CVE-2018-15664 — Docker Elevation of Privilege Vulnerability
Executive Summary
CVE-2018-15664 describes a vulnerability in the Docker runtime (and the underlying community project, Moby) in which a malicious or compromised container can acquire full read/write access to the host operating system on which that container is running. The vulnerability stems from the way the Docker runtime handles symbolic links and is most directly exploitable through the Docker copy API ('docker cp' in the Docker CLI).

What is the risk for Azure Kubernetes Service (AKS) and Azure IoT Edge customers?

The risk for AKS and Azure IoT Edge customers is minimal, as both of the following must be true:
- A container on the host must be compromised.
- The attacker must have access to the host machine, as the Docker API is not exposed outside the host by default.
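The advisory does not carry the fix itself; as an added illustration of the containment rule the symlink handling turns on (written for this page, not Moby's or Docker's code), the Go helper below resolves a path inside a container rootfs while treating absolute symlink targets as relative to that rootfs, so a link to /etc inside the container resolves to <rootfs>/etc rather than the host's /etc. The helper name, the temporary rootfs and the demo symlink are constructed assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// resolveInRoot resolves p as though root were "/": symlinks are followed, but
// an absolute link target restarts at root (not the host's "/") and ".." never
// climbs above root. Hypothetical helper written for this page, not Moby's code.
func resolveInRoot(root, p string) (string, error) {
	resolved := "/" // always expressed relative to root
	for part, steps := "", 0; p != ""; steps++ {
		if steps > 4096 { // bounds the walk so a symlink loop cannot spin forever
			return "", fmt.Errorf("too many path components or symlink hops")
		}
		part, p, _ = strings.Cut(p, "/")
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved) // Dir("/") == "/", so no escape
			continue
		}
		candidate := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate // regular entry, or one that does not exist yet
			continue
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "/" // "/etc" inside the container means <root>/etc
		} else {
			resolved = filepath.Dir(candidate) // relative to the link's own directory
		}
		p = target + "/" + p // keep walking through the link target
	}
	return filepath.Join(root, resolved), nil
}
func main() {
	root, _ := os.MkdirTemp("", "rootfs") // constructed demo rootfs, not a real container
	_ = os.Symlink("/etc", filepath.Join(root, "evil"))
	fmt.Println(resolveInRoot(root, "/evil/passwd")) // prints <root>/etc/passwd <nil>
	os.RemoveAll(root)
}
```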
Overview
EPSS Score
Affected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Azure IoT Edge | Release Notes (Security Update) | Important | Elevation of Privilege | Maybe |
| Microsoft Azure Kubernetes Service | Release Notes (Security Update) | Important | Elevation of Privilege | Maybe |
Patches
| Article | Type | Restart |
|---|---|---|
| Release Notes | Security Update | Maybe |
Known Exploits
Acknowledgments
Microsoft has not published researcher acknowledgments for this CVE, or they are not yet reflected in our data source. Check the MSRC advisory directly for the most current credit information.