Transmission of Private Resources into a New Sphere ('Resource Leak') Affecting github.com/moby/moby/integration/network/ipvlan package, versions >=26.0.0 <26.0.2


Severity

Recommended: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.04% (11th percentile)

  • Snyk ID SNYK-GOLANG-GITHUBCOMMOBYMOBYINTEGRATIONNETWORKIPVLAN-6663325
  • published 19 Apr 2024
  • disclosed 18 Apr 2024
  • credit Albin Kerouanton

How to fix?

Upgrade github.com/moby/moby/integration/network/ipvlan to version 26.0.2 or higher.

Overview

Affected versions of this package are vulnerable to Transmission of Private Resources into a New Sphere ('Resource Leak') due to the misconfiguration of network interfaces where IPv6 is not disabled as expected. This misconfiguration allows for unintended IPv6 communication capabilities on interfaces, including those designated for IPv4-only traffic. An attacker can exploit this to perform activities such as communicating with other hosts on the local network over link-local IPv6 addresses, receiving SLAAC-assigned addresses through router advertisements, and joining IPv6 multicast groups. This increases the attack surface by enabling unexpected network behaviors and potential data exfiltration opportunities. Additionally, malicious router advertisements could be used to divert traffic, creating potential for denial of service or traffic interception.

Workaround

This vulnerability can be mitigated by disabling IPv6 in the container using --sysctl=net.ipv6.conf.all.disable_ipv6=1 in the docker create or docker run command, or equivalently in a compose file.
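The workaround above is only effective if the sysctl actually lands in the container's network namespace, so a practitioner will want a way to confirm it. The following script is an added example, not code from the Snyk advisory or from the moby project: it parses the output of `ip -6 addr show` and lists every interface that still carries an IPv6 address other than loopback's host-scoped ::1, which is exactly the state (link-local fe80:: addresses, SLAAC-assigned globals) the advisory describes. The two sample outputs are constructed, and the container name "app" in the live-check helper is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Snyk advisory or the moby project: a check that
# lists interfaces still carrying an IPv6 address, i.e. what the
# --sysctl=net.ipv6.conf.all.disable_ipv6=1 workaround should leave empty
# (apart from loopback). Input is the output of `ip -6 addr show`.

# Print, once each, the names of interfaces that have any inet6 address other
# than a host-scoped (loopback) one. Link-local fe80::/10 and SLAAC global
# addresses both count, since those are the advisory's concern.
ipv6_active_ifaces() {
    awk '
        /^[0-9]+: / {                 # header line: "2: eth0@if5: <BROADCAST,...>"
            name = $2
            sub(/:$/, "", name)       # strip the trailing colon
            sub(/@.*/, "", name)      # strip the veth peer suffix "@if5"
        }
        /^[ \t]*inet6 / && $0 !~ /scope host/ {
            if (!(name in seen)) { seen[name] = 1; print name }
        }
    '
}

# Constructed sample output for a container where IPv6 was NOT disabled:
# eth0 picked up a link-local address and can therefore talk IPv6 on the link.
SAMPLE_IPV6_ENABLED='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample output after the disable_ipv6 sysctl: only loopback remains.
SAMPLE_IPV6_DISABLED='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever'

# Live use against a running container (hypothetical name "app"); returns 1 if
# any interface still speaks IPv6. Not executed here because it needs the Docker CLI.
check_container_ipv6() {
    active=$(docker exec "$1" ip -6 addr show | ipv6_active_ifaces)
    if [ -n "$active" ]; then
        echo "IPv6 still active in $1 on: $active" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_IPV6_ENABLED"  | ipv6_active_ifaces   # prints: eth0
printf '%s\n' "$SAMPLE_IPV6_DISABLED" | ipv6_active_ifaces   # prints nothing
```

Run `check_container_ipv6 app` after starting the container with the sysctl from the workaround; a non-empty list means the interface is still IPv6-capable and the mitigation has not taken effect in that namespace. The awk parser keys on the numbered header lines and the `scope host` qualifier rather than on address prefixes, so it also catches SLAAC global addresses, not only fe80:: link-local ones.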

References

CVSS Scores

version 3.1

Snyk (Recommended): 6.9 medium
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:H
  • Attack Vector (AV): Local
  • Attack Complexity (AC): High
  • Privileges Required (PR): High
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): None
  • Availability (A): High