Bug 1833233 (CVE-2020-13401) - CVE-2020-13401 docker: IPv6 router advertisements allow for MitM attacks
Summary: CVE-2020-13401 docker: IPv6 router advertisements allow for MitM attacks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-13401
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1847150 1842338
Blocks: 1833165
Reported: 2020-05-08 06:30 UTC by Sam Fowler
Modified: 2021-10-28 02:58 UTC
CC List: 7 users

Fixed In Version: docker 19.03.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Docker when it creates network bridges that accept IPv6 router advertisements by default. This flaw allows an attacker who can execute code in a container to possibly spoof rogue IPv6 router advertisements to perform a man-in-the-middle (MitM) attack against the host network or another container.
Clone Of:
Environment:
Last Closed: 2021-10-28 02:58:23 UTC
Embargoed:



Description Sam Fowler 2020-05-08 06:30:55 UTC
Docker creates network bridges that accept IPv6 router advertisements by default. An attacker able to execute code in a container could exploit this to spoof rogue IPv6 router advertisements to perform a MitM attack against the host network.

Comment 2 Sam Fowler 2020-05-28 06:18:25 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Etienne Champetier

Comment 6 Sam Fowler 2020-06-01 10:52:10 UTC
Mitigation:

Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.

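The description and doc text say the bridge accepts IPv6 router advertisements, and the mitigation in Comment 6 is to keep CAP_NET_RAW away from untrusted containers. The script below is an added example, not part of this bug record or of Docker: it gives a host-side audit for both conditions. `has_net_raw` decodes the `CapBnd` mask that `/proc/<pid>/status` prints and tells you whether a container's init process can still open raw sockets; `accepts_ra` interprets the `net.ipv6.conf.<iface>.accept_ra` sysctl for a bridge such as `docker0`. The `accept_ra` check is an assumption of this example (the bug record itself names only the CAP_NET_RAW mitigation); the hex mask values in the comments and test are constructed, with `00000000a80425fb` being the mask Docker's default capability set produces.

```shell
#!/bin/sh
# Added example, not code from the bug record or from Docker.
# Two defender-side checks for the conditions CVE-2020-13401 describes:
#  1. does a process (e.g. PID 1 of a container) still hold CAP_NET_RAW in
#     its bounding set? Without it the container cannot open the raw sockets
#     needed to emit ICMPv6 router advertisements at all.
#  2. does a bridge interface still honour IPv6 router advertisements?
#     (assumption of this example: the net.ipv6.conf.<iface>.accept_ra sysctl
#     is the relevant knob; the bug record only names the CAP_NET_RAW fix)

# CAP_NET_RAW is capability number 13 in <linux/capability.h>.
CAP_NET_RAW_BIT=13

# has_net_raw MASK
#   MASK is a CapBnd/CapEff value as printed in /proc/<pid>/status
#   (up to 16 hex digits, optional 0x prefix). Exit 0 if bit 13 is set.
has_net_raw() {
    # zero-pad so the string always has at least four hex digits
    mask="0000${1#0x}"
    # Only the low 16 bits can contain bit 13, so keep the last four hex
    # digits; this also keeps the arithmetic within any shell's integer width.
    low="${mask#"${mask%????}"}"
    [ $(( (0x$low >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# capbnd_of PID  -> the CapBnd mask of that process from /proc
capbnd_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# accepts_ra VALUE
#   VALUE is the content of /proc/sys/net/ipv6/conf/<iface>/accept_ra:
#   0 = never accept, 1 = accept when forwarding is off, 2 = accept always.
#   Conservative reading: exit 0 unless RAs are explicitly disabled (0).
accepts_ra() {
    case "$1" in
        0)   return 1 ;;
        1|2) return 0 ;;
        *)   echo "unexpected accept_ra value: $1" >&2; return 2 ;;
    esac
}

# audit_container PID  -> verdict for one container's init process.
# Usage: audit_container "$(docker inspect -f '{{.State.Pid}}' CONTAINER)"
audit_container() {
    pid="$1"
    bnd="$(capbnd_of "$pid")"
    if has_net_raw "$bnd"; then
        echo "pid $pid CapBnd=$bnd: CAP_NET_RAW present; run with --cap-drop=NET_RAW"
        return 1
    fi
    echo "pid $pid CapBnd=$bnd: CAP_NET_RAW dropped"
}

# audit_bridge IFACE  -> verdict for a bridge interface such as docker0.
# Usage: audit_bridge docker0
audit_bridge() {
    val="$(cat "/proc/sys/net/ipv6/conf/$1/accept_ra")" || return 2
    if accepts_ra "$val"; then
        echo "$1: accept_ra=$val, router advertisements are honoured"
        return 1
    fi
    echo "$1: accept_ra=$val, router advertisements ignored"
}
```

Both audit functions return non-zero when they find the risky state, so they can be dropped into a CI or node-health check as-is. A mask like `00000000a80405fb` (Docker's default set with bit 13 cleared) is what you expect to see after starting a container with `--cap-drop=NET_RAW`.
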
Comment 10 lnacshon 2020-06-15 12:50:38 UTC
quay.io runs on OpenShift Dedicated, so AFAIK there is no docker runtime available. The quay.io builders do perform docker builds but these are done within disposable VMs that only exist for the duration of the build.

