External risk intelligence

Docker Desktop Privilege Escalation

CVE advisory | Known Exploit

CVE-2019-15752

A vulnerability in Docker Desktop Community Edition allows local users to gain elevated privileges. This could lead to unauthorized system access and control, impacting business operations and data. Organizations should update to fixed versions to mitigate this risk.

Halo Surface Signal: 1

Docker Desktop Community Edition, before 2.1.0.1

External exposure likelihood

Halo Surface Signal score for CVE-2019-15752

This vulnerability is limited to local-only exploitation on Windows systems, requiring a local user to place a malicious file in a specific directory to escalate privileges. It is not reachable via the public internet or remote network vectors.

Horizon Alert

Summary of the vulnerability and why it matters

Docker Desktop Community Edition is affected by a vulnerability that allows local users to gain elevated privileges. This occurs when a low-privilege user places a malicious `docker-credential-wincred.exe` file in a specific program data directory. When an administrator or service account later interacts with Docker, such as by restarting it or logging in, the malicious file is executed, leading to privilege escalation. The impact of this vulnerability can include unauthorized access and control over the affected system, potentially compromising sensitive data and disrupting business operations.

  • Vulnerable component: Docker Desktop Community Edition
  • Core weakness: Privilege escalation via malicious executable
  • Main business impact: Unauthorized system access and control

Attack Path

How an attacker could exploit the issue

This vulnerability allows a local, low-privilege user to escalate privileges on a Windows system. An attacker can place a malicious executable file disguised as a Docker credential helper in a specific program data directory. When an administrator or service user authenticates with Docker, restarts Docker, or runs a login command, the system may execute the malicious file with elevated privileges. This could lead to the compromise of the system or sensitive data.

  • Local user places malicious file.
  • Admin or service executes it.
  • Attacker gains elevated control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a localized risk to systems running specific versions of Docker Desktop Community Edition on Windows. An attacker with low-level access could potentially escalate privileges by introducing a malicious executable that is then run by an administrative user or service. The business impact could include unauthorized system control or data access if an attacker successfully exploits this vulnerability. Organizations should consider this a heightened risk due to its inclusion in the Known Exploited Vulnerabilities catalog.

  • Attackers need local access.
  • Malicious file placement required.
  • High privilege escalation risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows a local user to elevate their privileges on affected systems. Attackers can exploit this by placing a malicious executable in a specific directory, which is then executed by system users. This can lead to unauthorized access and control of the system, posing a significant risk to organizational data and operations.

  • Identify all systems running affected software.
  • Restrict access to the specified program directory.
  • Update to the fixed version and confirm resolution.
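The three remediation steps above can be checked from an elevated PowerShell session. The script below is an added example written for this advisory; it is not part of the page or of Docker's own tooling. It reports the installed Docker Desktop version against the fixed version the advisory names (2.1.0.1), lists any broad write access on the `%PROGRAMDATA%\DockerDesktop\version-bin\` directory (the precondition for a low-privilege user to drop a file there), and flags a `docker-credential-wincred.exe` present in that directory together with its Authenticode status. The registry uninstall keys used for version discovery and the identity patterns treated as "broad" are assumptions, not values from the advisory.

```powershell
# Added audit script for CVE-2019-15752 (not from the advisory or from Docker).
# Run elevated. Assumptions: Docker Desktop registers under the standard uninstall
# keys, and the version-bin path matches the one the advisory describes.
function Test-DockerCredHelperExposure {
    $versionBinDir = Join-Path $env:ProgramData 'DockerDesktop\version-bin'
    $fixedVersion  = [version]'2.1.0.1'   # fixed version named in the advisory

    # 1. Installed Docker Desktop version from the uninstall registry keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Docker Desktop*' } |
        Select-Object -First 1
    $installed = $null
    if ($entry) { $installed = $entry.DisplayVersion -as [version] }
    $belowFixed = ($null -ne $installed) -and ($installed -lt $fixedVersion)

    # 2. Who may create or write files in version-bin? Any of these rights is
    #    enough to plant a file; generic/full-control ACEs include them too.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                       [System.Security.AccessControl.FileSystemRights]::WriteData)
    $broadPrincipals = '\\Users$|Everyone|Authenticated Users|INTERACTIVE'   # assumed "low-privilege" identities
    $broadWriters = @()
    $helperInfo   = $null

    if (Test-Path -LiteralPath $versionBinDir) {
        $acl = Get-Acl -LiteralPath $versionBinDir
        foreach ($ace in $acl.Access) {
            $hasWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $hasWrite -and
                $ace.IdentityReference.Value -match $broadPrincipals) {
                $broadWriters += "$($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
            }
        }

        # 3. A credential helper sitting in version-bin is worth a look regardless
        #    of version: record its signature status rather than trusting the name.
        $helper = Join-Path $versionBinDir 'docker-credential-wincred.exe'
        if (Test-Path -LiteralPath $helper) {
            $sig = Get-AuthenticodeSignature -FilePath $helper
            $helperInfo = [pscustomobject]@{
                Path   = $helper
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Hash   = (Get-FileHash -LiteralPath $helper -Algorithm SHA256).Hash
            }
        }
    }

    [pscustomobject]@{
        InstalledVersion   = $installed
        BelowFixedVersion  = $belowFixed
        VersionBinExists   = (Test-Path -LiteralPath $versionBinDir)
        BroadWriteAccess   = $broadWriters
        CredentialHelper   = $helperInfo
        NeedsAttention     = $belowFixed -or ($broadWriters.Count -gt 0) -or
                             ($null -ne $helperInfo -and $helperInfo.Status -ne 'Valid')
    }
}

$result = Test-DockerCredHelperExposure
$result | Format-List
if ($result.NeedsAttention) {
    Write-Warning 'Host matches one or more CVE-2019-15752 preconditions; update Docker Desktop and tighten the version-bin ACL.'
}
```

The authoritative fix is the version update; the ACL check exists because the advisory lists directory restriction as a mitigation, and because an inherited `Users` write ACE on a `%PROGRAMDATA%` subdirectory is exactly the condition a local user needs. Where the function reports an unexpected or unsigned helper binary, treat the hash as the artifact to preserve for incident handling rather than deleting the file in place.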

Frequently asked questions

What is Docker Desktop Community Edition and its vulnerability?

Docker Desktop Community Edition is an application for Windows and Mac that aids developers in building, sharing, and running containerized applications. A privilege escalation vulnerability exists in versions before 2.1.0.1, allowing local users to gain higher privileges.

How does CVE-2019-15752 facilitate privilege escalation?

CVE-2019-15752 is a privilege escalation weakness classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). It enables a local user to elevate their privileges by tricking the system into executing a malicious executable disguised as a Docker credential helper.

What is the attack path for CVE-2019-15752?

A local, low-privilege user can place a malicious `docker-credential-wincred.exe` file in the `%PROGRAMDATA%\DockerDesktop\version-bin\` directory. When an administrator or service user interacts with Docker (e.g., by restarting it or running `docker login`), the malicious file can be executed with elevated privileges.

What is the relevance of CVE-2019-15752 to Halo Surface Signal?

The Halo Surface Signal classifies this vulnerability as 'Very unlikely' due to its local-only exploitation requirement on Windows systems. It necessitates a local user to place a malicious file in a specific directory to escalate privileges, making it unreachable via public internet or remote network vectors.

How can organizations address the Docker Desktop privilege escalation vulnerability?

Organizations should identify all systems running affected Docker Desktop Community Edition versions and update to a fixed version. Restricting access to the specified program data directory can also help mitigate the risk of exploitation.
