CVE-2024-32473: Moby IPv6 enabled on IPv4-only network interfaces

Published Apr 18, 2024
·
Updated

In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where --ipv6=false.

Impact

A container with an ipvlan or macvlan interface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:

- Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses. - If router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses. - The interface will be a member of IPv6 multicast groups.

This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.

A container with an unexpected IPv6 address can do anything a container configured with an IPv6 address can do. That is, listen for connections on its IPv6 address, open connections to other nodes on the network over IPv6, or attempt a DoS attack by flooding packets from its IPv6 address. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L (2.7).

Because the container may not be constrained by an IPv6 firewall, there is increased potential for data exfiltration from the container. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (4.7).

A remote attacker could send malicious Router Advertisements to divert traffic to itself, a black-hole, or another device. The same attack is possible today for IPv4 macvlan/ipvlan endpoints with ARP spoofing, TLS is commonly used by Internet APIs to mitigate this risk. The presence of an IPv6 route could impact the container's availability by indirectly abusing the behaviour of software which behaves poorly in a dual-stack environment. For example, it could resolve a name to a DNS AAAA record and keep trying to connect over IPv6 without ever falling back to IPv4, potentially denying service to the container. This has CVSS score AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.5).

Patches

The issue is patched in 26.0.2.

Workarounds

To completely disable IPv6 in a container, use --sysctl=net.ipv6.conf.all.disableipv6=1 in the docker create or docker run command. Or, in the service configuration of a compose file, the equivalent:

sysctls: - net.ipv6.conf.all.disableipv6=1

References

- sysctl configuration using docker run: - https://docs.docker.com/reference/cli/docker/container/run/#sysctl - sysctl configuration using docker compose: - https://docs.docker.com/compose/compose-file/compose-file-v3/#sysctls

Other sources

Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where --ipv6=false. An container with an ipvlan or macvlan interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use --sysctl=net.ipv6.conf.all.disableipv6=1 in the docker create or docker run command. Or, in the service configuration of a compose file.

MITRE

Affected Software

2 affected componentsFixes available
go/github.com/docker/docker>=26.0.0<26.0.2
26.0.2
Mobyproject Moby>=26.0.0<26.0.2

Remediation

Patch Available

https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642

Event History

Apr 18, 2024
Advisory Published
via GitHub·09:52 PM
CVE Published
via MITRE·09:55 PM
Data Sourced
via MITRE·09:55 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:15 PM
RemedyAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-32473?

CVE-2024-32473 is considered a critical vulnerability due to potential exposure of sensitive network traffic.

2

How do I fix CVE-2024-32473?

To fix CVE-2024-32473, upgrade to version 26.0.2 of the affected Docker package.

3

What versions are affected by CVE-2024-32473?

CVE-2024-32473 affects versions 26.0.0 and 26.0.1 of the Docker package.

4

What issues does CVE-2024-32473 introduce?

CVE-2024-32473 introduces a risk of IPv6 being enabled on network interfaces even when specified to be disabled.

5

Who is affected by CVE-2024-32473?

Users running Docker versions 26.0.0 and 26.0.1 that utilize ipvlan or macvlan interfaces are affected by CVE-2024-32473.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203