CVE-2023-28840 Overview
CVE-2023-28840 is a network security bypass vulnerability in Moby, the open source container framework developed by Docker Inc. that powers Docker, Mirantis Container Runtime, and various other downstream container projects. The vulnerability affects the encrypted overlay network driver in Swarm Mode, which provides isolated virtual LANs for container communication across clusters using VXLAN encapsulation with optional IPsec encryption.
The flaw stems from improper iptables rule ordering when configuring encrypted overlay networks. When Moby sets up IPsec enforcement rules, they are appended to the end of the INPUT filter chain rather than being prioritized, allowing administrator-set rules to take precedence and potentially admit unencrypted VXLAN datagrams that should have been discarded.
Critical Impact
Attackers with network access can inject arbitrary Ethernet frames into encrypted overlay networks, enabling Denial of Service attacks, bypassing stateful firewalls, or smuggling malicious packets into the container network.
Affected Products
- Moby versions prior to 23.0.3
- Moby versions prior to 20.10.24
- Mirantis Container Runtime versions prior to 20.10.16
Discovery Timeline
- April 4, 2023 - CVE-2023-28840 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-28840
Vulnerability Analysis
The encrypted overlay network feature in Docker/Moby Swarm Mode uses VXLAN to encapsulate Ethernet frames in UDP datagrams tagged with a VXLAN Network ID (VNI). When encryption is enabled, these VXLAN datagrams are further encapsulated using IPsec Encapsulating Security Payload (ESP) protocol in Transport mode, providing authentication, integrity, and confidentiality.
To enforce IPsec on encrypted overlay networks, Moby installs iptables rules using the xt_u32 kernel module to filter on the VNI field of VXLAN packets. Two critical rules are designed to discard incoming unencrypted VXLAN datagrams matching encrypted network VNIs. However, these rules are appended to the end of the INPUT chain, meaning any pre-existing administrator rules that accept VXLAN traffic will match first and bypass the security enforcement.
This creates a scenario where the encryption guarantees provided by IPsec—source authentication, data integrity, and confidentiality—can be completely circumvented by an attacker capable of sending crafted VXLAN packets to the target node.
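The distinction the analysis draws (ESP on the wire when encryption is on, plaintext UDP/4789 VXLAN otherwise) can be checked packet by packet. The following Python classifier is an added example, not code from Moby or from this page; it constructs its own sample datagrams, and the VNI values and addresses in it are made up:

```python
import struct

VXLAN_PORT = 4789                  # Swarm's default VXLAN data-path port (UDP)
IPPROTO_UDP, IPPROTO_ESP = 17, 50

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL=5, checksum left at zero) in front of a payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload

def vxlan_datagram(src, dst, vni, inner_frame):
    """Unencrypted UDP/VXLAN datagram: 8-byte UDP header, 8-byte VXLAN header, inner Ethernet frame."""
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)   # 'I' flag set, 24-bit VNI, trailing reserved byte
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 16 + len(inner_frame), 0) + vxlan + inner_frame
    return ipv4(src, dst, IPPROTO_UDP, udp)

def classify(pkt, encrypted_vnis):
    """Return (verdict, vni); 'vxlan-unencrypted' is the CVE-2023-28840 condition: plaintext VXLAN for an encrypted VNI."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other", None
    ihl = (pkt[0] & 0x0F) * 4                      # variable IP header length, as the u32 match must handle
    if pkt[9] == IPPROTO_ESP:
        return "esp", None                         # the expected wire form of encrypted overlay traffic
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 16:
        return "other", None
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    flags = pkt[ihl + 8]                           # first VXLAN byte; 0x08 = VNI field is valid
    if dport != VXLAN_PORT or not flags & 0x08:
        return "other", None
    vni = int.from_bytes(pkt[ihl + 12:ihl + 15], "big")   # 3-byte VNI after 4 bytes of flags/reserved
    return ("vxlan-unencrypted" if vni in encrypted_vnis else "vxlan"), vni

def scan(packets, encrypted_vnis):
    """Indices and VNIs of plaintext VXLAN datagrams that target an encrypted overlay network."""
    return [(i, classify(p, encrypted_vnis)[1]) for i, p in enumerate(packets)
            if classify(p, encrypted_vnis)[0] == "vxlan-unencrypted"]

# Constructed sample capture. VNI 4097 is taken to be an encrypted overlay; 4096 an ordinary one.
ENCRYPTED_VNIS = {4097}
INNER = bytes.fromhex("ffffffffffff02420a0000020806") + bytes(28)   # broadcast ARP-sized inner frame
CAPTURE = [
    ipv4("10.0.0.2", "10.0.0.1", IPPROTO_ESP, bytes(32)),            # peer node: ESP, as expected
    vxlan_datagram("10.0.0.2", "10.0.0.1", 4096, INNER),             # unencrypted overlay: legitimate
    vxlan_datagram("203.0.113.9", "10.0.0.1", 4097, INNER),          # plaintext into an encrypted VNI
]

if __name__ == "__main__":
    print(scan(CAPTURE, ENCRYPTED_VNIS))   # [(2, 4097)]
```

Only the third datagram is reported: it carries an encrypted network's VNI but arrived without ESP, which is exactly the traffic the appended iptables rules were meant to drop.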
Root Cause
The root cause is an iptables rule ordering vulnerability (CWE-420: Unprotected Alternate Channel). When Moby configures encrypted overlay networks, the IPsec enforcement rules are appended to the INPUT filter chain rather than inserted at a position that ensures they take precedence over any existing rules. This design flaw allows pre-existing rules (such as general VXLAN acceptance rules) to process and accept unencrypted traffic before Moby's security rules can reject it.
Additionally, a secondary weakness is an observable discrepancy (CWE-203), whereby the system's differing behavior when processing encrypted versus unencrypted packets may leak information about the network configuration.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication. An attacker positioned on the network path between Swarm nodes can:
- Identify Target Networks: Discover VXLAN Network IDs (VNIs) used by encrypted overlay networks through traffic analysis or configuration disclosure
- Craft Malicious Packets: Create unencrypted VXLAN datagrams with the target VNI that encapsulate arbitrary Ethernet frames
- Inject Traffic: Send these packets to the target node's VXLAN port (UDP 4789 by default), bypassing the IPsec encryption requirement
- Execute Attack Payloads: Leverage the injected frames for DoS attacks, firewall bypass via outbound gateway connections, or packet smuggling into the overlay network
The attack complexity is high as it requires specific network positioning and knowledge of the target configuration, but no privileges or user interaction are required.
Detection Methods for CVE-2023-28840
Indicators of Compromise
- Unexpected unencrypted VXLAN traffic on UDP port 4789 destined for Swarm nodes
- Anomalous network connections originating from containers that bypass expected firewall policies
- iptables rule inspection showing Moby security rules positioned after permissive VXLAN rules
- Network traffic analysis revealing non-IPsec VXLAN packets with VNIs belonging to encrypted overlay networks
Detection Strategies
- Monitor and alert on VXLAN traffic (UDP 4789) that lacks IPsec ESP encapsulation when encryption is expected
- Implement network intrusion detection rules to identify VXLAN packet injection attempts from external sources
- Regularly audit iptables rule ordering using iptables -L INPUT -n -v --line-numbers to verify that Moby's security rules precede any permissive VXLAN rules
- Deploy SentinelOne Singularity for container environments to detect anomalous network behavior and policy violations
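The rule-ordering audit above can be automated. The following Python script is an added example (not Moby's code and not part of this page) that parses the output of iptables -S INPUT and reports any blanket UDP/4789 ACCEPT rule that sits above a u32-based VXLAN DROP rule, which is the shadowing described in the root cause; the sample chain text is constructed here to resemble the rules this page describes, so compare it against your own node's output:

```python
import shlex

VXLAN_PORT = "4789"  # Swarm's default data-path port; pass another value if --data-path-port was changed

class Rule:
    """One `-A <chain> ...` line, with its 1-based position as --line-numbers would show it."""
    def __init__(self, index, tokens):
        self.index, self.tokens = index, tokens

    def has(self, *flags):
        """True if the flags occur consecutively, e.g. rule.has('--dport', '4789')."""
        n = len(flags)
        return any(tuple(self.tokens[i:i + n]) == flags for i in range(len(self.tokens) - n + 1))

    @property
    def target(self):
        return self.tokens[self.tokens.index("-j") + 1] if "-j" in self.tokens else None

def parse_chain(iptables_s_output, chain="INPUT"):
    """Turn `iptables -S <chain>` output into ordered Rule objects; the -P policy line is skipped."""
    rules = []
    for line in iptables_s_output.splitlines():
        toks = shlex.split(line)           # shlex keeps the quoted --u32 expression as one token
        if toks[:2] == ["-A", chain]:
            rules.append(Rule(len(rules) + 1, toks[2:]))
    return rules

def audit_vxlan_ordering(rules, port=VXLAN_PORT):
    """Flag blanket UDP/<port> ACCEPT rules that sit above a u32 VXLAN DROP rule (the CVE-2023-28840 condition)."""
    vxlan = [r for r in rules if r.has("-p", "udp") and r.has("--dport", port)]
    drops = [r.index for r in vxlan if r.has("-m", "u32") and r.target == "DROP"]
    if not drops:
        return [f"no u32 DROP rule for UDP/{port}: no encrypted overlay on this node, or xt_u32 is unavailable"]
    blanket = [r for r in vxlan if r.target == "ACCEPT" and not r.has("-m", "u32") and not r.has("-m", "policy")]
    return [f"rule {r.index} accepts all UDP/{port} ahead of DROP rule(s) {[d for d in drops if d > r.index]}: "
            "unencrypted VXLAN is admitted" for r in blanket if any(d > r.index for d in drops)]

# Constructed `iptables -S INPUT` output, shaped like a node where an administrator's blanket VXLAN
# ACCEPT precedes per-VNI enforcement for VNI 4097 (the u32 match compares VNI<<8 = 1048832).
ENFORCE = ('-A INPUT -p udp -m udp --dport 4789 -m policy --dir in --pol ipsec '
           '-m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=1048832" -j ACCEPT\n'
           '-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=1048832" -j DROP\n')
BLANKET = "-A INPUT -p udp -m udp --dport 4789 -j ACCEPT\n"
VULNERABLE = "-P INPUT ACCEPT\n" + BLANKET + ENFORCE   # appended enforcement: shadowed
FIXED = "-P INPUT ACCEPT\n" + ENFORCE + BLANKET        # enforcement inserted first: effective

if __name__ == "__main__":
    for name, chain in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, audit_vxlan_ordering(parse_chain(chain)) or ["ok"])
```

On a live node, feed it the real output with iptables -S INPUT; an empty result means every blanket VXLAN ACCEPT is below the enforcement rules.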
Monitoring Recommendations
- Enable detailed logging for iptables rule matches on VXLAN-related chains
- Implement network flow analysis to baseline normal encrypted overlay traffic patterns
- Configure alerts for any VXLAN traffic originating from outside the trusted Swarm cluster
- Monitor container network namespaces for unexpected connections that could indicate successful packet injection
How to Mitigate CVE-2023-28840
Immediate Actions Required
- Update Moby/Docker to version 23.0.3 or later immediately
- For legacy installations, update to Moby version 20.10.24 or later
- Mirantis Container Runtime users should update to version 20.10.16 or later
- Review and audit iptables rule ordering on all Swarm cluster nodes
Patch Information
Patches addressing this vulnerability are available in Moby releases 23.0.3 and 20.10.24. The fix ensures that IPsec enforcement rules for encrypted overlay networks are properly prioritized in the iptables INPUT chain, preventing bypass through rule ordering issues. For detailed patch information, see the GitHub Pull Request #45118 and the official security advisories.
Workarounds
- Block incoming VXLAN traffic (UDP port 4789) at the network perimeter/Internet boundary to prevent external packet injection
- Ensure the xt_u32 kernel module is available and loaded on all Swarm cluster nodes for proper VNI-based filtering
- Manually adjust iptables rule ordering to prioritize Moby's encrypted overlay security rules
- Consider using WireGuard or external VPN solutions for inter-node encryption as an alternative to Swarm's built-in encryption
# Block VXLAN traffic from outside the trusted Swarm network; -I inserts the rule at the top of INPUT
# so it is evaluated before any permissive rules (the negation goes in front of the -s option)
iptables -I INPUT ! -s <trusted_swarm_network> -p udp --dport 4789 -j DROP
# Verify that the xt_u32 module is loaded, and load it if it is not
lsmod | grep xt_u32 || modprobe xt_u32
# Check the current ordering of the INPUT chain for VXLAN (port 4789) and u32-based rules
iptables -L INPUT -n -v --line-numbers | grep -E "(4789|u32)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.