Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2020-13401

CVE-2020-13401: Docker Engine DOS Vulnerability

CVE-2020-13401 is a denial of service flaw in Docker Engine that allows attackers with CAP_NET_RAW capability to craft IPv6 router advertisements. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2020-13401 Overview

An issue was discovered in Docker Engine before version 19.03.11 that allows an attacker within a container, possessing the CAP_NET_RAW capability, to craft malicious IPv6 router advertisements. This vulnerability enables external IPv6 host spoofing, sensitive information disclosure, or denial of service attacks against networked systems.

Critical Impact

Attackers with container access and CAP_NET_RAW capability can spoof IPv6 hosts, intercept network traffic, and disrupt services through malicious router advertisements.

Affected Products

  • Docker Engine (versions before 19.03.11)
  • Fedora 31 and 32
  • Debian Linux 10.0
  • Broadcom SANnav

Discovery Timeline

  • 2020-06-02 - CVE-2020-13401 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-13401

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in Docker Engine's network handling mechanisms. When a container is granted the CAP_NET_RAW Linux capability, it gains the ability to create raw network sockets and craft arbitrary network packets. In vulnerable Docker Engine versions, insufficient restrictions on IPv6 router advertisement packets allow a malicious container to broadcast fraudulent routing information to the host network.

The attack requires network access and exploits the trust relationship between containers and the Docker network bridge. By sending specially crafted ICMPv6 Router Advertisement messages, an attacker can manipulate IPv6 routing tables on the host and potentially other containers sharing the same network segment.

Root Cause

The root cause is improper input validation within Docker Engine's network namespace isolation. The CAP_NET_RAW capability, when granted to containers, provides insufficient restrictions on the types of network packets that can be crafted and transmitted. Specifically, Docker Engine failed to properly filter or restrict ICMPv6 router advertisement messages originating from containers, allowing them to reach and affect the host's networking stack and other connected systems.

Attack Vector

The attack vector is network-based, requiring the attacker to have initial access to a container with the CAP_NET_RAW capability enabled. From this position, the attacker can:

  1. Craft malicious ICMPv6 Router Advertisement packets containing false routing information
  2. Broadcast these packets on the Docker bridge network
  3. Cause hosts and other containers to update their IPv6 routing tables with attacker-controlled routes
  4. Intercept traffic destined for external IPv6 hosts (man-in-the-middle)
  5. Cause denial of service by disrupting legitimate network routing

The vulnerability allows spoofing of external IPv6 hosts, enabling traffic interception and redirection attacks within the container network environment.

Detection Methods for CVE-2020-13401

Indicators of Compromise

  • Unexpected ICMPv6 Router Advertisement packets originating from container IP addresses
  • Changes to IPv6 routing tables on Docker hosts or within container networks
  • Unusual network traffic patterns indicating potential traffic interception or redirection
  • Container processes with CAP_NET_RAW capability actively sending raw network packets

Detection Strategies

  • Monitor Docker container capabilities and alert on containers running with CAP_NET_RAW unless explicitly required
  • Implement network intrusion detection to identify suspicious ICMPv6 Router Advertisement activity
  • Review Docker Engine version across infrastructure and flag instances running versions prior to 19.03.11
  • Analyze container network traffic for anomalous IPv6 routing behavior

Monitoring Recommendations

  • Deploy IPv6 Router Advertisement Guard (RA Guard) on network switches where supported
  • Enable logging for container capability assignments and network configuration changes
  • Implement continuous monitoring of Docker daemon logs for network-related errors or anomalies
  • Use container security platforms to track and alert on privileged capability usage

How to Mitigate CVE-2020-13401

Immediate Actions Required

  • Upgrade Docker Engine to version 19.03.11 or later immediately
  • Audit all running containers for unnecessary CAP_NET_RAW capability and remove where not required
  • Review container security policies to restrict raw network socket capabilities
  • Implement network segmentation to isolate containers from sensitive host networks

Patch Information

Docker has released version 19.03.11 which addresses this vulnerability. The patch is available through the Docker Engine Release Notes and the GitHub Docker CE Release v19.03.11. Linux distribution-specific patches are also available through Debian Security Advisory DSA-4716, Fedora Package Announcements, and Gentoo GLSA 202008-15.

Workarounds

  • Drop the CAP_NET_RAW capability from containers that do not require it using --cap-drop=NET_RAW
  • Use Docker's --sysctl option to disable IPv6 in containers if not needed: --sysctl net.ipv6.conf.all.disable_ipv6=1
  • Implement network policies to restrict container-to-host network communication
  • Consider using rootless Docker mode to reduce the attack surface
bash
# Configuration example
# Run containers without CAP_NET_RAW capability
docker run --cap-drop=NET_RAW --name secure-container your-image:tag

# Disable IPv6 in container if not required
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --name secure-container your-image:tag

# Check Docker Engine version
docker version --format '{{.Server.Version}}'

# Verify container capabilities
docker inspect --format='{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}' container-name

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.