CVE-2017-20198
Published 2025-07-23
Priority P2 · 72 · critical · CVSS 4.0 base score 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available (see references)
EPSS: 0.76% (50.6th percentile)
The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d2iq_inc | dc_os_marathon | < 1.9.0 | 1.9.0 |
Detection & IOCs (extracted from sources)
- Monitor Marathon UI API calls (unauthenticated) that submit container configurations mounting the host root filesystem '/' with read/write privileges; this is a strong indicator of exploitation attempts.
- Alert on new or modified files created under /etc/cron.d/ on DC/OS agent nodes, especially those owned by root and originating from a Docker container process.
- Detect Docker containers launched via Marathon that run as uid 0 (root) and have host volume mounts, particularly any volume mount targeting '/'.
- Flag unauthenticated HTTP requests to the Marathon UI endpoint that include container/volume configuration payloads, as the vulnerability allows deployment without authentication on DC/OS < 1.9.0.
Exploitation preconditions
- Exploitation only succeeds if there are sufficient resources available in the DC/OS cluster to schedule and deploy the malicious container.
- The malicious Docker image used must be a valid, pullable image from hub.docker.com; purely local or invalid images will not result in successful container deployment.
- The exploit is only effective on systems where the Docker daemon honors Marathon container configurations without policy enforcement (e.g., no AppArmor, SELinux, or admission control blocking privileged volume mounts).
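The indicators above boil down to one question about each app definition Marathon receives: can the container write to a host path that yields root code execution? The following checker, an added example that is not part of the advisory, the Metasploit module, or the Marathon project, answers that for a Marathon app JSON (the document posted to /v2/apps; the field names container.docker.image, container.docker.privileged and container.volumes[].hostPath/containerPath/mode follow Marathon's app definition schema). It generalizes past the literal '/' mount the advisory describes: an RW mount of any ancestor of /etc/cron.d (such as /etc) reaches the same target, so it resolves where on the container side such a write would land. The function and class names (analyze_app, host_path_reachable, Finding) and the three sample payloads are constructed for this example.

```python
"""Flag Marathon app definitions whose host volume mounts let the container
write to sensitive host paths (the CVE-2017-20198 deployment pattern).

Field names follow Marathon's app definition schema; the sample payloads at
the bottom are constructed for this example, not captured traffic.
"""
import json
import posixpath
from dataclasses import dataclass
from typing import Optional

# Host paths where a container write gives root code execution on the agent.
# An RW mount of any ancestor directory (including "/") reaches all of them.
SENSITIVE_HOST_PATHS = (
    "/etc/cron.d",
    "/etc/crontab",
    "/etc/ld.so.preload",
    "/root/.ssh",
    "/var/run/docker.sock",
)


@dataclass
class Finding:
    app_id: str
    severity: str
    reason: str


def _normalize(path: str) -> str:
    # Collapse "//", "/./" and "/a/../b" so "/etc/../" is not read as a harmless mount.
    # Leading slashes are stripped first because POSIX normpath preserves "//".
    return posixpath.normpath("/" + path.strip().lstrip("/"))


def _is_within(child: str, parent: str) -> bool:
    child, parent = _normalize(child), _normalize(parent)
    return parent == "/" or child == parent or child.startswith(parent + "/")


def writable_host_paths(app: dict) -> list:
    """Return (hostPath, containerPath) for each RW host volume in the app."""
    volumes = (app.get("container") or {}).get("volumes") or []
    out = []
    for v in volumes:
        host = v.get("hostPath")
        if not host:  # persistent/external volumes carry no hostPath; skip
            continue
        # A missing mode is treated as RW: the conservative choice for a detector.
        if str(v.get("mode", "RW")).upper() != "RW":
            continue
        out.append((_normalize(host), _normalize(v.get("containerPath", "/"))))
    return out


def host_path_reachable(app: dict, target: str) -> Optional[str]:
    """If some RW mount lets the container write `target` on the host, return
    the container-side path where that write lands; otherwise None."""
    for host, cpath in writable_host_paths(app):
        if _is_within(target, host):
            rel = posixpath.relpath(_normalize(target), host)
            return cpath if rel == "." else _normalize(posixpath.join(cpath, rel))
    return None


def analyze_app(app: dict) -> list:
    """Evaluate one Marathon app definition and return a list of Findings."""
    app_id = str(app.get("id", "?"))
    container = app.get("container") or {}
    docker = container.get("docker") or {}
    findings = []

    if docker.get("privileged"):
        findings.append(Finding(app_id, "high", "docker.privileged=true"))

    for host, cpath in writable_host_paths(app):
        if host == "/":
            findings.append(Finding(app_id, "critical",
                                    f"host root filesystem mounted RW at {cpath}"))
    for target in SENSITIVE_HOST_PATHS:
        landing = host_path_reachable(app, target)
        if landing is not None:
            findings.append(Finding(app_id, "critical",
                                    f"{target} writable from container at {landing}"))
    # Marathon's top-level "user" is optional; without it the image default applies,
    # which for most images is root, so any host write above is made as uid 0.
    if findings and not app.get("user"):
        findings.append(Finding(app_id, "info", "no non-root user set on the app"))
    return findings


def analyze_json(body: str) -> list:
    """Wrapper for a raw request body, as a reverse proxy or WAF hook sees it."""
    return analyze_app(json.loads(body))


# Constructed sample shaped like the deployment the advisory describes:
# arbitrary image, host "/" mounted RW, command that drops a cron job.
MALICIOUS_APP = {
    "id": "/cron-dropper", "cpus": 0.1, "mem": 32, "instances": 1,
    "cmd": "echo '* * * * * root id > /tmp/pwned' > /mnt/etc/cron.d/pwn",
    "container": {
        "type": "DOCKER",
        "docker": {"image": "alpine:3.19", "network": "BRIDGE"},
        "volumes": [{"containerPath": "/mnt", "hostPath": "/", "mode": "RW"}],
    },
}

# Constructed benign sample: read-only mount of a data directory.
BENIGN_APP = {
    "id": "/web", "cpus": 0.5, "mem": 128, "instances": 2,
    "container": {
        "type": "DOCKER",
        "docker": {"image": "nginx:1.25"},
        "volumes": [{"containerPath": "/usr/share/nginx/html",
                     "hostPath": "/srv/www", "mode": "RO"}],
    },
}

# Constructed subtler sample: not "/", but an ancestor of /etc/cron.d, RW.
ETC_MOUNT_APP = {
    "id": "/etc-writer",
    "container": {
        "type": "DOCKER",
        "docker": {"image": "busybox"},
        "volumes": [{"containerPath": "/host-etc", "hostPath": "/etc/", "mode": "RW"}],
    },
}

if __name__ == "__main__":
    for app in (MALICIOUS_APP, BENIGN_APP, ETC_MOUNT_APP):
        for f in analyze_app(app):
            print(f"{f.severity:8} {f.app_id}: {f.reason}")
```

Run it against request bodies captured at the Marathon endpoint or against `GET /v2/apps` output from an existing cluster; the root-mount finding is the indicator the sources call out, while the per-target resolution catches the same outcome reached through a narrower mount.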
No detection rules found.
No writeups or analysis indexed.
References
- https://dcos.io/
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dcos_marathon.rb
- https://web.archive.org/web/20230609134421/https://warroom.rsmus.com/dcos-marathon-compromise/
- https://www.exploit-db.com/exploits/42134
- https://www.vulncheck.com/advisories/dcos-marathon-docker-mount-abuse-rce