CVE-2022-26659: Arbitrary File Write in Docker Desktop Installer 4.5.1
Information
- Vulnerability: Arbitrary File Write
- Vendor: Docker
- Affected products: Docker Desktop installer prior to version 4.6.0
- CVE ID: CVE-2022-26659
Summary
An arbitrary file write vulnerability exists in Docker Desktop Installer 4.5.1 that allows an unprivileged attacker to cause a denial of service via local system access.
The affected program tries to create or write install-log.txt in the %LOCALAPPDATA%\Docker\ directory while running with high integrity. An attacker could create a symlink named install-log.txt that points to an arbitrary path (CreatSymlink.exe %LOCALAPPDATA%\Docker\install-log.txt C://target_path/target_file.exe). When the Docker Desktop Installer then runs, the file is created at the target path. If the target file already exists, the installer overwrites it with its log data.
Mitigation
The vulnerability was mitigated by using another directory with the proper Discretionary Access Control List (DACL) for writing the logs.
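As an added example (not Docker's code and not the fix Docker shipped), the Python code below shows the check a privileged writer can make before logging into a user-writable directory: refuse any path component that is a symlink or Windows reparse point, and create the file exclusively so an existing file is never overwritten. The function names, the temporary directory standing in for %LOCALAPPDATA% and the sample tree in demo() are assumptions constructed for this illustration.

```python
import os
import stat
import tempfile

def is_link(path):
    """True if path itself is a symlink (POSIX) or a reparse point (Windows)."""
    try:
        st = os.lstat(path)  # lstat inspects the link, not its target
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)  # field exists only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def redirected_components(log_path, trusted_root):
    """List every link between trusted_root (exclusive) and log_path (inclusive)."""
    log_path, trusted_root = os.path.abspath(log_path), os.path.abspath(trusted_root)
    if os.path.commonpath([log_path, trusted_root]) != trusted_root:
        raise ValueError("log path is outside the trusted root")
    found, current = [], log_path
    while current != trusted_root:
        if is_link(current):
            found.append(current)
        current = os.path.dirname(current)
    return found[::-1]

def open_log(log_path, trusted_root):
    """Create the log only if no component redirects and the name is unused."""
    if redirected_components(log_path, trusted_root):
        raise PermissionError("refusing to write the log through a link")
    # O_EXCL fails if the name already exists, so no existing file is overwritten.
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")

def demo():
    """Constructed sample: install-log.txt planted as a link to another file."""
    root = tempfile.mkdtemp()  # stands in for %LOCALAPPDATA%
    log = os.path.join(root, "Docker", "install-log.txt")
    target = os.path.join(root, "target_file.exe")
    os.mkdir(os.path.dirname(log))
    with open(target, "w") as f:
        f.write("original")
    os.symlink(target, log)  # on Windows this needs Developer Mode or elevation
    try:
        open_log(log, root).close()
        refused = False
    except PermissionError:
        refused = True
    with open(target) as f:
        return refused, redirected_components(log, root), f.read()
```

A check followed by an open can still be raced in a directory the user controls, which is why the mitigation above moved the log to a directory with a restrictive DACL rather than relying on a check like this alone.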
Timeline
- 2022-02-10: Discovered the vulnerability
- 2022-02-11: Sent the report to Docker Security Team
- 2022-02-16: Docker confirmed the vulnerability
- 2022-03-07: CVE-2022-26659 assigned
- 2022-03-26: Public advisory published