CVE-2023-28840
Denial of Service vulnerability in docker (Go)
What is CVE-2023-28840 About?
This vulnerability affects Moby's Swarm Mode encrypted overlay networks on specific Red Hat Enterprise Linux (RHEL) derivatives, allowing unencrypted VXLAN datagrams to be silently accepted. This can lead to a Denial of Service by injecting arbitrary Ethernet frames. Exploitation is complex, requiring specific kernel module unavailability and network access, making it difficult to achieve a substantial impact.
Affected Software
- github.com/docker/docker
  - >23.0.0, <23.0.3
  - >1.12.0, <20.10.24+incompatible
  - >1.12.0, <20.10.24
Technical Details
Moby's Swarm Mode encrypted overlay networks are designed to enforce IPSec encapsulation for VXLAN datagrams using iptables rules that filter on the VXLAN Network ID (VNI) via the xt_u32 kernel module. On RHEL 8.3/8.6 (where xt_u32 is moved/deprecated) and RHEL 9 (where it's removed), these crucial iptables rules are not created. Consequently, encrypted overlay networks on affected configurations silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted network, bypassing the intended encryption and authentication. An attacker can then inject arbitrary Ethernet frames encapsulated in VXLAN datagrams into the 'encrypted' overlay network, which can lead to a denial of service due to traffic disruption or potentially more sophisticated attacks by bypassing firewalls or smuggling packets.
What is the Impact of CVE-2023-28840?
Successful exploitation may allow attackers to inject arbitrary Ethernet frames into encrypted overlay networks, potentially leading to a denial of service, bypassing network segmentation, or facilitating further advanced attacks by enabling outbound connections.
What is the Exploitability of CVE-2023-28840?
Exploitation of this vulnerability is complex and requires specific environmental conditions: network access to the Swarm cluster's VXLAN port (default UDP 4789) and a target node on which the xt_u32 kernel module is unavailable (e.g., Red Hat Enterprise Linux 8.3+, RHEL 9). No authentication is required to inject the VXLAN datagrams themselves beyond that network access, and no privileges on the target are needed for exploitation; the precondition is a host configured without xt_u32. The attack is remote, carried out by sending specially crafted VXLAN datagrams over the network. The target must be a node in a Moby Swarm cluster that uses an encrypted overlay network and runs an OS where xt_u32 is unavailable or not loaded. The risk increases if the VXLAN port is exposed without proper firewalling at the internet boundary.
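An added audit helper for the conditions described under Technical Details and Exploitability (this is not code from the Moby project or from this advisory): it parses `iptables-save` output and reports which encrypted-network VNIs lack the per-VNI u32 DROP rule that should block cleartext VXLAN datagrams, and checks whether the kernel can resolve xt_u32 at all. The rule shape and the u32 expression `0>>22&0x3C@12&0xFFFFFF00=<vni<<8>` are my reconstruction of libnetwork's filter, and both sample dumps are constructed.

```python
"""Audit a Swarm node's INPUT chain for the per-VNI cleartext-VXLAN DROP rule."""
import re
import subprocess

VXLAN_PORT = 4789
_NUM = re.compile(r"0x[0-9a-fA-F]+|\d+")
# One iptables-save rule per line; the rule shape is an assumption, not libnetwork's exact output.
_U32_DROP = re.compile(r'^-A INPUT .*--dport (\d+) .*-m u32 --u32 "([^"]+)" -j DROP$', re.M)

def vni_u32_match(vni: int) -> str:
    """u32 test for 'VXLAN datagram carrying vni': 0>>22&0x3C is the IPv4 header length,
    @12 skips the 8-byte UDP header plus the 4-byte VXLAN flags word, and the top 24 bits
    of the next word are the VNI (hence the 0xFFFFFF00 mask and vni << 8)."""
    return f"0>>22&0x3C@12&0xFFFFFF00={vni << 8}"

def _canonical(expr: str) -> str:
    """iptables-save re-renders u32 numbers in hex; normalise either form to decimal."""
    return _NUM.sub(lambda m: str(int(m.group(0), 0)), expr)

def protected_vnis(iptables_save: str, port: int = VXLAN_PORT) -> set:
    """VNIs that have a DROP rule on the VXLAN port with the expected u32 match."""
    found = set()
    for rule_port, expr in _U32_DROP.findall(iptables_save):
        canon = _canonical(expr)
        if int(rule_port) != port or "=" not in canon:
            continue
        vni = int(canon.rsplit("=", 1)[1]) >> 8
        if canon == _canonical(vni_u32_match(vni)):  # whole expression must match, not just the VNI
            found.add(vni)
    return found

def unprotected_vnis(iptables_save: str, encrypted_vnis, port: int = VXLAN_PORT) -> set:
    """Encrypted-network VNIs that would currently accept cleartext VXLAN datagrams."""
    return set(encrypted_vnis) - protected_vnis(iptables_save, port)

def xt_u32_available() -> bool:
    """Dry-run modprobe: exit status 0 only if the kernel can resolve the xt_u32 module."""
    return subprocess.run(["modprobe", "-n", "-q", "xt_u32"], check=False).returncode == 0

# Constructed samples: a node whose rules exist for VNIs 4097 (decimal) and 4098 (hex, as
# iptables-save prints them), and an affected node where the u32 rules were never created.
HEALTHY = """\
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=1048832" -j DROP
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0x0>>0x16&0x3c@0xc&0xffffff00=0x100200" -j DROP
-A INPUT -p udp -m udp --dport 4789 -m policy --dir in --pol ipsec -j ACCEPT
"""
AFFECTED = '-A INPUT -p udp -m udp --dport 4789 -m policy --dir in --pol ipsec -j ACCEPT\n'
```

On a live node, feed the output of `iptables-save` to `unprotected_vnis` together with the VNIs of the Swarm's encrypted overlay networks; any VNI returned, or `xt_u32_available()` returning False, means the node is in the affected configuration until upgraded.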
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28840?
Available Upgrade Options
- github.com/docker/docker
  - >1.12.0, <20.10.24 → Upgrade to 20.10.24
  - >1.12.0, <20.10.24+incompatible → Upgrade to 20.10.24+incompatible
  - >23.0.0, <23.0.3 → Upgrade to 23.0.3
Additional Resources
- https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p
- https://nvd.nist.gov/vuln/detail/CVE-2023-28840
- https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333
- https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237
- https://github.com/moby/moby/issues/43382
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp
- https://osv.dev/vulnerability/GO-2023-1699
What are Similar Vulnerabilities to CVE-2023-28840?
Similar Vulnerabilities: CVE-2023-28841, CVE-2023-28842, CVE-2020-13401, CVE-2022-23772, CVE-2022-30065
