2276026 – (CVE-2024-32473) CVE-2024-32473 moby: IPv6 enabled on IPv4-only network interfaces

Bug 2276026 (CVE-2024-32473) - CVE-2024-32473 moby: IPv6 enabled on IPv4-only network interfaces

Summary: CVE-2024-32473 moby: IPv6 enabled on IPv4-only network interfaces

Keywords:
Status:	NEW
Alias:	CVE-2024-32473
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2276009
TreeView+	depends on / blocked

Reported:	2024-04-19 04:10 UTC by Robb Gatica
Modified:	2024-04-22 08:31 UTC (History)
CC List:	18 users (show)
Fixed In Version:	moby 26.0.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Moby, an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling and runtimes. In certain versions, IPv6 is not disabled on network interfaces, including those belonging to networks where "--ipv6=false". A container with an "ipvlan" or "macvlan" interface will normally be configured to share an external network link with the host machine, and because of this direct access, containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses. Additionally, if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses and the interface will be a member of IPv6 multicast groups. This means interfaces IPv4-only networks present an unexpectedly and unnecessarily increased attack surface
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-04-19 04:10:40 UTC

Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface  will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file.

https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9

Note You need to log in before you can comment on or make changes to this bug.