CVE-2020-13401 Overview
An issue was discovered in Docker Engine before version 19.03.11 that allows an attacker within a container, possessing the CAP_NET_RAW capability, to craft malicious IPv6 router advertisements. This vulnerability enables external IPv6 host spoofing, sensitive information disclosure, or denial of service attacks against networked systems.
Critical Impact
Attackers with container access and CAP_NET_RAW capability can spoof IPv6 hosts, intercept network traffic, and disrupt services through malicious router advertisements.
Affected Products
- Docker Engine (versions before 19.03.11)
- Fedora 31 and 32
- Debian Linux 10.0
- Broadcom SANnav
Discovery Timeline
- 2020-06-02 - CVE-2020-13401 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-13401
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in Docker Engine's network handling mechanisms. When a container is granted the CAP_NET_RAW Linux capability, it gains the ability to create raw network sockets and craft arbitrary network packets. In vulnerable Docker Engine versions, insufficient restrictions on IPv6 router advertisement packets allow a malicious container to broadcast fraudulent routing information to the host network.
The attack requires network access and exploits the trust relationship between containers and the Docker network bridge. By sending specially crafted ICMPv6 Router Advertisement messages, an attacker can manipulate IPv6 routing tables on the host and potentially other containers sharing the same network segment.
Root Cause
The root cause is improper input validation within Docker Engine's network namespace isolation. The CAP_NET_RAW capability, when granted to containers, provides insufficient restrictions on the types of network packets that can be crafted and transmitted. Specifically, Docker Engine failed to properly filter or restrict ICMPv6 router advertisement messages originating from containers, allowing them to reach and affect the host's networking stack and other connected systems.
Attack Vector
The attack vector is network-based, requiring the attacker to have initial access to a container with the CAP_NET_RAW capability enabled. From this position, the attacker can:
- Craft malicious ICMPv6 Router Advertisement packets containing false routing information
- Broadcast these packets on the Docker bridge network
- Cause hosts and other containers to update their IPv6 routing tables with attacker-controlled routes
- Intercept traffic destined for external IPv6 hosts (man-in-the-middle)
- Cause denial of service by disrupting legitimate network routing
The vulnerability allows spoofing of external IPv6 hosts, enabling traffic interception and redirection attacks within the container network environment.
Detection Methods for CVE-2020-13401
Indicators of Compromise
- Unexpected ICMPv6 Router Advertisement packets originating from container IP addresses
- Changes to IPv6 routing tables on Docker hosts or within container networks
- Unusual network traffic patterns indicating potential traffic interception or redirection
- Container processes with CAP_NET_RAW capability actively sending raw network packets
Detection Strategies
- Monitor Docker container capabilities and alert on containers running with CAP_NET_RAW unless explicitly required
- Implement network intrusion detection to identify suspicious ICMPv6 Router Advertisement activity
- Review Docker Engine version across infrastructure and flag instances running versions prior to 19.03.11
- Analyze container network traffic for anomalous IPv6 routing behavior
Monitoring Recommendations
- Deploy IPv6 Router Advertisement Guard (RA Guard) on network switches where supported
- Enable logging for container capability assignments and network configuration changes
- Implement continuous monitoring of Docker daemon logs for network-related errors or anomalies
- Use container security platforms to track and alert on privileged capability usage
How to Mitigate CVE-2020-13401
Immediate Actions Required
- Upgrade Docker Engine to version 19.03.11 or later immediately
- Audit all running containers for unnecessary CAP_NET_RAW capability and remove where not required
- Review container security policies to restrict raw network socket capabilities
- Implement network segmentation to isolate containers from sensitive host networks
Patch Information
Docker has released version 19.03.11 which addresses this vulnerability. The patch is available through the Docker Engine Release Notes and the GitHub Docker CE Release v19.03.11. Linux distribution-specific patches are also available through Debian Security Advisory DSA-4716, Fedora Package Announcements, and Gentoo GLSA 202008-15.
Workarounds
- Drop the CAP_NET_RAW capability from containers that do not require it using --cap-drop=NET_RAW
- Use Docker's --sysctl option to disable IPv6 in containers if not needed: --sysctl net.ipv6.conf.all.disable_ipv6=1
- Implement network policies to restrict container-to-host network communication
- Consider using rootless Docker mode to reduce the attack surface
# Configuration example
# Run containers without CAP_NET_RAW capability
docker run --cap-drop=NET_RAW --name secure-container your-image:tag
# Disable IPv6 in container if not required
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --name secure-container your-image:tag
# Check Docker Engine version
docker version --format '{{.Server.Version}}'
# Verify container capabilities
docker inspect --format='{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}' container-name
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
