Arbitrary Code Execution Affecting github.com/weaveworks/weave package, versions <2.6.3


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.17% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMWEAVEWORKSWEAVE-571285
  • published4 Jun 2020
  • disclosed4 Jun 2020
  • creditUnknown

Introduced: 4 Jun 2020

CVE-2020-11091  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade github.com/weaveworks/weave to version 2.6.3 or higher.

Overview

github.com/weaveworks/weave is a package that provides simple, resilient multi-host containers networking.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not disabled on the host (via ipv6.disable=1 on the kernel command line), it will be either unconfigured or configured on some interfaces, but it's pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0.

Also by default, /proc/sys/net/ipv6/conf/accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.By sending rogue router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. A combination with the existence of CVE-2019-3462 on the host can allow escalation to the host. Weave Net version 2.6.3 disables the accept_ra option on the veth devices that it creates.

CVSS Base Scores

version 3.1