Privilege escalation vulnerability patched in Docker Desktop for Windows

May 22, 2020 TH Author

[embedded content]

A severe privilege escalation vulnerability has been patched in the Windows Docker Desktop Service.

On Friday, cybersecurity researchers from Pen Test Partners publicly disclosed the problem, a privilege escalation vulnerability buried in how the software uses pipes.

The vulnerability, tracked as CVE-2020-11492, was discovered after analyzing how Docker Desktop for Windows — the primary service platform for Docker — uses named pipes when communicating as a client to child processes.

According to the team, the software “can be tricked into connecting to a named pipe that has been set up by a malicious lower privilege process.”

“Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges,” the researchers added.

The download and installation of Docker Desktop for Windows includes a Windows service called Docker Desktop Service that is always running by default in preparation for the software to launch.

Once opened, the Docker software will create a number of child processes to manage functions including image creation. Windows named pipes are used to facilitate inter-process communication (IPC) including the transfer of application-specific data.

Named pipes are able to impersonate the running client account which “allows the service to drop its credentials in favor of the connecting client,” Pen Test Partner notes, and while this is a legitimate feature, in some cases, it can also be abused.

This specific right, called “Impersonate a client after authentication,” is assigned to specific accounts by default including admin, IIS App Pool, and network service under the Service Control Manager.

“Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service,” the team says.

If an attacker is able to execute code under the context of a process with these privileges, they could set up a malicious pipe to compromise the Docker software, impersonate the system, and elevate their privileges to system-level.

However, this would require an initial attack vector to pull off, something the team has acknowledged.

“Let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows,” the researchers explained. “This could be one example of a successful attack vector. The initial attack vector could utilize a vulnerability in the web application to perform code execution under the limited IIS App Pool account.”

Pen Test Partners disclosed their research on March 25. Originally, Docker said impersonation is a Windows feature and as such, the report should be sent to Microsoft.

CNET: What is Tor? A beginner’s guide to using the private browser

However, after submitting Proof-of-Concept (PoC) code and arguing that while it is a feature, it is also the developer’s responsibility to “ensure that impersonation is disabled if such a feature is not needed,” the research teams’ findings were accepted as a security vulnerability on April 1.

A day later, fixes were pushed to the Edge release of Docker and a CVE number was assigned. On May 11, Docker released version 2.3.0.2 which includes a patch for the vulnerability, involving the use of the SecurityIdentification impersonation level when connecting to the named pipes of spawned child processes.

“This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation,” Pen Test Partners commented.

Docker Desktop Community and Enterprise are now protected against this vulnerability.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0