CVE-2023-28841 Overview
CVE-2023-28841 is a cryptographic vulnerability affecting Moby, the open source container framework developed by Docker Inc. This vulnerability impacts the encrypted overlay network functionality in Docker Swarm Mode, causing encrypted overlay networks to silently transmit unencrypted data. The vulnerability stems from missing enforcement of IPSec encryption due to the absence of the xt_u32 kernel module, resulting in complete loss of confidentiality for network traffic that users expect to be encrypted.
Critical Impact
Encrypted overlay networks silently transmit unencrypted data, allowing attackers in a network position to intercept all application traffic including database communications, internal APIs, and sensitive user data without any indication of failure.
Affected Products
- Moby versions prior to 23.0.3
- Moby versions prior to 20.10.24
- Mirantis Container Runtime versions prior to 20.10.16
Discovery Timeline
- April 4, 2023 - CVE-2023-28841 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-28841
Vulnerability Analysis
This vulnerability represents a Missing Encryption of Sensitive Data flaw (CWE-311) in Docker's Swarm Mode overlay network driver. The overlay network driver is a core feature of Swarm Mode that provides isolated virtual LANs for container communication across cluster nodes. When encryption is enabled, the driver uses IPsec Encapsulating Security Payload (ESP) protocol in Transport mode to encapsulate VXLAN datagrams, providing source authentication, data integrity, and confidentiality.
The critical issue occurs during endpoint setup on encrypted overlay networks. Moby installs three iptables rules that rely on the xt_u32 kernel module to filter VXLAN packets by their VNI (VXLAN Network ID) field and enforce IPSec encapsulation. When this kernel module is unavailable, the iptables rules fail silently, and the encryption enforcement is completely bypassed without any warning to administrators.
Root Cause
The root cause lies in the silent failure behavior when the xt_u32 kernel module is not loaded or available on Swarm cluster nodes. The overlay network driver does not verify that the required kernel module is present before configuring encrypted networks. When the module is missing, the iptables rules that designate outgoing VXLAN datagrams for IPsec encapsulation cannot be properly enforced.
The vulnerable code path in the libnetwork encryption implementation fails to validate that the xt_u32 module is loaded before attempting to configure encrypted networking, resulting in a false sense of security where networks appear functional but lack any cryptographic protection.
Attack Vector
This vulnerability is exploitable over the network by attackers positioned to intercept traffic between Docker Swarm nodes. The attack does not require authentication or user interaction - an attacker simply needs to be in a position to capture VXLAN traffic on UDP port 4789 (the default VXLAN port).
The attack scenario involves passive network interception where the attacker monitors unencrypted VXLAN traffic that should have been protected by IPsec. Since the traffic is transmitted in plaintext, the attacker can read all application-layer data including database queries, API calls, authentication tokens, and any other sensitive information traversing the overlay network. This is particularly dangerous because organizations deploying encrypted overlay networks often do not implement additional encryption layers at the application level, assuming the network encryption provides adequate protection.
Detection Methods for CVE-2023-28841
Indicators of Compromise
- Unencrypted VXLAN traffic (UDP port 4789) visible in network captures between Swarm nodes that should be using encrypted overlay networks
- Missing xt_u32 kernel module on Docker Swarm cluster nodes (verify with lsmod | grep xt_u32)
- Iptables rules for overlay network encryption showing errors or missing entries
Detection Strategies
- Monitor network traffic between Swarm nodes for unencrypted VXLAN packets on UDP port 4789 when encrypted overlay networks are configured
- Implement automated checks during container deployment to verify the xt_u32 kernel module is loaded on all cluster nodes
- Review Docker daemon logs for any warnings related to iptables rule configuration failures
Monitoring Recommendations
- Deploy network intrusion detection systems (IDS) to identify plaintext traffic on ports expected to carry encrypted data
- Create automated alerts for kernel module availability on Swarm cluster nodes
- Implement periodic security audits of Docker Swarm configurations to verify encryption is functioning as expected
How to Mitigate CVE-2023-28841
Immediate Actions Required
- Update Moby/Docker to version 23.0.3 or later, or version 20.10.24 or later for the 20.10 branch
- For Mirantis Container Runtime users, update to version 20.10.16 or later
- Verify that the xt_u32 kernel module is loaded on all Swarm cluster nodes before relying on encrypted overlay networks
- Close UDP port 4789 (VXLAN) to outgoing traffic at the Internet boundary to prevent unintentional data leakage
Patch Information
Patches are available in Moby releases 23.0.3 and 20.10.24. The fixes address the silent failure behavior and provide proper validation of encryption prerequisites. For detailed patch information, see GitHub Moby Pull Request #45118 and the official GitHub Security Advisory GHSA-33pg-m6jh-5237.
Workarounds
- Ensure the xt_u32 kernel module is available and loaded on all nodes in the Swarm cluster before deploying encrypted overlay networks
- Block outgoing VXLAN traffic (UDP port 4789) at network perimeter firewalls to prevent unencrypted data from leaving the trusted network
- Implement application-layer encryption (TLS/mTLS) for all sensitive communications within Docker containers as defense-in-depth
# Verify xt_u32 kernel module is loaded
lsmod | grep xt_u32
# Load the module if not present
modprobe xt_u32
# Block VXLAN port at firewall (example using iptables)
iptables -A OUTPUT -p udp --dport 4789 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
