Description
A vulnerability was identified in Docker Desktop that allows locally running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands against the engine API, including controlling other containers, creating new ones, managing images, etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-25308
1. Vulnerability Assessment and Severity Evaluation
The vulnerability identified in Docker Desktop (EUVD-2025-25308) allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, typically at 192.168.65.7:2375. This vulnerability is critical because it enables the execution of privileged commands through the Docker Engine API, including controlling other containers, creating new ones, and managing images. The severity is further exacerbated by the potential to mount the host drive with the same privileges as the user running Docker Desktop, particularly in environments using Docker Desktop for Windows with the WSL backend.
Severity Evaluation:
- Base Score: 9.3 (CVSS 4.0)
- Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
The high base score reflects the potential for a severe impact on confidentiality, integrity, and availability, including on the host and other containers (the SC/SI/SA components are all High). The attack vector is local, the complexity is low, no privileges are required, and the only user interaction is passive (UI:P), i.e. the user merely has to run a container, which makes the vulnerability highly exploitable.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Local Exploitation: An attacker with local access to a system running Docker Desktop can exploit this vulnerability by running a malicious container that accesses the Docker Engine API.
- Container Escape: Containers running with elevated privileges or misconfigured settings can escape their isolation and interact with the Docker Engine API, leading to further compromise.
Exploitation Methods:
- API Access: By accessing the Docker Engine API, an attacker can execute a wide range of privileged commands, such as creating new containers, managing images, and controlling other containers.
- Host Drive Mounting: In specific configurations (e.g., Docker Desktop for Windows with WSL backend), the attacker can mount the host drive, gaining access to sensitive files and data.
3. Affected Systems and Software Versions
Affected Systems:
- Systems running Docker Desktop versions 4.25 to 4.44.3.
- Both Linux and Windows environments are affected, particularly those using the WSL backend on Windows.
Software Versions:
- Docker Desktop versions 4.25 to 4.44.3.
4. Recommended Mitigation Strategies
Immediate Mitigations:
- Update Docker Desktop: Upgrade to Docker Desktop version 4.44.3 or later, which includes the patch for this vulnerability.
- Disable Unnecessary Features: Disable the "Expose daemon on tcp://localhost:2375 without TLS" option unless absolutely necessary.
- Enhanced Container Isolation (ECI): Ensure ECI is enabled to provide additional security layers.
Long-Term Mitigations:
- Regular Audits: Conduct regular security audits of Docker configurations and container deployments.
- Least Privilege Principle: Apply the principle of least privilege to containerized applications and Docker configurations.
- Network Segmentation: Implement network segmentation to isolate Docker containers and limit their access to critical systems.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations and individuals using Docker Desktop within the European Union. Given the widespread use of Docker for containerization, the potential for widespread exploitation is high. This vulnerability underscores the need for robust security practices and timely patch management to protect against such threats.
6. Technical Details for Security Professionals
Technical Overview:
- Docker Engine API Access: The vulnerability allows containers to access the Docker Engine API at 192.168.65.7:2375, enabling privileged command execution.
- Configuration Settings: The vulnerability is present regardless of the "Expose daemon on tcp://localhost:2375 without TLS" option and Enhanced Container Isolation (ECI) settings.
- Host Drive Mounting: In Docker Desktop for Windows with WSL backend, the vulnerability can lead to mounting the host drive with user privileges.
Detection and Response:
- Monitoring: Implement monitoring for unusual Docker Engine API activity and unauthorized container creation or management.
- Logging: Enable comprehensive logging for Docker Engine API interactions to detect and respond to suspicious activities.
- Incident Response: Develop and maintain an incident response plan specific to containerized environments to quickly address and mitigate potential exploitations.
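As an added example (not part of the advisory and not Docker's own tooling), the monitoring rule described above applied to constructed connection-log lines: any request reaching the engine API endpoint named in the advisory from a source outside a known-good allow-list is flagged, and requests matching the privileged operations the advisory lists (creating or controlling containers, managing images) are rated high. The log line format, the sample addresses and the allow-list are assumptions.

```python
import re

# Engine API endpoint the advisory says containers can reach (Docker Desktop default).
ENGINE_API_HOST = "192.168.65.7"
ENGINE_API_PORT = 2375

# Constructed sample log lines (assumed key=value format, not real Docker Desktop output).
LOG_LINES = [
    "2025-08-20T10:00:01Z src=172.17.0.3 dst=172.17.0.1 dport=80 method=GET path=/",
    "2025-08-20T10:00:02Z src=172.17.0.3 dst=192.168.65.7 dport=2375 method=GET path=/version",
    "2025-08-20T10:00:03Z src=172.17.0.3 dst=192.168.65.7 dport=2375 method=POST path=/v1.45/containers/create",
    "2025-08-20T10:00:04Z src=172.17.0.4 dst=192.168.65.7 dport=2375 method=POST path=/v1.45/containers/abc123/start",
    "2025-08-20T10:00:05Z src=192.168.65.2 dst=192.168.65.7 dport=2375 method=GET path=/v1.45/containers/json",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: method=(?P<method>\S+) path=(?P<path>\S+))?$"
)

# API paths that correspond to the privileged actions the advisory lists; an optional
# API version prefix (/v1.45) is tolerated before the resource path.
PRIVILEGED_RE = re.compile(
    r"^(?:/v[\d.]+)?/(containers/create|containers/[^/]+/(start|stop|kill|exec|attach)"
    r"|images|exec|volumes|build)"
)


def classify(line, allowed_sources=frozenset()):
    """Return None for traffic not aimed at the engine API (or from an allowed source),
    otherwise an alert dict with a severity derived from method and path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["dst"] != ENGINE_API_HOST or int(m["dport"]) != ENGINE_API_PORT:
        return None
    if m["src"] in allowed_sources:
        return None
    method, path = m["method"] or "?", m["path"] or "?"
    privileged = method in ("POST", "PUT", "DELETE") or PRIVILEGED_RE.match(path) is not None
    return {"ts": m["ts"], "src": m["src"], "method": method, "path": path,
            "severity": "high" if privileged else "medium"}


def scan(lines, allowed_sources=frozenset()):
    """Run classify() over every line and keep only the alerts."""
    return [a for a in (classify(line, allowed_sources) for line in lines) if a]


if __name__ == "__main__":
    # Assumed allow-list: the host-side address Docker Desktop itself uses.
    for alert in scan(LOG_LINES, {"192.168.65.2"}):
        print(alert)
```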
Conclusion: The vulnerability in Docker Desktop (EUVD-2025-25308) is critical and requires immediate attention. Organizations should prioritize updating to the latest patched version of Docker Desktop and implement robust security measures to mitigate the risk of exploitation. Regular audits, least privilege principles, and network segmentation are essential for long-term security.