
John Hammond Explores Recent Docker Desktop Vulnerability (CVE-2025-9074)
In this video, John Hammond explores a recent vulnerability in Docker Desktop for Windows, identified as CVE-2025-9074. This flaw allows a complete escape from Docker via a simple SSRF (Server-Side Request Forgery) request from any container. John begins by paying tribute to Félix Boulet, the researcher who discovered this vulnerability, and Philippe Dugré of Pvotal Technologies, who assisted in the research.
The vulnerability affects versions of Docker Desktop for Windows and macOS prior to version 4.44.3. John explains that in these unpatched versions, a container can connect to a specific IP address on a particular port without authentication, allowing the creation and starting of a privileged container. This privileged container can then mount the C drive of the Windows host system, thereby gaining full access to the host's file system. Although this does not immediately lead to code execution on the host, it allows reading and writing files, which can be used to achieve code execution later through persistence methods such as scheduled tasks.
John demonstrates how to download a vulnerable version of Docker Desktop using VirusTotal, a platform that allows searching for and downloading specific files. He installs this version on his host system and shows how to exploit the vulnerability using HTTP POST requests to create and start a privileged container. He uses an Alpine Linux image and wget commands to send HTTP requests to the Docker API, demonstrating the exploitation.
The video highlights several important security lessons. John emphasizes that internal interfaces are not inherently secure and that every access and entry point must be evaluated, both internally and externally. He stresses the importance of testing and scanning to verify network isolation and the need not to trust default security models blindly. He also encourages collaboration with friends and experts to discover these security flaws.
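The "test and scan to verify network isolation" lesson above, turned into an added defender's check (this is not code from the video or from Docker). It assumes the Docker Engine API is served over plain HTTP at an address the summary leaves unnamed (passed in as a placeholder host; the default port 2375 is only the conventional unencrypted Docker API port, an assumption), and that Docker Desktop reports its own version in the `Platform.Name` field of the `/version` response. It issues a single unauthenticated `GET /version`, never creates a container, and reports whether isolation holds and whether the reported version predates the 4.44.3 fix.

```python
"""Defender-side check for the Docker Desktop API-exposure flaw summarised above.

Run from inside a container: it asks the Docker Engine API for its version over
plain HTTP (a read-only request) and reports whether the API answered without
authentication and whether the Docker Desktop version it names is below 4.44.3.
"""
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (4, 44, 3)  # first Docker Desktop release with the fix (from the page)


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Docker Desktop 4.44.2 (1234)'.
    Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(text):
    """True when the version named in `text` predates the fixed release 4.44.3."""
    ver = parse_version(text)
    return ver is not None and ver < FIXED_VERSION


def assess_version_response(body):
    """Interpret the JSON body of GET /version and return what a defender needs."""
    info = json.loads(body)
    # Assumption: Docker Desktop populates Platform.Name with its own version string.
    platform = info.get("Platform", {}).get("Name", "")
    return {
        "api_version": info.get("ApiVersion"),
        "platform": platform,
        "vulnerable_version": is_vulnerable_version(platform),
    }


def probe_engine_api(host, port=2375, timeout=3.0):
    """Fetch /version from host:port with no credentials. Returns the assessment
    dict when the API answers, or None when the network is isolated as it should be."""
    url = f"http://{host}:{port}/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess_version_response(resp.read().decode())
    except (urllib.error.URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "DOCKER_API_HOST_PLACEHOLDER"
    result = probe_engine_api(host)
    if result is None:
        print("engine API not reachable from this container: isolation holds")
    else:
        print("engine API reachable WITHOUT authentication:", result)
```

A `None` result means the request failed, which is the expected outcome on a patched install; a dict means the container can talk to the engine API unauthenticated and the deployment needs the 4.44.3 update regardless of the version string.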
John concludes by discussing the practical implications of this vulnerability. Although it is unlikely that this flaw will be exploited in production environments, it underscores the importance of keeping software up to date. He also ponders the likelihood of this vulnerability being exploited in real-world scenarios, particularly through web applications exposed to SSRF vulnerabilities.
Finally, John reminds viewers of the importance of updating Docker Desktop to version 4.44.3 to protect against this vulnerability. He ends by inviting viewers to share their thoughts in the comments and to subscribe to his channel for more cybersecurity content.