Description: A vulnerability (CVE-2023-28841) in Moby's overlay network driver can cause encrypted overlay networks on affected platforms to silently transmit unencrypted data.

Affected Frameworks and Products

- Moby, an open-source container framework developed by Docker Inc., is distributed as Docker, Mirantis Container Runtime, and various other downstream projects and products.
- Swarm Mode is a simple, built-in container orchestrator implemented through SwarmKit and supporting network code. It is compiled into dockerd and delivered by default, so it is present in most major Moby downstreams.

Vulnerability Details

The vulnerability lies in the overlay network driver, which creates isolated virtual LANs for communication between containers and services across a Swarm Mode cluster. The driver uses the VXLAN protocol, which encapsulates link-layer (Ethernet) frames in UDP datagrams tagged with a VXLAN Network Identifier (VNI).

The overlay network driver also supports an optional encrypted mode that protects the VXLAN datagrams with the IPsec Encapsulating Security Payload (ESP) protocol in transport mode, providing confidentiality, data integrity and source authentication for traffic between containers on the network. Moby installs three iptables rules per encrypted network to enforce IPsec on incoming and outgoing VXLAN datagrams; the rules select the datagrams of that network by VNI using the xt_u32 match extension.

On affected platforms, which the workaround below identifies as nodes lacking the xt_u32 kernel module, the rules that enforce IPsec are not in effect and an encrypted overlay network silently transmits unencrypted data. An attacker in a trusted position on the network path can read that traffic, disclosing secrets or user data that the operator believed was protected.
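To make the mechanism concrete, the following is an added Python example, not code from the advisory or from Moby (whose driver is written in Go). It builds a VXLAN datagram, evaluates the u32 expression that the driver's rules use to select one VNI, shows what a sniffer recovers from a plaintext datagram, and models the INPUT chain with and without the rules installed. The packet contents, addresses and the `inbound_verdict` model are constructed for illustration; the u32 expression is written in the form Moby's overlay driver builds it, which you should verify against the driver source for your version.

```python
import struct

VXLAN_PORT = 4789  # default VXLAN UDP port used by the overlay driver


def u32_vni_match(vni):
    """xt_u32 expression that picks out plaintext VXLAN datagrams for one VNI.
    0>>22&0x3C  : IPv4 header length in bytes (IHL * 4)
    @12         : jump past the UDP header (8) and the VXLAN flags/reserved word (4)
    &0xFFFFFF00 : keep the 24-bit VNI, discard the reserved low byte
    =vni<<8     : compare with the VNI in its on-the-wire position"""
    return "0>>22&0x3C@12&0xFFFFFF00=%d" % (vni << 8)


def build_vxlan_datagram(vni, inner_frame, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed sample input: an IPv4/UDP/VXLAN datagram carrying an Ethernet frame."""
    vxlan_hdr = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)    # I flag set, VNI<<8
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # ephemeral sport, no csum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def build_esp_packet(payload, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed sample input: an IPv4 packet whose payload is ESP (protocol 50)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 50, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split("."))) + payload


def vni_of(packet):
    """Evaluate the u32 expression against a raw IPv4 packet the way the kernel would.
    Returns the VNI of a plaintext UDP datagram to VXLAN_PORT, else None: an ESP packet
    is not UDP, so the rules never look at it."""
    ihl = (struct.unpack("!I", packet[:4])[0] >> 22) & 0x3C   # IHL * 4
    if packet[9] != 17 or struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != VXLAN_PORT:
        return None
    word = struct.unpack("!I", packet[ihl + 12:ihl + 16])[0]
    return (word & 0xFFFFFF00) >> 8


def inner_frame(packet):
    """What a sniffer recovers from a VXLAN datagram sent in plaintext: the entire
    encapsulated Ethernet frame, application data included."""
    ihl = (struct.unpack("!I", packet[:4])[0] >> 22) & 0x3C
    return packet[ihl + 16:]


def inbound_verdict(packet, vni, rules_installed, via_ipsec=False):
    """Simplified model of the INPUT chain for one encrypted VNI (constructed model).
    rules_installed=False represents a node where the u32 rules were never added, the
    CVE-2023-28841 condition: plaintext VXLAN for the VNI is accepted as if the network
    had never been marked encrypted."""
    if rules_installed and vni_of(packet) == vni:
        return "ACCEPT" if via_ipsec else "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # constructed Ethernet frame: broadcast dst, a container MAC, EtherType 0x0800, app data
    frame = bytes.fromhex("ffffffffffff" "02420a000002" "0800") + b"GET /?token=hunter2 HTTP/1.1"
    pkt = build_vxlan_datagram(4097, frame)
    print(u32_vni_match(4097), vni_of(pkt), inner_frame(pkt))
    print(inbound_verdict(pkt, 4097, rules_installed=True),
          inbound_verdict(pkt, 4097, rules_installed=False))
```

The point of the model is the last function: the DROP rule is the only thing standing between a plaintext VXLAN datagram and the container's network stack, and the outgoing side has the same shape. When the rule is absent, nothing in the data path notices, which is why the advisory describes the failure as silent.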

Patches are available in Moby releases 23.0.3 and 20.10.24. Mirantis Container Runtime users should update to 20.10.16.

Workarounds

Two independent measures are available; both are worth applying until the patched release is deployed:

- Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary, so that plaintext VXLAN datagrams cannot leak over the Internet even if the enforcement rules are missing. This does not protect traffic between nodes on the same network segment.
- Ensure that the xt_u32 kernel module is available on every node of the Swarm cluster, since the iptables rules that enforce encryption depend on it.
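The following is an added Python example for auditing a node against these workarounds; it is not part of the advisory or of Moby. It extracts the VNIs of encrypted overlay networks from `docker network inspect` output, checks `iptables -S INPUT` for the plaintext-VXLAN DROP rule of each VNI, checks whether xt_u32 is present, and emits a boundary rule for the first workaround. The inspect JSON and iptables listing are constructed samples. Assumptions to verify on your own hosts: the option keys `encrypted` and `com.docker.network.driver.overlay.vxlanid_list` as recorded by the overlay driver, the hex rendering iptables uses when printing u32 expressions, and the external interface name passed to `boundary_egress_rule`.

```python
import json
import re
import subprocess

VXLAN_PORT = 4789
_NUM = re.compile(r"0x[0-9a-fA-F]+|\d+")

# Constructed sample of `docker network inspect` output for two overlay networks.
SAMPLE_INSPECT = json.dumps([
    {"Name": "secure-net", "Driver": "overlay",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097", "encrypted": ""}},
    {"Name": "plain-net", "Driver": "overlay",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098"}},
])

# Constructed `iptables -S INPUT` listings: a node with the rules for VNI 4097 in place,
# and a node where they were never installed (the xt_u32-missing case).
SAMPLE_INPUT_OK = """-P INPUT ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 4789 -m u32 --u32 "0x0>>0x16&0x3c@0xc&0xffffff00=0x100100" -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0x0>>0x16&0x3c@0xc&0xffffff00=0x100100" -j DROP
"""
SAMPLE_INPUT_NO_U32 = "-P INPUT ACCEPT\n"


def u32_vni_match(vni):
    """u32 expression selecting plaintext VXLAN datagrams for one VNI (Moby's decimal form)."""
    return "0>>22&0x3C@12&0xFFFFFF00=%d" % (vni << 8)


def _canon(expr):
    """iptables -S prints u32 expressions quoted and in hex; rewrite every number as decimal
    so "0x0>>0x16&0x3c@0xc&0xffffff00=0x100100" compares equal to u32_vni_match(4097)."""
    return _NUM.sub(lambda m: str(int(m.group(0), 0)), expr.strip('"'))


def encrypted_vnis(inspect_json):
    """VNIs of overlay networks whose options carry the 'encrypted' flag (assumed key)."""
    vnis = set()
    for net in json.loads(inspect_json):
        opts = net.get("Options") or {}
        if net.get("Driver") == "overlay" and "encrypted" in opts:
            ids = opts.get("com.docker.network.driver.overlay.vxlanid_list", "")
            vnis.update(int(v) for v in ids.split(",") if v)
    return sorted(vnis)


def vnis_missing_drop_rule(iptables_s, vnis):
    """VNIs for which the INPUT listing shows no plaintext-VXLAN DROP rule."""
    wanted = {_canon(u32_vni_match(v)): v for v in vnis}
    present = set()
    for line in iptables_s.splitlines():
        if not (line.startswith("-A INPUT") and "--dport %d" % VXLAN_PORT in line
                and "-j DROP" in line):
            continue
        m = re.search(r'--u32 ("[^"]*"|\S+)', line)
        if m and _canon(m.group(1)) in wanted:
            present.add(wanted[_canon(m.group(1))])
    return sorted(set(vnis) - present)


def boundary_egress_rule(external_interface):
    """Rule for the edge firewall's FORWARD chain: no VXLAN may leave towards the Internet."""
    return ["iptables", "-I", "FORWARD", "-o", external_interface,
            "-p", "udp", "--dport", str(VXLAN_PORT), "-j", "DROP"]


def audit_live_node():
    """Run the checks on a real Swarm node (needs root, iptables and the docker CLI)."""
    have_u32 = subprocess.run(["modinfo", "xt_u32"], capture_output=True).returncode == 0
    ids = subprocess.run(["docker", "network", "ls", "-q", "--filter", "driver=overlay"],
                         capture_output=True, text=True, check=True).stdout.split()
    vnis = encrypted_vnis(subprocess.run(["docker", "network", "inspect", *ids],
                                         capture_output=True, text=True, check=True).stdout) if ids else []
    rules = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True, text=True, check=True).stdout
    return {"xt_u32": have_u32, "encrypted_vnis": vnis, "missing": vnis_missing_drop_rule(rules, vnis)}


if __name__ == "__main__":
    print(encrypted_vnis(SAMPLE_INSPECT))
    print(vnis_missing_drop_rule(SAMPLE_INPUT_OK, [4097]), vnis_missing_drop_rule(SAMPLE_INPUT_NO_U32, [4097]))
    print(" ".join(boundary_egress_rule("eth0")))
```

Run `audit_live_node()` on every node that has tasks on an encrypted network: a node only programs the rules for networks it has joined, so an empty list on an idle worker is expected, while a missing VNI on a node that is carrying the network's traffic means that traffic is leaving in plaintext. The boundary rule limits exposure to the local segment; it is a containment measure, not a fix.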

References

- Original CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28841
- Moby GitHub Repository: https://github.com/moby/moby
- SwarmKit GitHub Repository: https://github.com/docker/swarmkit
- VXLAN Protocol Specification: https://tools.ietf.org/html/rfc7348
- IPsec Encapsulating Security Payload (ESP) Protocol: https://tools.ietf.org/html/rfc4303

Example Code Snippet

The snippet below is an illustrative Python sketch of the three rules described above, not Moby's Go implementation. It invokes iptables through subprocess and fails loudly if a rule cannot be installed, which is exactly the behaviour the vulnerable versions lacked.

import subprocess

VXLAN_PORT = 4789  # default VXLAN UDP port


def setup_iptables_rules(vni, mark="0xd0c4e3"):  # mark: fwmark the node's xfrm policy selects on (illustrative value)
    """Mark outgoing VXLAN for IPsec; accept incoming VXLAN only if it arrived via IPsec, else drop it."""
    # xt_u32: after the IPv4 header, 12 bytes into UDP (8 UDP + 4 VXLAN flags) is the word holding VNI<<8
    match = ["-p", "udp", "--dport", str(VXLAN_PORT), "-m", "u32", "--u32", "0>>22&0x3C@12&0xFFFFFF00=%d" % (vni << 8)]
    for rule in (["-t", "mangle", "-I", "OUTPUT", *match, "-j", "MARK", "--set-mark", mark],
                 ["-I", "INPUT", *match, "-j", "DROP"],   # inserted first so the ACCEPT below lands above it
                 ["-I", "INPUT", "-m", "policy", "--dir", "in", "--pol", "ipsec", *match, "-j", "ACCEPT"]):
        # check=True: a failed insert (e.g. xt_u32 missing) raises instead of silently leaving plaintext flowing
        subprocess.run(["iptables", *rule], check=True)

Conclusion

To keep Moby-based container deployments secure, upgrade affected Moby releases to a patched version or apply the recommended workarounds, and verify on each node that the enforcement rules are actually present. Doing so prevents the unintentional disclosure of sensitive information and preserves the confidentiality and integrity that an encrypted overlay network is meant to provide.

Timeline

Published on: 04/04/2023 22:15:00 UTC
Last modified on: 04/14/2023 15:46:00 UTC