Moby is a widely-used open-source container framework developed by Docker Inc. that is distributed in various forms such as Docker, Mirantis Container Runtime, and several other downstream projects/products. A crucial component of Moby is Swarm Mode, its built-in container orchestrator, which provides virtual networking among containers and services across a cluster using the overlay network driver. One of the advanced features of the overlay network driver is its support for encrypted mode, which secures communication between nodes using IPsec encapsulation. However, a vulnerability (CVE-2023-28840) has been discovered in Moby's encrypted overlay network implementation that may expose it to packet injection attacks. In this post, we will delve into the details of this vulnerability, including its potential impact and exploit, as well as the patch and some workarounds.

The Vulnerability: CVE-2023-28840

The vulnerability in question is related to the iptables rules that Moby installs to enforce IPsec on encrypted overlay networks. It has been found that administrator-set iptables rules take precedence over Moby's rules for discarding unencrypted VXLAN datagrams. Consequently, an attacker could potentially inject arbitrary Ethernet frames into the overlay network, ultimately leading to denial of service attacks or other escalations.

Here is an example of how an iptables rule can be crafted to exploit this vulnerability:

iptables -A INPUT -p udp --dport 4789 -j DROP

The above rule, when set by a system administrator, is evaluated before Moby's rules and allows the injection of unencrypted Ethernet frames into the encrypted overlay network.

The Exploit Potential

An attacker who successfully exploits this vulnerability could cause a denial of service by flooding the overlay network with unauthorized packets. Moreover, they could establish outbound connections that would usually be blocked by a stateful firewall, or even smuggle packets into the overlay network, resulting in further security escalations.

Patch and Workarounds

The Moby team released patches in Moby versions 23.0.3 and 20.10.24 to address this vulnerability. Users of the Mirantis Container Runtime platform, which uses a different versioning scheme, should update to version 20.10.16.

However, if updating is not possible or convenient, there are some workarounds to consider:

1. Close the VXLAN port (default: UDP port 4789) to incoming traffic at the Internet boundary. This will prevent all VXLAN packet injections from external sources.

2. Ensure that the xt_u32 kernel module is available on all nodes of the Swarm cluster to enable proper functioning of Moby's iptables rules.
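
The following audit script is an added example, not code from the advisory, Moby or Docker. It reads an `iptables -S INPUT` listing and reports any administrator rule on the VXLAN port that is evaluated before Moby's own rules, the ordering problem described above, and checks whether xt_u32 is loaded (workaround 2). The shape of Moby's rules (a `-m u32` match on the VNI) and the sample listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or Moby): audit the INPUT chain ordering
# that CVE-2023-28840 depends on, plus a check for the xt_u32 module.

VXLAN_PORT=4789   # default VXLAN port; change it if the swarm uses another one

# shadowed_vxlan_rule LISTING
# Exit 0 and print the first admin rule matching UDP/$VXLAN_PORT that sits ahead
# of every rule carrying "-m u32" (assumed to mark Moby's encryption filter);
# exit 1 when Moby's rules come first or no admin rule touches the port.
shadowed_vxlan_rule() {
    printf '%s\n' "$1" | awk -v port="$VXLAN_PORT" '
        /^-A INPUT / && /-p udp/ && /-m u32/ { moby_seen = 1 }
        /^-A INPUT / && /-p udp/ && !/-m u32/ && !/-m policy/ &&
            $0 ~ ("--dport " port "( |$)") && !moby_seen { print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# xt_u32_loaded MODULES
# Exit 0 if xt_u32 appears in a /proc/modules-style listing. A kernel with
# xt_u32 built in will not list it here; check modules.builtin in that case.
xt_u32_loaded() {
    printf '%s\n' "$1" | grep -q '^xt_u32 '
}

# Constructed sample listings (not captured from a real node). The u32 match
# values are illustrative; only the rule ordering matters for the audit.
MOBY_DROP='-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100000" -j DROP'
MOBY_ACCEPT='-A INPUT -p udp -m udp --dport 4789 -m policy --dir in --pol ipsec -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100000" -j ACCEPT'
ADMIN_RULE='-A INPUT -p udp -m udp --dport 4789 -j DROP'   # the rule from the post, as iptables -S prints it

# Admin rule ahead of Moby's rules: the ordering the advisory warns about.
SHADOWED_INPUT="-P INPUT ACCEPT
$ADMIN_RULE
$MOBY_ACCEPT
$MOBY_DROP"

# Moby's rules first: the admin rule no longer shadows them.
SAFE_INPUT="-P INPUT ACCEPT
$MOBY_ACCEPT
$MOBY_DROP
$ADMIN_RULE"

# On a live node (as root):
#   shadowed_vxlan_rule "$(iptables -S INPUT)" && echo "admin rule shadows Moby's VXLAN filter"
#   xt_u32_loaded "$(cat /proc/modules)" || echo "xt_u32 not loaded"
```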

Final Words

CVE-2023-28840 is a critical vulnerability impacting Moby's encrypted overlay networks, and it may open the door to various attacks, including denial of service and other escalations. It is essential to install the available patch for your Moby distribution or, if not feasible, apply one of the suggested workarounds to mitigate the risk. In addition, system administrators are advised to regularly review iptables rulesets and ensure they do not inadvertently compromise security.

- Moby Project: https://github.com/opencontainers/runc
- Docker Official Documentation: https://docs.docker.com/engine/reference/commandline/dockerd
- Vulnerability Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28840
- Patch Release Announcement: https://github.com/moby/moby/releases

Timeline

Published on: 04/04/2023 22:15:00 UTC
Last modified on: 04/14/2023 15:23:00 UTC