Transmission of Private Resources into a New Sphere ('Resource Leak') Affecting github.com/moby/moby/integration/network/macvlan package, versions >=26.0.0 <26.0.2
- Snyk ID SNYK-GOLANG-GITHUBCOMMOBYMOBYINTEGRATIONNETWORKMACVLAN-6663327
- published 19 Apr 2024
- disclosed 18 Apr 2024
- credit Albin Kerouanton
Introduced: 18 Apr 2024
CVE-2024-32473
How to fix?
Upgrade github.com/moby/moby/integration/network/macvlan to version 26.0.2 or higher.
Overview
Affected versions of this package are vulnerable to Transmission of Private Resources into a New Sphere ('Resource Leak') due to the misconfiguration of network interfaces where IPv6 is not disabled as expected. This misconfiguration allows for unintended IPv6 communication capabilities on interfaces, including those designated for IPv4-only traffic. An attacker can exploit this to perform activities such as communicating with other hosts on the local network over link-local IPv6 addresses, receiving SLAAC-assigned addresses through router advertisements, and joining IPv6 multicast groups. This increases the attack surface by enabling unexpected network behaviors and potential data exfiltration opportunities. Additionally, malicious router advertisements could be used to divert traffic, creating potential for denial of service or traffic interception.
Workaround
This vulnerability can be mitigated by disabling IPv6 in the container using --sysctl=net.ipv6.conf.all.disable_ipv6=1 in the docker create or docker run command, or equivalently in a compose file.
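To confirm from inside a container that the workaround or the upgrade took effect, the following added example (not code from Moby or Snyk) lists interfaces whose disable_ipv6 sysctl is still 0 and any link-local addresses they hold. The function names and the optional proc-root argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Moby or Snyk code): report interfaces in the current
# network namespace where IPv6 is still enabled. Run it inside the container.
# The optional proc-root argument is an assumption added so the check can be
# pointed at a constructed tree; it defaults to /proc.

# Print each real interface whose disable_ipv6 sysctl is 0.
ipv6_enabled_ifaces() {
    root="${1:-/proc}"
    for f in "$root"/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are sysctl templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        [ "$(cat "$f")" = "0" ] && echo "$iface"
    done
    return 0
}

# Print "iface address" for every link-local address (scope field 20)
# listed in if_inet6; these are what the advisory says remain reachable.
link_local_addrs() {
    root="${1:-/proc}"
    [ -r "$root/net/if_inet6" ] || return 0
    awk '$4 == "20" { print $6, $1 }' "$root/net/if_inet6"
}

# Exit status 0 when no interface has IPv6 enabled, 1 otherwise.
audit_ipv6() {
    enabled=$(ipv6_enabled_ifaces "${1:-/proc}")
    if [ -z "$enabled" ]; then
        echo "OK: IPv6 is disabled on every interface"
        return 0
    fi
    echo "IPv6 still enabled on:" $enabled
    link_local_addrs "${1:-/proc}" | sed 's/^/  link-local: /'
    return 1
}

# Stand-alone use: sh audit_ipv6.sh /proc
if [ $# -gt 0 ]; then audit_ipv6 "$1"; fi
```

A non-zero exit status means at least one interface can still speak IPv6, so the check can gate a container health check or a CI step.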