Docker Model Runner Unauthenticated Runtime Flag Injection Vulnerability Allowing Arbitrary File Overwrite
Vulnerability
A vulnerability exists in Docker Model Runner (DMR) versions prior to 1.0.16, specifically in the POST '/engines/_configure' endpoint. The endpoint accepts arbitrary runtime flags without authentication and passes them unchanged to the command line of the underlying inference server, llama.cpp. By injecting the '--log-file' flag with an attacker-chosen path, anyone with network access to the Model Runner API can create or overwrite any file the Model Runner process can write to. In Docker Desktop, where Model Runner has been enabled by default since version 4.46.0, the API is reachable from any container with the default network configuration at 'model-runner.docker.internal', again without authentication. In that setting the injected flag can overwrite the Docker Desktop VM disk image 'Docker.raw', destroying all containers, images, volumes, and build history. Under certain configurations, and with user interaction, the same file write can also be leveraged for a container escape.
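The root cause described above is a flag passthrough without validation. The following Go example is added here to illustrate it; it is not Docker Model Runner's own code, and the function names, the 'llama-server' binary name, the allowlist and the constructed request are all assumptions. It places the vulnerable pattern (every caller-supplied flag appended to llama.cpp's argv, so '--log-file <path>' goes straight through) beside a hardened builder that only admits allowlisted numeric tuning flags, so no flag that names a file can reach the inference server:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// llamaBin stands in for the llama.cpp server binary the runner launches
// (assumed name, used only to make the built argv readable).
const llamaBin = "llama-server"

// vulnerableArgs mirrors the pre-1.0.16 behaviour described in the advisory:
// every runtime flag taken from the unauthenticated request body is appended
// to the llama.cpp command line unchanged, so "--log-file <path>" is honoured.
func vulnerableArgs(model string, runtimeFlags []string) []string {
	args := []string{llamaBin, "--model", model}
	return append(args, runtimeFlags...)
}

// allowedFlags is a hypothetical allowlist of tuning flags that take an
// unsigned integer value and never name a file. Anything else is rejected.
var allowedFlags = map[string]bool{
	"--ctx-size":     true,
	"--threads":      true,
	"--n-gpu-layers": true,
}

var errFlagNotAllowed = errors.New("runtime flag not in allowlist")

// hardenedArgs accepts only allowlisted "--flag value" pairs. It rejects
// "--flag=value" spellings (so the allowlist lookup cannot be bypassed), bare
// flags without a value, and any value that is not a plain unsigned integer,
// so a file path can never be smuggled into the llama.cpp argv.
func hardenedArgs(model string, runtimeFlags []string) ([]string, error) {
	args := []string{llamaBin, "--model", model}
	for i := 0; i < len(runtimeFlags); i += 2 {
		flag := runtimeFlags[i]
		if strings.Contains(flag, "=") || !allowedFlags[flag] {
			return nil, fmt.Errorf("%w: %q", errFlagNotAllowed, flag)
		}
		if i+1 >= len(runtimeFlags) {
			return nil, fmt.Errorf("%w: %q has no value", errFlagNotAllowed, flag)
		}
		val := runtimeFlags[i+1]
		if !isUint(val) {
			return nil, fmt.Errorf("%w: %q=%q is not numeric", errFlagNotAllowed, flag, val)
		}
		args = append(args, flag, val)
	}
	return args, nil
}

// isUint reports whether s is a non-empty string of ASCII digits.
func isUint(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

func main() {
	// Constructed request body: one legitimate tuning flag followed by the
	// injected log-file flag. The target path is a placeholder, not the real
	// location of Docker.raw.
	injected := []string{"--ctx-size", "4096", "--log-file", "/path/to/Docker.raw"}

	fmt.Println("vulnerable argv:", vulnerableArgs("model.gguf", injected))
	if _, err := hardenedArgs("model.gguf", injected); err != nil {
		fmt.Println("hardened rejects:", err)
	}
}
```

The allowlist is deliberately positive (what is permitted) rather than a blocklist of known-bad flags such as '--log-file': llama.cpp has other flags that take paths, and a blocklist silently falls behind as the upstream CLI changes. The endpoint should additionally require authentication, which this snippet does not model.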
Impact
Exploitation allows an unauthenticated attacker with network access to the Model Runner API to write or overwrite any file the Docker Model Runner process can write to. On Docker Desktop this includes the VM disk image, so a single request can destroy all Docker resources on the machine: containers, images, volumes, and build history. In specific configurations, and with user interaction, the file write can further be leveraged to escape the container and reach the host system.
Remediation
Users of Docker Model Runner should update to version 1.0.16 or later. Docker Desktop users should update to version 4.61.0 or later, which ships the patched Model Runner. As defence in depth, Docker Desktop users can also enable Enhanced Container Isolation (ECI), which blocks container access to Model Runner and so closes the container-to-API path described above even on an unpatched host.
