Moby is an open-source container framework developed by Docker Inc. It is distributed as Docker, as Mirantis Container Runtime, and through various other downstream projects and products. A vulnerability, CVE-2023-28842, has been identified in the Moby daemon component (dockerd), commonly referred to simply as *Docker*. It affects Swarm Mode, the built-in container orchestrator that ships by default with dockerd.

The vulnerability lies in the overlay network driver used by Swarm Mode, which supports an optional encrypted mode. Encryption is implemented with the IPsec Encapsulating Security Payload (ESP) protocol in transport mode, which is intended to provide source authentication, data integrity, and confidentiality for the VXLAN traffic between nodes. However, encrypted overlay networks silently accept cleartext VXLAN datagrams (UDP port 4789) that are tagged with the VNI of an encrypted overlay network. Because VXLAN carries no authentication of its own and the 24-bit VNI is the only thing selecting the network, anyone who can reach UDP/4789 on a node can inject arbitrary Ethernet frames into the encrypted overlay network simply by encapsulating them in VXLAN datagrams with the right VNI.

For a more in-depth analysis of the implications, refer to GHSA-vwm3-crmr-xfxw. Patches addressing this vulnerability are available in Moby releases 23.0.3 and 20.10.24. Users of Mirantis Container Runtime should update to 20.10.16, as its release numbering differs from Moby's.

Until the patched version can be deployed, the following workarounds mitigate the vulnerability:

1. In multi-node clusters, deploy a global 'pause' container for each encrypted overlay network on every node, so that each node has an endpoint on the network.
2. For single-node clusters, avoid overlay networks altogether and use bridge networks instead; they provide the same connectivity on a single node without the multi-node features.
3. Stop using the Swarm ingress network: publish ports in host mode instead of ingress mode, place an external load balancer in front of the nodes, and remove the ingress network.
4. In environments where only encrypted overlay networks are in use, block UDP port 4789 for any traffic that has not been validated by IPsec (that is, traffic that did not arrive through an ESP security association).

The Moby project has acknowledged this vulnerability and recommends that affected users update to the patched versions or apply the workarounds above. The patched versions address the issue by creating iptables rules that prevent encrypted overlay networks from accepting unencrypted VXLAN packets: datagrams on UDP/4789 tagged with an encrypted network's VNI are accepted only if they were validated by IPsec, and dropped otherwise. To follow the progress and discussion regarding this vulnerability, see the original Moby issue and the Moby PR.
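The following is an added illustration, not code from Moby or libnetwork, covering both the injection primitive described above and the behaviour of the patched filter. It builds a VXLAN datagram (RFC 7348 header: flags, reserved, 24-bit VNI, reserved) around a constructed Ethernet frame to show that nothing beyond the VNI is needed to tag a cleartext datagram for an encrypted network, and it models two INPUT decisions for UDP/4789 traffic: the pre-fix one, which delivers any VXLAN datagram, and the post-fix one, which accepts a datagram tagged with an encrypted VNI only when it arrived through an IPsec SA (the check an iptables `policy` match expresses). The VNI values, MAC addresses, and the `via_ipsec` flag standing in for the kernel's IPsec policy state are assumptions made for the example.

```python
"""Toy model of the CVE-2023-28842 injection primitive and the patched filter.
Added illustration only; not Moby/libnetwork code. All VNIs, MACs and the
`via_ipsec` flag are constructed for the example."""
import struct

VXLAN_PORT = 4789       # UDP port the overlay driver listens on
VXLAN_FLAG_I = 0x08     # RFC 7348 "I" flag: the VNI field is valid


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN datagram payload: flags(1) reserved(3) VNI(3) reserved(1) + Ethernet frame.
    No key or secret is involved; an attacker only needs the 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3s3sB", VXLAN_FLAG_I, b"\x00\x00\x00", vni.to_bytes(3, "big"), 0)
    return header + inner_frame


def parse_vxlan(datagram: bytes):
    """Return (vni, inner_frame), or None if this is not a VXLAN datagram with a valid VNI."""
    if len(datagram) < 8:
        return None
    flags, _, vni_bytes, _ = struct.unpack("!B3s3sB", datagram[:8])
    if not flags & VXLAN_FLAG_I:
        return None
    return int.from_bytes(vni_bytes, "big"), datagram[8:]


def unpatched_decision(dst_port: int, via_ipsec: bool, datagram: bytes, encrypted_vnis: set) -> str:
    """Pre-fix behaviour: every UDP/4789 datagram reaches the VXLAN device, which keys
    only on the VNI, so a cleartext datagram tagged with an encrypted VNI is delivered."""
    if dst_port != VXLAN_PORT:
        return "pass"          # rule does not apply to other traffic
    return "accept"


def patched_decision(dst_port: int, via_ipsec: bool, datagram: bytes, encrypted_vnis: set) -> str:
    """Model of the fixed INPUT chain: accept UDP/4789 that arrived through an IPsec SA
    (authenticated by ESP); otherwise drop it if it is tagged with an encrypted network's
    VNI. Unencrypted overlays keep working because their VNIs are not in the set."""
    if dst_port != VXLAN_PORT:
        return "pass"
    if via_ipsec:
        return "accept"
    parsed = parse_vxlan(datagram)
    if parsed is not None and parsed[0] in encrypted_vnis:
        return "drop"
    return "accept"


def demo() -> dict:
    """Constructed scenario: VNI 4097 is an encrypted overlay, VNI 4098 an unencrypted one."""
    encrypted_vnis = {4097}
    frame = build_ethernet(b"\x02\x42\x0a\x00\x00\x03",   # constructed container MAC
                           b"\x02\x42\x0a\x00\x00\x99",   # constructed attacker MAC
                           0x0800, b"injected IPv4 payload")
    injected = build_vxlan(4097, frame)     # cleartext, tagged with the encrypted VNI
    legit_plain = build_vxlan(4098, frame)  # cleartext on an unencrypted overlay
    return {
        "injected_before_fix": unpatched_decision(VXLAN_PORT, False, injected, encrypted_vnis),
        "injected_after_fix": patched_decision(VXLAN_PORT, False, injected, encrypted_vnis),
        "esp_protected_after_fix": patched_decision(VXLAN_PORT, True, injected, encrypted_vnis),
        "plain_overlay_after_fix": patched_decision(VXLAN_PORT, False, legit_plain, encrypted_vnis),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `via_ipsec` parameter is the one thing the example cannot fake faithfully: on a real node the kernel decapsulates ESP first and then re-injects the inner UDP/4789 datagram, and the firewall distinguishes the two by the IPsec policy attached to the packet rather than by anything in the datagram bytes. That is also why workaround 4 phrases the condition as "not validated by IPsec" rather than as a port or VNI match alone.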

Timeline

Published on: 04/04/2023 22:15:00 UTC
Last modified on: 04/14/2023 15:55:00 UTC