PT-2024-2427 · Docker+7 · Moby+8
Cibofo
Published 2024-03-19 · Updated 2026-03-27
CVE-2024-29018
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Moby versions prior to 23.0.11
Moby versions prior to 25.0.4
Moby versions prior to 26.0.0
Description
The issue lies in the networking implementation of Moby, which allows the creation of custom networks with their own IP address range and gateway. A container attached to an internal network is supposed to be cut off from every network the host can reach. However, because of how the dockerd service handles name resolution, internal networks can unexpectedly forward DNS requests to an external nameserver. An attacker who has compromised a container can exploit this to exfiltrate data by encoding it in DNS queries. A network is designated as internal with the --internal flag, or with the internal attribute of a network in a docker-compose.yml file.
Recommendations
For Moby versions prior to 23.0.11, update to version 23.0.11 or later to prevent forwarding DNS requests from internal networks.
For Moby versions prior to 25.0.4, update to version 25.0.4 or later to prevent forwarding DNS requests from internal networks.
For Moby versions prior to 26.0.0, update to version 26.0.0 or later to prevent forwarding DNS requests from internal networks.
As a temporary workaround, run containers that are meant to be attached only to internal networks with a custom upstream DNS address; this forces all upstream DNS queries to be sent from the container's own network namespace, where the internal network's isolation applies.
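As an added illustration (not from the advisory or the Moby project), a docker-compose.yml that places the default, exposed configuration beside the workaround; the service names, image, subnet and the resolver address 10.200.0.53 are constructed for the example and assume a resolver reachable only on the internal network.

```yaml
services:
  # Exposed: the service sits on an internal-only network, but no per-container
  # DNS is configured, so unresolved queries are forwarded by dockerd's embedded
  # resolver to the host's upstream nameserver from the host's network
  # namespace, and DNS traffic still leaves the internal network.
  app-default:
    image: alpine:3.19            # constructed placeholder image
    command: ["sleep", "infinity"]
    networks:
      - backend

  # Workaround for unpatched Moby: pin a custom upstream address. Queries are
  # then sent to that address from inside the container's own network
  # namespace, where the internal network's isolation applies, so they cannot
  # reach an external nameserver.
  app-workaround:
    image: alpine:3.19
    command: ["sleep", "infinity"]
    dns:
      - 10.200.0.53               # constructed: resolver reachable only on 'backend'
    networks:
      - backend

networks:
  backend:
    internal: true                # marks the network internal (no external routing)
    ipam:
      config:
        - subnet: 10.200.0.0/24   # constructed subnet for the example
```

The equivalent for a single container started with docker run is `--network backend --dns 10.200.0.53`.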
Affected Products
Alt Linux
Astra Linux
Debian
Docker
Linuxmint
Moby
Red Os
Suse
Ubuntu