CVE-2022-36109
Privilege Escalation vulnerability in docker (Go)

Privilege Escalation No known exploit

What is CVE-2022-36109 About?

This vulnerability in Moby (Docker Engine) involves improper supplementary group setup, allowing attackers with direct container access to bypass primary group restrictions. By manipulating supplementary group access, attackers may gain unauthorized access to sensitive information or execute code within the container. Exploitation requires specific conditions and is moderately difficult.

Affected Software

  • github.com/docker/docker
    • <20.10.18+incompatible
    • <20.10.18

Technical Details

The vulnerability in Moby (Docker Engine) arises from a flaw in how supplementary groups are set up when a container is started, especially when the image uses the USER $USERNAME Dockerfile instruction. The core issue is that the supplementary groups of the user inside the container may not be inherited or established as the system expects. An attacker who already has direct access to the container and can manipulate their supplementary group membership can leverage this misconfiguration: by assuming the permissions of a supplementary group that was meant to be restricted, the attacker bypasses primary-group access controls. This yields unauthorized access to files or directories, or the ability to execute code, that the attacker's primary user context would normally be denied, which is effectively a privilege escalation within the container.
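As an added check that is not part of this advisory or of Moby's own code: the script below compares the supplementary groups a container process actually holds (the Groups line of /proc/<pid>/status) with the groups the container's own /etc/passwd and /etc/group grant to the user, so an operator can confirm that a container restarted on a fixed engine has its groups set up as expected and flag any group the process holds without being granted it. The sample /etc files, the status text and the function names are constructed for illustration.

```python
# Constructed sample inputs, not captured from a real container: the process holds
# gid 0 although /etc/group does not grant it, and lacks 'audio' although it does.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000:app:/home/app:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:root,app\napp:x:1000:\naudio:x:29:app\nvideo:x:44:\n"
SAMPLE_STATUS = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t0 10 1000 \n"


def expected_groups(username, passwd_text, group_text):
    """(primary gid, supplementary gids) that the container's own /etc/passwd and
    /etc/group grant to `username`; None if the user does not exist."""
    primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == username:
            primary = int(f[3])
    if primary is None:
        return None
    granted = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and username in f[3].split(","):
            granted.add(int(f[2]))
    granted.discard(primary)  # the primary gid is not a supplementary group
    return primary, granted


def actual_groups(status_text):
    """Effective gid and supplementary gid set parsed from /proc/<pid>/status."""
    egid, held = None, set()
    for line in status_text.splitlines():
        if line.startswith("Gid:"):      # fields: real, effective, saved, filesystem
            egid = int(line.split()[2])
        elif line.startswith("Groups:"):
            held = {int(g) for g in line.split()[1:]}
    return egid, held


def audit_groups(username, passwd_text, group_text, status_text):
    """'unexpected' gids give the process access its primary group would deny;
    'missing' gids were granted in /etc/group but never set up at container start."""
    exp = expected_groups(username, passwd_text, group_text)
    if exp is None:
        raise ValueError(f"user {username!r} not in passwd data")
    primary, granted = exp
    egid, held = actual_groups(status_text)
    held -= {primary, egid}  # primary/effective gid is expected, not supplementary
    return {"missing": granted - held, "unexpected": held - granted}
```

Inside a running container, call audit_groups with the user name from id -un and the contents of /etc/passwd, /etc/group and /proc/self/status; an empty "unexpected" set means the process holds no group beyond what the container's own group database grants.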

What is the Impact of CVE-2022-36109?

Successful exploitation may allow attackers to bypass primary group restrictions, potentially gaining access to sensitive information or executing arbitrary code within the container.

What is the Exploitability of CVE-2022-36109?

Exploitation has a moderate complexity level: the attacker needs direct access to a container and the ability to manipulate their supplementary group access. No further authentication is needed once the attacker already has access to the container as a user, and the privileges required are typically user-level within the container. This is a local vulnerability within the container environment, so an initial compromise of the container would precede it. A key prerequisite is the use of the USER $USERNAME Dockerfile instruction in the container image. The likelihood of exploitation increases in environments where container security is not carefully configured and group manipulation is therefore possible.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-36109?

Available Upgrade Options

  • github.com/docker/docker
    • <20.10.18 → Upgrade to 20.10.18
    • <20.10.18+incompatible → Upgrade to 20.10.18+incompatible


Additional Resources

What are Similar Vulnerabilities to CVE-2022-36109?

Similar Vulnerabilities: CVE-2021-41094, CVE-2021-30465, CVE-2022-24754, CVE-2023-28840, CVE-2023-28841