made public at this point
- 03-18-20: Docker security team responded that we can proceed with publication
- 03-18-20: ACTIVELabs publishes this advisory
- 03-18-20: ACTIVELabs request CVE from MITRE
- 03-18-20: CVE-2020-10665 assigned