PT-2020-12547 · Weave · Weave Net

Morancj · Published 2020-06-03 · Updated 2024-08-21 · CVE-2020-11091

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Weave Net versions prior to 2.6.3

Description

An attacker able to run a process as root in a container can respond to DNS requests from the host and insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host, it may be unconfigured or configured on some interfaces. The combination of IPv6 forwarding being disabled and the host accepting router advertisements means that the host can be reconfigured using rogue router advertisements. This allows an attacker to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container. Even without initial IPv6 traffic, if the DNS returns both A and AAAA records, many HTTP libraries will try to connect via IPv6 first, giving the attacker an opportunity to respond.

Recommendations

As a workaround for Weave Net versions prior to 2.6.3, do not run containers with the CAP_NET_RAW capability. To resolve the issue, update to Weave Net version 2.6.3, which disables the accept_ra option on the veth devices that it creates.
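
To check a host for the condition described above (router advertisements accepted while IPv6 forwarding is disabled), the following audit lists the interfaces whose settings would let a router advertisement reconfigure them. It is an added example, not code from Weave Net or from this advisory; the function names and the optional directory argument are assumptions made for illustration.

```shell
# Added example. Assumption: Linux exposes per-interface IPv6 settings under
# /proc/sys/net/ipv6/conf/<iface>/ ; the optional argument points the audit
# at a copy of that tree instead (useful for offline review).

# read_setting FILE -> prints the value in FILE, or 0 if it cannot be read
read_setting() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# accepts_ra DIR -> exit status 0 if this interface would act on a router
# advertisement. Kernel semantics: accept_ra=0 never, accept_ra=1 only while
# forwarding is disabled, accept_ra=2 even when forwarding is enabled.
accepts_ra() {
    [ "$(read_setting "$1/disable_ipv6")" = 1 ] && return 1
    case "$(read_setting "$1/accept_ra")" in
        2) return 0 ;;
        1) [ "$(read_setting "$1/forwarding")" = 0 ] ;;
        *) return 1 ;;
    esac
}

# audit_ra [CONF_ROOT] -> prints one line per interface that accepts RAs
audit_ra() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # "all" is not a device. "default" is kept: newly created
        # interfaces, veth pairs included, copy their settings from it.
        [ "$name" = all ] && continue
        if accepts_ra "$dir"; then
            echo "$name accept_ra=$(read_setting "$dir/accept_ra") forwarding=$(read_setting "$dir/forwarding")"
        fi
    done
}

# Usage: audit_ra            (live host)
#        audit_ra /path/to/copied/conf/tree
```

An empty result means no interface, and no template for new interfaces, would accept a router advertisement in its current configuration.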

Fix


Weakness Enumeration

Related Identifiers

CVE-2020-11091
GHSA-59QG-GRP7-5R73
GO-2022-0794

Affected Products

Weave Net