Docker Desktop danger discovered, patch now

https://ift.tt/3d6f4GF

Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service. The bug, discovered by Ceri Coburn, a researcher at security consultancy Pen Test Partners, exposed Docker for Windows to privilege elevation.

Docker is a container system that lets administrators run applications in their own environments. Containers are a little like virtual machines, but instead of recreating a whole operating system in software, they share a lot of the host OS’s underlying resources. That makes them smaller and more nimble than virtual machines (VMs).

There are two Docker components running under Windows that are important to this vulnerability: Docker Desktop Service (DDS) and Docker Desktop for Windows (DDW). DDS runs in the background, while DDW is the control panel that lets admins manage their containers.

When DDW opens, it spawns a lot of child processes in Windows that support container management. DDS connects to these child processes using a Windows mechanism called a pipe that allows different processes to communicate with each other.

DDS operates under a SYSTEM account in Windows, which is a very high-privilege account. An attacker gaining access to a SYSTEM account gets the keys to the kingdom.

The vulnerability that Pen Test Partners found uses a Windows feature called impersonation. It allows the server side of a connection, such as a pipe, to impersonate the client side. That’s because client processes often need the server process to carry out system tasks in their name.

via Naked Security – Sophos https://ift.tt/1pHdTOi

May 26, 2020 at 04:00PM
Danny Bradbury