CVE-2020-11091 Explained : Impact and Mitigation

In Weave Net before version 2.6.3, an attacker running a process as root in a container can respond to DNS requests from the host, allowing them to pose as a fake service. This vulnerability can lead to Man-in-the-Middle (MitM) attacks via IPv6 rogue router advertisements.

Understanding CVE-2020-11091

What is CVE-2020-11091?

CVE-2020-11091 is a vulnerability in Weave Net versions prior to 2.6.3 that enables attackers to manipulate DNS requests and redirect IPv6 traffic to a malicious container.

The Impact of CVE-2020-11091

The vulnerability allows attackers to intercept and redirect IPv6 traffic, potentially leading to unauthorized access and data compromise within affected clusters.

Technical Details of CVE-2020-11091

Vulnerability Description

Attackers running a process as root in a container can respond to DNS requests from the host, posing as a fake service.
By sending rogue router advertisements, attackers can redirect IPv6 traffic to a controlled container.

Affected Systems and Versions

Product: Weave
Vendor: Weaveworks
Versions Affected: < 2.6.3

Exploitation Mechanism

Attacker exploits the acceptance of router advertisements by the host to redirect IPv6 traffic.
DNS responses containing both IPv4 and IPv6 records can be manipulated to intercept traffic.

Mitigation and Prevention

Immediate Steps to Take

Upgrade to Weave Net version 2.6.3 or newer to mitigate the vulnerability.
Disable IPv6 on the host if not required to prevent potential exploitation.

Long-Term Security Practices

Regularly update and patch software to address known vulnerabilities.
Implement network segmentation and access controls to limit the impact of potential attacks.
Monitor network traffic for suspicious activities and unauthorized access attempts.

Patching and Updates

Weave Net version 2.6.3 addresses the vulnerability by disabling the accept_ra option on veth devices.