PT-2022-6526 · Mirantis +7 · Mirantis Container Runtime +7
Corhere · Published 2022-03-15 · Updated 2025-10-11 · CVE-2023-28840
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Moby versions prior to 23.0.3
Moby versions prior to 20.10.24
Mirantis Container Runtime versions prior to 20.10.16
Description
The issue stems from an unprotected alternate channel in Swarm Mode of the Moby daemon component. An attacker able to inject arbitrary Ethernet frames can smuggle packets into the overlay network; this enables a denial of service and could allow a sophisticated attacker to establish a UDP or TCP connection by way of the container's outbound gateway that a stateful firewall would otherwise block. Encrypted overlay networks work by encapsulating VXLAN datagrams with the IPsec Encapsulating Security Payload (ESP) protocol in transport mode. However, the rules Moby installs to discard unencrypted VXLAN datagrams can be overridden by administrator-set rules, so unencrypted datagrams that should have been discarded may be admitted.
Recommendations
Update to Moby release 23.0.3 or later.
Update to Moby release 20.10.24 or later.
Update to Mirantis Container Runtime release 20.10.16 or later.
As a temporary workaround, consider closing the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection.
Ensure that the xt_u32 kernel module is available on all nodes of the Swarm cluster.
Exploit
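The override the description refers to is a matter of chain ordering: iptables evaluates a chain top to bottom and the first matching rule wins, so an administrator rule accepting UDP/4789 inserted above the daemon's DROP silently admits plaintext VXLAN. The following is an added audit helper, not Moby's code; the rule shapes in the sample dumps (an IPsec-policy-gated ACCEPT followed by an unconditional DROP) are constructed for illustration, as is the `audit_vxlan_chain` function name.

```python
import re

VXLAN_PORT = 4789  # default VXLAN UDP port named in the workaround

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)\s*$")
PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
DPORT_RE = re.compile(r"--dport\s+(\d+)")


def could_match_vxlan(spec: str) -> bool:
    """True if a rule's match part can match a UDP/4789 datagram.
    Unspecified protocol or port counts as 'any' (conservative): a bare
    '-j ACCEPT' above the DROP shadows it just as a port-specific one does."""
    proto = PROTO_RE.search(spec)
    dport = DPORT_RE.search(spec)
    return (proto is None or proto.group(1) == "udp") and (
        dport is None or int(dport.group(1)) == VXLAN_PORT)


def audit_vxlan_chain(dump: str, chain: str = "INPUT") -> dict:
    """Walk one chain of an iptables-save dump top to bottom (first match wins).
    plaintext_dropped is True when a DROP covering plaintext VXLAN is reached
    before any ACCEPT that does not require an IPsec policy match; otherwise
    the first such ACCEPT is returned as shadowing_rule (None if no DROP)."""
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(1) != chain:
            continue
        spec, target = m.group(2), m.group(3)
        if not could_match_vxlan(spec):
            continue
        if target == "ACCEPT" and "--pol ipsec" not in spec:
            return {"plaintext_dropped": False, "shadowing_rule": line.strip()}
        if target == "DROP":
            return {"plaintext_dropped": True, "shadowing_rule": None}
    return {"plaintext_dropped": False, "shadowing_rule": None}


# Constructed dumps (not captured from a real host): an IPsec-gated ACCEPT
# followed by an unconditional DROP, then the same chain with an operator's
# broad UDP ACCEPT inserted above them, the override the advisory describes.
SAFE_DUMP = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 4789 -j ACCEPT
-A INPUT -p udp --dport 4789 -j DROP
COMMIT
"""
SHADOWED_DUMP = SAFE_DUMP.replace(
    ":INPUT ACCEPT [0:0]\n", ":INPUT ACCEPT [0:0]\n-A INPUT -p udp -j ACCEPT\n")
```

Feed it the output of `iptables-save` from each Swarm node; a non-None `shadowing_rule` is the rule to move below the daemon's DROP or to narrow.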
Fix
DoS
Improper Handling of Exceptional Conditions
Side Channel Attack
Missing Encryption of Sensitive Data
Affected Products
Astra Linux
Debian
Docker
Linuxmint
Mirantis Container Runtime
Red Os
Suse
Ubuntu