CVE-2023-28842
Authentication Bypass vulnerability in docker (Go)
What is CVE-2023-28842 About?
This vulnerability is an authentication bypass in Docker Swarm's encrypted overlay network when configured with a single endpoint. It allows unauthorized access to the network, potentially compromising the integrity and confidentiality of communications. Exploitation is likely straightforward due to the lack of proper authentication.
Affected Software
- github.com/docker/docker
- >23.0.0, <23.0.3
- >1.12.0, <20.10.24+incompatible
- >1.12.0, <20.10.24
Technical Details
The vulnerability lies within Docker Swarm's encrypted overlay network implementation when it operates with a single endpoint. In this specific configuration, the network fails to enforce authentication mechanisms, rendering it insecure. Attackers can leverage this lack of authentication to gain unauthorized entry into the network, bypassing expected security controls that should protect network communications and resources.
What is the Impact of CVE-2023-28842?
Successful exploitation may allow attackers to gain unauthorized access to the network, intercept or inject network traffic, and compromise the integrity and confidentiality of data transmitted within the Docker Swarm environment.
What is the Exploitability of CVE-2023-28842?
Exploitation of this vulnerability is likely low to medium complexity, as it primarily involves identifying a misconfigured Docker Swarm setup (single endpoint encrypted overlay network) and then directly accessing the unauthenticated network. There are no authentication requirements as the vulnerability explicitly states a lack of authentication. Privilege requirements are minimal on the attacker's side once network access is achieved. This is a remote vulnerability, allowing attackers to target vulnerable Swarm networks from external locations. The key special condition is the specific configuration of the Docker Swarm network. Risk factors that increase exploit likelihood include publicly exposed Docker Swarm environments and a lack of proper network segmentation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-28842?
Available Upgrade Options
- github.com/docker/docker
- >1.12.0, <20.10.24+incompatible → Upgrade to 20.10.24+incompatible
- github.com/docker/docker
- >1.12.0, <20.10.24 → Upgrade to 20.10.24
- github.com/docker/docker
- >23.0.0, <23.0.3 → Upgrade to 23.0.3
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333
- https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- https://nvd.nist.gov/vuln/detail/CVE-2023-28842
- https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333
- https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp
- https://github.com/moby/moby
- https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237
- https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237
What are Similar Vulnerabilities to CVE-2023-28842?
Similar Vulnerabilities: CVE-2021-41091 , CVE-2020-13437 , CVE-2019-14271 , CVE-2018-1002102 , CVE-2017-15688
