CVE-2023-28840

7.5 HIGH

📋 TL;DR

This vulnerability in Docker/Moby's Swarm Mode allows attackers to inject arbitrary Ethernet frames into encrypted overlay networks when administrator iptables rules take precedence over Docker's security rules. This can lead to denial of service or potential packet smuggling. Affected users include anyone running Docker/Moby with Swarm Mode enabled and encrypted overlay networks.

💻 Affected Systems

Products:
  • Docker
  • Moby
  • Mirantis Container Runtime
Versions: All versions before Moby 23.0.3 and 20.10.24 (Mirantis Container Runtime before 20.10.16)
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only affects systems with Swarm Mode enabled and encrypted overlay networks configured (encrypted mode is off by default).

⚠️ Risk & Real-World Impact

🔴 Worst Case: A sophisticated attacker establishes unauthorized TCP/UDP connections through container gateways, bypassing stateful firewalls to perform network-based attacks or data exfiltration.

🟠 Likely Case: Denial of service through packet injection that disrupts encrypted overlay network communications between containers.

🟢 If Mitigated: Minimal impact if patching or the workarounds below are applied before exploitation attempts.

🌐 Internet-Facing: MEDIUM - Requires access to VXLAN port (UDP 4789) and knowledge of specific VNI values, but automated scanning could identify targets.
🏢 Internal Only: HIGH - Internal attackers with network access to VXLAN traffic can exploit this without internet exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to VXLAN traffic and knowledge of VNI values, but no authentication to Docker daemon is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moby 23.0.3, 20.10.24; Mirantis Container Runtime 20.10.16

Vendor Advisory: https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp

Restart Required: Yes

Instructions:

  1. Stop the Docker daemon.
  2. Update Docker/Moby to a patched version using the package manager.
  3. Restart the Docker daemon.
  4. Restart Swarm services if using encrypted overlay networks.

🔧 Temporary Workarounds

Block VXLAN port at network boundary (Linux)

Close UDP port 4789 to incoming traffic at the internet boundary to prevent VXLAN packet injection. This rule belongs on the boundary firewall, not on the Swarm nodes themselves, which must still accept VXLAN datagrams from peer nodes:

  iptables -A INPUT -p udp --dport 4789 -j DROP

Ensure xt_u32 kernel module availability (Linux)

Load the xt_u32 kernel module on all Swarm cluster nodes so that Docker's iptables filtering for encrypted overlay networks works as intended, and make the change persistent across reboots:

  modprobe xt_u32
  echo 'xt_u32' >> /etc/modules-load.d/docker.conf

🧯 If You Can't Patch

  • Disable encrypted overlay networks and use alternative network security mechanisms
  • Implement network segmentation to isolate VXLAN traffic from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Print the Docker Engine version and list overlay networks whose options mark them as encrypted:

  docker version --format '{{.Server.Version}}' && docker network ls --filter driver=overlay --format '{{.Name}}' | xargs -I {} docker network inspect {} --format '{{.Name}}: {{.Options}}' | grep encrypted

Check Version:

  docker version --format '{{.Server.Version}}'

Verify Fix Applied:

Verify that the Docker version is patched (this pattern matches only the two fix releases exactly; later releases also carry the fix, so compare versions rather than relying on it alone):

  docker version --format '{{.Server.Version}}' | grep -E '23\.0\.3|20\.10\.24'
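As an added example (not from the advisory or the Moby project), the following POSIX shell helpers do the version comparison the grep above only approximates, and flag overlay networks whose options carry the "encrypted" key. The `docker network inspect` output quoted in the comments is constructed; `version_key`, `version_status`, `network_is_encrypted` and `check_host` are names chosen here.

```shell
#!/bin/sh
# Added example: classify a Docker Engine version against the fix versions the
# advisory names (20.10.24 and 23.0.3) and detect encrypted overlay networks.
# Assumes MAJOR.MINOR.PATCH version strings, optionally with a leading "v" or a
# trailing suffix such as "-ce", as printed by
# `docker version --format '{{.Server.Version}}'`.

# Turn "v20.10.23-ce" into one integer key (major*1000000 + minor*1000 + patch)
# so that version ranges can be compared with plain shell arithmetic.
version_key() {
  v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Prints "vulnerable" or "patched". Every release below 20.10.24 is affected,
# as is the 23.0 line before 23.0.3; releases from those fixes onward are not.
version_status() {
  k=$(version_key "$1")
  if [ "$k" -ge 23000003 ]; then echo patched
  elif [ "$k" -ge 20010024 ] && [ "$k" -lt 23000000 ]; then echo patched
  else echo vulnerable
  fi
}

# Given the Options map printed by
# `docker network inspect NET --format '{{.Options}}'`, e.g. (constructed)
#   map[com.docker.network.driver.overlay.vxlanid_list:4097 encrypted:]
# return 0 when the network was created with --opt encrypted.
network_is_encrypted() {
  case "$1" in
    *"[encrypted:"*|*" encrypted:"*) return 0 ;;
  esac
  return 1
}

# Walk the live host: report the engine version status and every encrypted
# overlay network. Only runs when a docker client is on PATH.
check_host() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found"; return 2; }
  ver=$(docker version --format '{{.Server.Version}}') || return 2
  echo "engine $ver: $(version_status "$ver")"
  docker network ls --filter driver=overlay --format '{{.Name}}' |
  while read -r net; do
    opts=$(docker network inspect "$net" --format '{{.Options}}')
    network_is_encrypted "$opts" && echo "encrypted overlay: $net"
  done
}
```

A host is exposed only when `version_status` reports "vulnerable" and at least one overlay network is reported as encrypted.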

📡 Detection & Monitoring

Log Indicators:

  • Unexpected VXLAN packet drops in kernel logs
  • iptables rule conflicts in system logs

Network Indicators:

  • Unusual UDP traffic on port 4789 from unexpected sources
  • Cleartext VXLAN datagrams tagged with the VNI of an encrypted overlay network (legitimate traffic for such a network arrives ESP-encapsulated, not as plain VXLAN)

SIEM Query:

source="kernel" "VXLAN" AND ("drop" OR "reject") OR source="docker" "overlay" "encrypted"
