Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2020-002: Docker Desktop Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

Docker Inc.

CVE ID:

CVE-2020-10665

Affected Products:

  • Docker Desktop Enterprise before 2.1.0.9
  • Docker Desktop for Windows Stable before 2.2.0.4
  • Docker Desktop for Windows Edge before 2.2.2.0

Summary:

Diagnostics feature in Docker Desktop allows arbitrary DACL permissions overwrite as well as arbitrary file write to non-privileged Docker Desktop users which leads to local privilege escalation as NT AUTHORITY\SYSTEM.

Mitigation:

The vendor has released a patch addressing this vulnerability. Please refer to the vendor website for more information.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 02-03-20: ACTIVELabs contacted Docker via security@docker.com requesting PGP key
  • 02-05-20: Docker security team provided PGP key
  • 02-05-20: ACTIVELabs submitted vulnerability report and requested timeline for the patch
  • 02-12-20: ACTIVELabs requested an update
  • 02-12-20: Docker security team responded that they are investigating the issue still
  • 02-27-20: ACTIVELabs requested an update
  • 03-02-20: Docker Desktop for Windows Edge 2.2.2.0 was released
  • 03-06-20: ACTIVELabs informed Docker security team that fully reliable exploit is now available and requested an update
  • 03-06-20: Docker security team responded that patch was released in Desktop Edge releases and they are in the process of pushing it to stable releases
  • 03-13-20: Docker Desktop Enterprise 2.1.0.9 and Docker Desktop for Windows Stable 2.2.0.4 was released
  • 03-15-20: ACTIVELabs asked Docker security team whether an advisory can be made public at this point
  • 03-18-20: Docker security team responded that we can proceed with publication
  • 03-18-20: ACTIVELabs publishes this advisory
  • 03-18-20: ACTIVELabs request CVE from MITRE
  • 03-18-20: CVE-2020-10665 assigned