CVE-2020-11091 – Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements

https://notcve.org/view.php?id=CVE-2020-11091

In Weave Net before version 2.6.3, an attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it's pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them. By sending rogue router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. • https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60 https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73 • CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •