Moby, an open-source container framework, plays a crucial role in the Docker Engine, Docker Desktop, and other container tooling or runtime distributions. A vulnerability has been found in Moby version 26.. that involves IPv6 on container network interfaces: IPv6 is left enabled on these interfaces, including interfaces attached to networks created with --ipv6=false. This post will discuss the vulnerability, provide code snippets, reference links, and exploit details, to help users understand and mitigate the issue.

Description of the Vulnerability

The vulnerability (CVE-2024-32473) arises in Moby 26.. because IPv6 remains enabled on network interfaces even in cases where it should be disabled. Containers with an ipvlan or macvlan interface normally share an external network link directly with the host machine, so an interface that still speaks IPv6 is exposed to that link. This direct access can lead to the following issues:

- If router advertisements are being broadcast over the local network, containers may receive SLAAC-assigned addresses.
- The interface will be a member of IPv6 multicast groups.

It is important to note that, because of this vulnerability, interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.

Resolution

The vulnerability in Moby 26.. was patched in version 26..2. Users are advised to update to this version to avoid any potential security risks. In addition, to completely disable IPv6 in a container, you can pass the following sysctl when creating it:

docker create --sysctl=net.ipv6.conf.all.disable_ipv6=1 <container_image>

Or, you can use the following command when running a container:

docker run --sysctl=net.ipv6.conf.all.disable_ipv6=1 <container_image>

Alternatively, you can disable IPv6 in the service configuration of a Compose file by using:

services:
  <service_name>:
    image: <container_image>
    sysctls:
      - "net.ipv6.conf.all.disable_ipv6=1"
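To confirm that the sysctl actually took effect, the following audit script (an added example, not part of the original post or of Moby) parses `ip -6 addr` output from inside a container and reports exactly the addresses the advisory describes: link-local addresses and RA/SLAAC-assigned ("dynamic") addresses. The embedded sample output is constructed, not captured from a real host.

```python
"""Verify the CVE-2024-32473 mitigation inside a container: parse `ip -6 addr` and
report link-local and RA/SLAAC ("dynamic") IPv6 addresses. ::1 is ignored as harmless."""
import re
from ipaddress import IPv6Address

# Constructed sample output (not from a real host): a container on an IPv4-only
# macvlan network before and after net.ipv6.conf.all.disable_ipv6=1 is applied.
SAMPLE_BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8::42:acff:fe11:2/64 scope global dynamic mngtmpaddr
    inet6 fe80::42:acff:fe11:2/64 scope link
"""
SAMPLE_AFTER = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
2: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")              # "2: eth0@if12: <...>"
INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/\d+\s*(.*)$")

def audit_ip6(output):
    """Return {iface: {"link_local": [...], "slaac": [...], "static": [...]}} for non-loopback addresses."""
    report, iface = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m or iface is None:
            continue
        addr, flags = IPv6Address(m.group(1)), m.group(2).split()
        if addr.is_loopback:
            continue
        entry = report.setdefault(iface, {"link_local": [], "slaac": [], "static": []})
        if addr.is_link_local:
            entry["link_local"].append(str(addr))
        elif "dynamic" in flags:   # non-permanent address, i.e. learned from a router advertisement
            entry["slaac"].append(str(addr))
        else:
            entry["static"].append(str(addr))
    return report

def exposed(report):
    """True if any interface still carries a non-loopback IPv6 address."""
    return any(addrs for entry in report.values() for addrs in entry.values())
```

Inside a running container, feed it the live output (for example `docker exec <container> ip -6 addr`); an empty report means the sysctl did what the advisory recommends.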

Conclusion

This post has covered Moby's vulnerability (CVE-2024-32473) that involves IPv6 network interfaces and containers. By updating Moby to version 26..2 and implementing the provided code snippets in Docker commands or Compose files, users can mitigate the inherent security risks. More information on this vulnerability and its patch can be found in the following original references:

- Moby GitHub Repository
- Moby 26..2 Release Notes
- Docker Documentation: Disabling IPv6

Timeline

Published on: 04/18/2024 22:15:10 UTC
Last modified on: 04/19/2024 13:10:25 UTC