Vulnerability Details : CVE-2020-11091
In Weave Net before version 2.6.3, an attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it's pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them. By sending rogue router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. If by chance you also have on the host a vulnerability like last year's RCE in apt (CVE-2019-3462), you can now escalate to the host. Weave Net version 2.6.3 disables the accept_ra option on the veth devices that it creates.
Products affected by CVE-2020-11091
- cpe:2.3:a:weave:weave_net:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11091
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 17 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11091
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N |
1.3
|
4.0
|
NIST | |
5.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N |
1.3
|
4.0
|
GitHub, Inc. |
CWE ids for CVE-2020-11091
-
The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-11091
-
https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60
Merge pull request #3801 from weaveworks/disable-accept-ra · weaveworks/weave@15f21f1 · GitHubPatch;Third Party Advisory
-
https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73
IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements · Advisory · weaveworks/weave · GitHubThird Party Advisory
Jump to