Vulnerabilities > CVE-2018-15514 - Deserialization of Untrusted Data vulnerability in Docker

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

docker

CWE-502

nessus

NVD

Published: 2018-09-01

Updated: 2018-11-09

Summary

HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges.

Vulnerable Configurations

Part	Description	Count
Application	Docker Docker Docker 18.03.0 Docker Docker 17.12.0 Docker Docker 17.09.1 Docker Docker 17.09.0 Docker Docker 17.06.2 Docker Docker 17.06.1 Docker Docker 17.06.0 Docker Docker 17.03.1 Docker Docker 17.03.0 Docker Docker 18.03.1 Docker Docker 18.05.0 Docker Docker 18.04.0 Docker Docker 18.02.0 Docker Docker 18.01.0 Docker Docker 17.11.0 Docker Docker 17.10.0 Docker Docker 17.07.0 Docker Docker 17.0.5 Docker Docker 17.0.4 Docker Docker 17.04.0 Docker Docker 1.13.1 Docker Docker 1.13.0 Docker Docker 1.12.5 Docker Docker 1.12.3 Docker Docker 1.12.1 Docker Docker 1.12.0 Docker Docker 1.12.2 Docker Docker 1.11.2 Docker Docker 1.11.1 Docker Docker 1.11.0 Docker Docker 1.10.6 Docker Docker 1.10.4.0 Docker Docker 1.10.2.14 Docker Docker 1.10.2.12 Docker Docker 1.10.1.42-1 Docker Docker 1.10.0.0-0	104

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Nessus

NASL family	Windows
NASL id	DOCKER_FOR_WINDOWS_CVE-2018-15514.NASL
description	The version of Docker for Windows installed on the remote Windows host is stable channel < 18.06.0-ce-win70 or edge channel < 18.06.0-ce-rc3-win68. It is, therefore, affected by a remote privilege escalation vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	117358
published	2018-09-07
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117358
title	Docker for Windows stable < 18.06.0-ce-win70 / edge < 18.06.0-ce-rc3-win68 Remote Privilege Escalation Vulnerability
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(117358); script_version("1.4"); script_cvs_date("Date: 2019/11/01"); script_cve_id("CVE-2018-15514"); script_bugtraq_id(105202); script_xref(name:"IAVA", value:"2018-A-0283"); script_name(english:"Docker for Windows stable < 18.06.0-ce-win70 / edge < 18.06.0-ce-rc3-win68 Remote Privilege Escalation Vulnerability"); script_summary(english:"Checks the Docker for Windows version."); script_set_attribute(attribute:"synopsis", value: "The remote host has an application installed that is affected by a remote privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of Docker for Windows installed on the remote Windows host is stable channel < 18.06.0-ce-win70 or edge channel < 18.06.0-ce-rc3-win68. It is, therefore, affected by a remote privilege escalation vulnerability."); # https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6032ba75"); script_set_attribute(attribute:"see_also", value:"https://docs.docker.com/docker-for-windows/release-notes/"); script_set_attribute(attribute:"see_also", value:"https://docs.docker.com/docker-for-windows/edge-release-notes/"); script_set_attribute(attribute:"solution", value: "Upgrade to Docker for Windows stable 18.06.0-ce-win70 or edge 18.06.0-ce-rc3-win68 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15514"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:docker:docker"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("docker_for_windows_installed.nbin"); script_require_keys("installed_sw/Docker for Windows", "SMB/Registry/Enumerated"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); app_info = vcf::get_app_info(app:"Docker for Windows", win_local:TRUE); if (app_info.Channel == "stable") constraints = [{"min_version":"17.0", "fixed_version":"18.6.0.19075", "fixed_display":"18.06.0-ce-win70"}]; else if (app_info.Channel == "edge") constraints = [{"min_version":"17.0", "fixed_version":"18.6.0.18994", "fixed_display":"18.06.0-ce-rc3-win68"}]; else vcf::audit(); vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References