Vulnerabilities > CVE-2018-15514 - Deserialization of Untrusted Data vulnerability in Docker

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

docker

CWE-502

nessus

NVD

Published: 2018-09-01

Updated: 2018-11-09

Summary

HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges.

Vulnerable Configurations

Part	Description	Count
Application	Docker Docker Docker 1.10.0.0-0 Docker Docker 1.10.1.42-1 Docker Docker 1.10.2.12 Docker Docker 1.10.2.14 Docker Docker 1.10.4.0 Docker Docker 1.10.6 Docker Docker 1.11.0 Docker Docker 1.11.1 Docker Docker 1.11.2 Docker Docker 1.12.0 Docker Docker 1.12.1 Docker Docker 1.12.2 Docker Docker 1.12.3 Docker Docker 1.12.5 Docker Docker 1.13.0 Docker Docker 1.13.1 Docker Docker 17.0.4 Docker Docker 17.0.5 Docker Docker 17.03.0 Docker Docker 17.03.1 Docker Docker 17.04.0 Docker Docker 17.06.0 Docker Docker 17.06.1 Docker Docker 17.06.2 Docker Docker 17.07.0 Docker Docker 17.09.0 Docker Docker 17.09.1 Docker Docker 17.10.0 Docker Docker 17.11.0 Docker Docker 17.12.0 Docker Docker 18.01.0 Docker Docker 18.02.0 Docker Docker 18.03.0 Docker Docker 18.03.1 Docker Docker 18.04.0 Docker Docker 18.05.0	104

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Nessus

NASL family	Windows
NASL id	DOCKER_FOR_WINDOWS_CVE-2018-15514.NASL
description	The version of Docker for Windows installed on the remote Windows host is stable channel < 18.06.0-ce-win70 or edge channel < 18.06.0-ce-rc3-win68. It is, therefore, affected by a remote privilege escalation vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	117358
published	2018-09-07
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117358
title	Docker for Windows stable < 18.06.0-ce-win70 / edge < 18.06.0-ce-rc3-win68 Remote Privilege Escalation Vulnerability
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(117358); script_version("1.4"); script_cvs_date("Date: 2019/11/01"); script_cve_id("CVE-2018-15514"); script_bugtraq_id(105202); script_xref(name:"IAVA", value:"2018-A-0283"); script_name(english:"Docker for Windows stable < 18.06.0-ce-win70 / edge < 18.06.0-ce-rc3-win68 Remote Privilege Escalation Vulnerability"); script_summary(english:"Checks the Docker for Windows version."); script_set_attribute(attribute:"synopsis", value: "The remote host has an application installed that is affected by a remote privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of Docker for Windows installed on the remote Windows host is stable channel < 18.06.0-ce-win70 or edge channel < 18.06.0-ce-rc3-win68. It is, therefore, affected by a remote privilege escalation vulnerability."); # https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6032ba75"); script_set_attribute(attribute:"see_also", value:"https://docs.docker.com/docker-for-windows/release-notes/"); script_set_attribute(attribute:"see_also", value:"https://docs.docker.com/docker-for-windows/edge-release-notes/"); script_set_attribute(attribute:"solution", value: "Upgrade to Docker for Windows stable 18.06.0-ce-win70 or edge 18.06.0-ce-rc3-win68 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15514"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:docker:docker"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("docker_for_windows_installed.nbin"); script_require_keys("installed_sw/Docker for Windows", "SMB/Registry/Enumerated"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); app_info = vcf::get_app_info(app:"Docker for Windows", win_local:TRUE); if (app_info.Channel == "stable") constraints = [{"min_version":"17.0", "fixed_version":"18.6.0.19075", "fixed_display":"18.06.0-ce-win70"}]; else if (app_info.Channel == "edge") constraints = [{"min_version":"17.0", "fixed_version":"18.6.0.18994", "fixed_display":"18.06.0-ce-rc3-win68"}]; else vcf::audit(); vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References