CVE-2023-28840: Mobyproject Moby DOS Vulnerability

CVE-2023-28840 Overview

CVE-2023-28840 is a high-severity vulnerability in Moby, the open source container framework developed by Docker Inc. and distributed as Docker, Mirantis Container Runtime, and other downstream products. The flaw affects the Swarm Mode encrypted overlay network driver, which uses VXLAN encapsulated in IPsec to provide isolated, authenticated, and confidential container-to-container communication across cluster nodes. Attackers on the network can inject arbitrary Ethernet frames into encrypted overlay networks by sending unencrypted VXLAN datagrams that bypass the iptables rules Moby installs to enforce IPsec.

Critical Impact

Remote unauthenticated attackers can inject unencrypted frames into encrypted overlay networks, enabling denial of service, firewall bypass, and lateral packet smuggling between containers.

Affected Products

• Moby (moby/moby) versions prior to 23.0.3
• Moby versions prior to 20.10.24
• Mirantis Container Runtime versions prior to 20.10.16

Discovery Timeline

• 2023-04-04 - CVE-2023-28840 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-28840

Vulnerability Analysis

Moby's Swarm Mode provides encrypted overlay networks by encapsulating VXLAN datagrams inside the IPsec Encapsulating Security Payload (ESP) protocol in Transport mode. IPsec is responsible for source authentication, data integrity, and confidentiality between Swarm nodes. To enforce that only encrypted traffic enters an encrypted overlay, Moby installs three iptables rules using the u32 extension provided by the xt_u32 kernel module. These rules match on the VXLAN Network Identifier (VNI) field and drop unencrypted VXLAN datagrams targeting encrypted networks.

The enforcement rules are appended to the end of the INPUT filter chain. Any administrator-defined rules earlier in the chain take precedence and can ACCEPT packets before Moby's rules drop them. As a result, unencrypted VXLAN datagrams may reach the overlay network even when IPsec is configured.

The weakness is classified under [CWE-420] Unprotected Alternate Channel and [CWE-203] Observable Discrepancy. The injection of arbitrary Ethernet frames enables denial of service against tenants on the overlay. Sophisticated attackers can establish UDP or TCP connections through a container's outbound gateway that a stateful firewall would otherwise block, or smuggle packets into the overlay for further escalation.

Root Cause

The root cause is rule ordering in the host iptablesINPUT chain. Moby appends its drop rules rather than inserting them at a position that guarantees precedence over user-defined ACCEPT rules. If the xt_u32 kernel module is not loaded, the protective rules fail to install at all, silently leaving the encrypted overlay open to plaintext VXLAN traffic.

Attack Vector

An attacker who can reach the Swarm node on UDP port 4789 (the default VXLAN port) can craft VXLAN datagrams with a VNI matching an encrypted overlay network. Because the datagrams are not protected by IPsec, they reach the overlay bridge and are decapsulated into Ethernet frames inside the target container network. The attacker does not need credentials or user interaction and can perform the attack remotely across any network path that allows UDP/4789 to the victim host.

The vulnerability is described in prose only because no verified exploit code is published. See Moby Security Advisory GHSA-vwm3-crmr-xfxw and libnetwork Advisory GHSA-gvm4-2qqg-m333 for technical details.

Detection Methods for CVE-2023-28840

Indicators of Compromise

• Unexpected UDP traffic to port 4789 originating from hosts outside the Swarm cluster's trusted node set.
• Unencrypted (non-ESP) VXLAN datagrams matching VNIs assigned to encrypted overlay networks.
• Container network interfaces receiving Ethernet frames whose source MAC addresses do not correspond to any known Swarm peer.

Detection Strategies

• Inspect the INPUT chain on each Swarm node with iptables -L INPUT -n -v and verify that no administrator ACCEPT rule precedes Moby's VXLAN drop rules.
• Confirm the xt_u32 kernel module is loaded with lsmod | grep xt_u32; absence indicates the protective rules cannot be installed.
• Capture traffic on UDP/4789 with tcpdump and validate that all VXLAN packets are encapsulated within ESP frames between known node IPs.

Monitoring Recommendations

• Forward host firewall counters and Swarm node network telemetry to a centralized analytics platform for baseline comparison.
• Alert on new or modified iptables rules on Swarm hosts, particularly insertions to the INPUT chain.
• Monitor for kernel module load and unload events affecting xt_u32 and IPsec modules such as esp4 and xfrm.

How to Mitigate CVE-2023-28840

Immediate Actions Required

• Upgrade Moby/Docker Engine to version 23.0.3 or 20.10.24, or upgrade Mirantis Container Runtime to 20.10.16.
• Block inbound UDP port 4789 at the network perimeter and between any untrusted segments and Swarm nodes.
• Verify xt_u32 is available and loaded on every Swarm node before relying on encrypted overlay protections.

Patch Information

Patches are available in Moby releases 23.0.3 and 20.10.24. Mirantis Container Runtime users should update to 20.10.16. The corresponding fix is tracked in moby/moby pull request #45118 and described in GitHub Security Advisory GHSA-232p-vwff-86mp. Fedora package updates are listed in the Fedora package announcements.

Workarounds

• Close the default VXLAN port (UDP/4789) to incoming traffic at the Internet boundary and any untrusted network segment.
• Ensure the xt_u32 kernel module is installed and loaded on all Swarm cluster nodes so Moby's enforcement rules can be applied.
• Audit administrator-managed iptables rules to confirm no earlier ACCEPT rule on the INPUT chain matches VXLAN traffic destined for encrypted overlays.

# Configuration example: block external VXLAN traffic and verify xt_u32
sudo modprobe xt_u32
lsmod | grep xt_u32
sudo iptables -I INPUT -p udp --dport 4789 -m conntrack --ctstate NEW -j DROP
sudo iptables -L INPUT -n -v --line-numbers