Microsoft has issued a patch for a critical vulnerability in the Docker for Windows subsystem that could be exploited for remote code execution on host machines.
Identified as CVE-2018-8115, the flaw affects the Windows Host Compute Service Shim, a management layer abstraction for low-level Docker functionality such as control groups, namespaces, and file system capabilities.
Microsoft explained in a security advisory that the vulnerability could be exploited by attackers to run arbitrary code on targeted systems.
"To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilising the Host Compute Service Shim library to execute malicious code on the Windows host," Microsoft said.
Version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) fixes the vulnerability.
Swiss software engineer Michael Hanselman discovered the issue, and reported it to Microsoft and Docker in February this year.
While Hanselman has yet to publish full details of the vulnerability and a proof of concept for it, at the behest of Microsoft, he explained that it involves imported Docker images being able to make file system changes outside the containers.
While Microsoft rates the vulnerability as critical, the company said that it has not been exploited, nor publicly disclosed.