Docker Desktop for Windows Privilege Escalation Vulnerability

Vulnerability

A vulnerability exists in the update process of Docker Desktop for Windows, affecting versions prior to 4.41.0. This vulnerability could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During updates, Docker Desktop attempts to delete files in the C:\ProgramData\Docker\config directory with elevated privileges. However, this directory typically does not exist by default, and normal users can create new directories in C:\ProgramData\. By establishing a malicious folder structure in the right location, an attacker can manipulate the update process to delete or alter arbitrary system files, resulting in unauthorized privilege escalation.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a low-privileged user to gain SYSTEM rights.

Reproduction

The vulnerability can be reproduced by creating a malicious folder structure under 'C:\ProgramData\' that mimics the expected 'Docker\config' directory. Once this structure is in place, the Docker Desktop update process can be triggered, which will inadvertently delete or modify system files based on the attacker's manipulation.

Remediation

Users are advised to update Docker Desktop for Windows to version 4.41.0 or later.
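
To check a host for the precondition described under Vulnerability, the following PowerShell audit reports whether C:\ProgramData\Docker or its config subdirectory is absent, is a reparse point, is owned by a non-administrative account, or grants create/delete rights to one. It is an added example, not code from Docker or from this advisory; the trusted-SID list and the function name Test-DockerConfigPath are assumptions.

```powershell
# Added example, not Docker's code. Audits the directories named in the advisory.
# Assumption: only these well-known SIDs count as trusted owners/writers.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-DockerConfigPath {
    param([string[]]$Path = @('C:\ProgramData\Docker', 'C:\ProgramData\Docker\config'))
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Finding = 'Absent'; Detail = 'Not present; creatable by whoever can write to the parent' }
            continue
        }
        # A junction or symlink here redirects privileged file operations elsewhere.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{ Path = $p; Finding = 'ReparsePoint'; Detail = "LinkType=$($item.LinkType)" }
        }
        $acl = Get-Acl -LiteralPath $p
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($ownerSid -notin $TrustedSids) {
            [pscustomobject]@{ Path = $p; Finding = 'UntrustedOwner'; Detail = "$($acl.Owner) ($ownerSid)" }
        }
        # Allow ACEs that let a non-admin principal create or delete entries.
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $TrustedSids -and
                ($ace.FileSystemRights -band $WriteMask)) {
                [pscustomobject]@{ Path = $p; Finding = 'WritableByNonAdmin'; Detail = "$sid : $($ace.FileSystemRights)" }
            }
        }
    }
}

Test-DockerConfigPath | Format-Table -AutoSize -Wrap
```

An UntrustedOwner or ReparsePoint finding on a host still running a version prior to 4.41.0 is the strongest signal that the directory was pre-created by a non-administrative user and should be reviewed before the next update runs.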

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.