CVE-2023-28841
Information Disclosure vulnerability in docker (Go)
What is CVE-2023-28841 About?
This vulnerability in Moby (Docker Engine) affects Swarm Mode's encrypted overlay networks on specific Linux distributions due to missing iptables rules for IPSec. It leads to the silent transmission of unencrypted data, despite the network being configured for encryption. This allows an attacker in a trusted network position to eavesdrop on application traffic, leading to sensitive information disclosure.
Affected Software
- github.com/docker/docker
  - >23.0.0, <23.0.3
  - >1.12.0, <20.10.24+incompatible
  - >1.12.0, <20.10.24
Technical Details
The vulnerability arises in Moby's Swarm Mode when encrypted overlay networks are used on Red Hat Enterprise Linux (RHEL) and its derivatives, particularly where the xt_u32 kernel module is unavailable or deprecated. Moby uses iptables rules to enforce IPSec encapsulation on outgoing VXLAN datagrams for encrypted overlay networks. These rules rely on the u32 iptables extension, which is provided by the xt_u32 kernel module, to filter packets based on the VXLAN Network ID (VNI). When xt_u32 is not available, the critical iptables rule responsible for designating outgoing VXLAN packets for IPSec encapsulation is not created. Consequently, even if an encrypted overlay network is configured and appears functional, the VXLAN traffic is transmitted unencrypted, silently bypassing the intended confidentiality and data integrity guarantees. An attacker monitoring the network can then intercept this unencrypted traffic.
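As an added example (not Moby's code and not taken from any of the advisories linked on this page), the following POSIX shell script checks a Swarm node for the failure mode just described: it looks for a mangle-table OUTPUT rule that uses the u32 extension to mark outgoing VXLAN datagrams (UDP 4789), and for negotiated ESP states that show IPsec is actually in use. The exact rule layout, the mark value and the sample command outputs are assumptions constructed for this example; confirm the rule format against the Moby version you run before relying on the pattern.

```shell
#!/bin/sh
# Added example, not Moby's own code. The rule shape assumed here (mangle table,
# OUTPUT chain, UDP 4789, "-m u32", "-j MARK") and the sample outputs below are
# constructed for illustration; verify them against your Moby version.

# Return 0 if the supplied `iptables -t mangle -S OUTPUT` text contains a rule
# that marks outgoing VXLAN datagrams (UDP 4789) using the u32 extension.
has_vxlan_mark_rule() {
    printf '%s\n' "$1" | grep -q -- '-p udp.*--dport 4789.*-m u32.*-j MARK'
}

# Return 0 if the supplied `ip xfrm state` text shows at least one ESP SA,
# i.e. IPsec security associations exist between swarm nodes.
has_esp_state() {
    printf '%s\n' "$1" | grep -q 'proto esp'
}

# Combine both checks into a single verdict string.
#   ok                - rule present and ESP states exist
#   mark-rule-missing - SAs exist but nothing steers VXLAN into them: plaintext
#   no-ipsec          - no ESP states at all (no encrypted overlay in use)
verdict() {
    rules="$1"
    xfrm="$2"
    if has_vxlan_mark_rule "$rules" && has_esp_state "$xfrm"; then
        echo "ok"
    elif has_esp_state "$xfrm"; then
        echo "mark-rule-missing"
    else
        echo "no-ipsec"
    fi
}

# Constructed sample outputs (not captured from a real host).
RULES_OK='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=1048576" -j MARK --set-xmark 0xd0c4e3/0xffffffff'
RULES_MISSING='-P OUTPUT ACCEPT'
XFRM_OK='src 10.0.0.1 dst 10.0.0.2
	proto esp spi 0x6ad67a5f reqid 0 mode transport'
XFRM_EMPTY=''

# Live mode: run the same checks against this host when invoked with "live".
if [ "${1:-}" = "live" ]; then
    if ! modinfo xt_u32 >/dev/null 2>&1; then
        echo "warning: xt_u32 module not available on this kernel"
    fi
    verdict "$(iptables -t mangle -S OUTPUT 2>/dev/null)" "$(ip xfrm state 2>/dev/null)"
fi
```

A `mark-rule-missing` verdict is the case this advisory describes: IPsec tunnels were set up, but with no marking rule the VXLAN datagrams never enter them. As a second, independent confirmation from the wire, capturing on the node's interface with `tcpdump -ni <iface> udp port 4789` should show nothing on a correctly working encrypted overlay (only ESP), whereas on an affected host the VXLAN frames appear in the clear.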
What is the Impact of CVE-2023-28841?
Successful exploitation may allow attackers to gain unauthorized access to sensitive application traffic, including secrets and user data, leading to a breach of confidentiality.
What is the Exploitability of CVE-2023-28841?
Exploitation does not require any interaction with the Moby daemon or control of the host where Moby runs. Instead, it depends on a specific deployment configuration: running Swarm Mode with encrypted overlay networks on affected RHEL distributions where xt_u32 is missing. The attacker needs a 'trusted position on the network', that is, access to the links carrying the overlay network's traffic, in order to intercept it. No authentication or privileges on the Docker host are required, because the underlying misconfiguration is created at deployment time. This is a passive remote compromise: the attacker only monitors network traffic. The essential prerequisite is the use of encrypted overlay networks on an affected RHEL system, so the vulnerability is systemic rather than triggered by adversarial input. The risk is high on such platforms because the encryption fails silently.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28841?
Available Upgrade Options
- github.com/docker/docker
  - >1.12.0, <20.10.24+incompatible → Upgrade to 20.10.24+incompatible
  - >1.12.0, <20.10.24 → Upgrade to 20.10.24
  - >23.0.0, <23.0.3 → Upgrade to 23.0.3
Additional Resources
- https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p
- https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333
- https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237
- https://github.com/moby/moby/issues/43382
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp
- https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207
- https://osv.dev/vulnerability/GO-2023-1700
- https://nvd.nist.gov/vuln/detail/CVE-2023-28841
What are Similar Vulnerabilities to CVE-2023-28841?
Similar Vulnerabilities: CVE-2023-28840, CVE-2023-28842, CVE-2022-30588, CVE-2022-23473, CVE-2021-3564
