Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.

The version of moby-engine installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-29018 advisory.

  - Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file May also be used to mark a network _internal_, and     other API clients May specify the `internal` parameter as well. When containers with networking are     created, they are assigned unique network interfaces and IP addresses. The host serves as a router for     non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an     internal network May communicate between each other, but are precluded from communicating with any     networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set     up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately     configured host services) is possible, and the host May communicate with any container IP directly. In     addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS     request for a name that does not correspond to a container is received, the request is forwarded to the     configured upstream resolver. This request is made from the container's network namespace: the level of     access and routing of traffic is the same as if the request was made by the container itself. As a     consequence of this design, containers solely attached to an internal network will be unable to resolve     names using the upstream resolver, as the container itself is unable to communicate with that nameserver.
    Only the names of containers also attached to the internal network are able to be resolved. Many systems     run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a     consequence of the design described above is that containers are unable to resolve names from the host's     configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap,     and to allow containers to properly resolve names even when a local forwarding resolver is used on a     loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework     namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as     expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container     network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS     requests to an external nameserver. By registering a domain for which they control the authoritative     nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in     DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as     Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and     23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run     containers intended to be solely attached to internal networks with a custom upstream address, which will     force all upstream DNS queries to be resolved from the container's network namespace. (CVE-2024-29018)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails     to add a not-found netgroup response to the cache, the client request can result in a null pointer     dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability     is only present in the nscd binary.(CVE-2024-33600)

    nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd)     netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer.
    The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present     in the nscd binary.(CVE-2024-33602)

    nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's     (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a     memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in     glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd     binary.(CVE-2024-33601)

    nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size     cache is exhausted by client requests then a subsequent client request for netgroup data may result in a     stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This     vulnerability is only present in the nscd binary.(CVE-2024-33599)

Tenable has extracted the preceding description block directly from the EulerOS glibc security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of docker installed on the remote host is prior to 25.0.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-042 advisory.

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial     domain, an http.Client does not forward sensitive headers such as Authorization or Cookie. For     example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to     bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly     forwarded. (CVE-2023-45289)

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6     addresses, returning false for addresses which would return true in their traditional IPv4 forms.
    (CVE-2024-24790)

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well.

    When containers with networking are created, they are assigned unique network interfaces and IP addresses.
    The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from     container IPs.

    Containers on an internal network may communicate between each other, but are precluded from communicating     with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall     rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus     appropriately configured host services) is possible, and the host may communicate with any container IP     directly.

    In addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver.

    When a DNS request for a name that does not correspond to a container is received, the request is     forwarded to the configured upstream resolver. This request is made from the container's network     namespace: the level of access and routing of traffic is the same as if the request was made by the     container itself.

    As a consequence of this design, containers solely attached to an internal network will be unable to     resolve names using the upstream resolver, as the container itself is unable to communicate with that     nameserver. Only the names of containers also attached to the internal network are able to be resolved.

    Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback     devices, a consequence of the design described above is that containers are unable to resolve names from     the host's configured resolver, as they cannot reach these addresses on the host loopback device. To     bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver     is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the     host namework namespace. The loopback resolver then forwards the requests to its configured upstream     resolvers, as expected.

    Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network     namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to     an external nameserver. By registering a domain for which they control the authoritative nameservers, an     attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that     will eventually be answered by their nameservers.

    Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.

    Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal     networks. As a workaround, run containers intended to be solely attached to internal networks with a     custom upstream address, which will force all upstream DNS queries to be resolved from the container's     network namespace. (CVE-2024-29018)

    AWS is aware of CVE-2024-41110, an issue affecting the Moby open source project, packaged in Amazon Linux     as docker. Docker is a component of several open source container management systems.

    This issue does not affect the default configuration of docker. If an authorization plugin is enabled, a     specially-crafted API request to the docker daemon will be forwarded to the authorization plugin in a way     that could lead to unintended actions, such as privilege escalation. Enabling an authorization plugin is     an atypical configuration. The affected API endpoint is not exposed to the network in either the default,     typical, or recommended configurations. The default EKS and ECS configurations do not expose the API     endpoint to the network. Enabling a Docker authorization plugin is not supported when using ECS. Finally,     docker is not installed on EKS AMIs newer than 1.24. Although Docker is installed in EKS 1.24 and earlier,     EKS does not support authorization plugins.

    Updated docker packages addressing the issue are available for Amazon Linux 2 (docker-20.10.25-1.amzn2.0.5     and docker-25.0.6-1.amzn2.0.1) and for Amazon Linux 2023 (docker-25.0.6-1amzn2023.0.1). AWS recommends     that customers using docker upgrade to these or later versions. (CVE-2024-41110)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well. When containers with networking are     created, they are assigned unique network interfaces and IP addresses. The host serves as a router for     non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an     internal network may communicate between each other, but are precluded from communicating with any     networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set     up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately     configured host services) is possible, and the host may communicate with any container IP directly. In     addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS     request for a name that does not correspond to a container is received, the request is forwarded to the     configured upstream resolver. This request is made from the container's network namespace: the level of     access and routing of traffic is the same as if the request was made by the container itself. As a     consequence of this design, containers solely attached to an internal network will be unable to resolve     names using the upstream resolver, as the container itself is unable to communicate with that nameserver.
    Only the names of containers also attached to the internal network are able to be resolved. Many systems     run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a     consequence of the design described above is that containers are unable to resolve names from the host's     configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap,     and to allow containers to properly resolve names even when a local forwarding resolver is used on a     loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework     namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as     expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container     network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS     requests to an external nameserver. By registering a domain for which they control the authoritative     nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in     DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as     Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and     23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run     containers intended to be solely attached to internal networks with a custom upstream address, which will     force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-674 advisory.

    2024-08-28: CVE-2024-29018 was added to this advisory.

    2024-08-28: CVE-2024-24786 was added to this advisory.

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well.

    When containers with networking are created, they are assigned unique network interfaces and IP addresses.
    The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from     container IPs.

    Containers on an internal network may communicate between each other, but are precluded from communicating     with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall     rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus     appropriately configured host services) is possible, and the host may communicate with any container IP     directly.

    In addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver.

    When a DNS request for a name that does not correspond to a container is received, the request is     forwarded to the configured upstream resolver. This request is made from the container's network     namespace: the level of access and routing of traffic is the same as if the request was made by the     container itself.

    As a consequence of this design, containers solely attached to an internal network will be unable to     resolve names using the upstream resolver, as the container itself is unable to communicate with that     nameserver. Only the names of containers also attached to the internal network are able to be resolved.

    Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback     devices, a consequence of the design described above is that containers are unable to resolve names from     the host's configured resolver, as they cannot reach these addresses on the host loopback device. To     bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver     is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the     host namework namespace. The loopback resolver then forwards the requests to its configured upstream     resolvers, as expected.

    Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network     namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to     an external nameserver. By registering a domain for which they control the authoritative nameservers, an     attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that     will eventually be answered by their nameservers.

    Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.

    Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal     networks. As a workaround, run containers intended to be solely attached to internal networks with a     custom upstream address, which will force all upstream DNS queries to be resolved from the container's     network namespace. (CVE-2024-29018)

    AWS is aware of CVE-2024-41110, an issue affecting the Moby open source project, packaged in Amazon Linux     as docker. Docker is a component of several open source container management systems.

    This issue does not affect the default configuration of docker. If an authorization plugin is enabled, a     specially-crafted API request to the docker daemon will be forwarded to the authorization plugin in a way     that could lead to unintended actions, such as privilege escalation. Enabling an authorization plugin is     an atypical configuration. The affected API endpoint is not exposed to the network in either the default,     typical, or recommended configurations. The default EKS and ECS configurations do not expose the API     endpoint to the network. Enabling a Docker authorization plugin is not supported when using ECS. Finally,     docker is not installed on EKS AMIs newer than 1.24. Although Docker is installed in EKS 1.24 and earlier,     EKS does not support authorization plugins.

    Updated docker packages addressing the issue are available for Amazon Linux 2 (docker-20.10.25-1.amzn2.0.5     and docker-25.0.6-1.amzn2.0.1) and for Amazon Linux 2023 (docker-25.0.6-1amzn2023.0.1). AWS recommends     that customers using docker upgrade to these or later versions. (CVE-2024-41110)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of docker installed on the remote host is prior to 25.0.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2024-040 advisory.

    2024-08-27: CVE-2024-29018 was added to this advisory.

    2024-08-27: CVE-2024-24786 was added to this advisory.

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well.

    When containers with networking are created, they are assigned unique network interfaces and IP addresses.
    The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from     container IPs.

    Containers on an internal network may communicate between each other, but are precluded from communicating     with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall     rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus     appropriately configured host services) is possible, and the host may communicate with any container IP     directly.

    In addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver.

    When a DNS request for a name that does not correspond to a container is received, the request is     forwarded to the configured upstream resolver. This request is made from the container's network     namespace: the level of access and routing of traffic is the same as if the request was made by the     container itself.

    As a consequence of this design, containers solely attached to an internal network will be unable to     resolve names using the upstream resolver, as the container itself is unable to communicate with that     nameserver. Only the names of containers also attached to the internal network are able to be resolved.

    Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback     devices, a consequence of the design described above is that containers are unable to resolve names from     the host's configured resolver, as they cannot reach these addresses on the host loopback device. To     bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver     is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the     host namework namespace. The loopback resolver then forwards the requests to its configured upstream     resolvers, as expected.

    Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network     namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to     an external nameserver. By registering a domain for which they control the authoritative nameservers, an     attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that     will eventually be answered by their nameservers.

    Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.

    Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal     networks. As a workaround, run containers intended to be solely attached to internal networks with a     custom upstream address, which will force all upstream DNS queries to be resolved from the container's     network namespace. (CVE-2024-29018)

    AWS is aware of CVE-2024-41110, an issue affecting the Moby open source project, packaged in Amazon Linux     as docker. Docker is a component of several open source container management systems.

    This issue does not affect the default configuration of docker. If an authorization plugin is enabled, a     specially-crafted API request to the docker daemon will be forwarded to the authorization plugin in a way     that could lead to unintended actions, such as privilege escalation. Enabling an authorization plugin is     an atypical configuration. The affected API endpoint is not exposed to the network in either the default,     typical, or recommended configurations. The default EKS and ECS configurations do not expose the API     endpoint to the network. Enabling a Docker authorization plugin is not supported when using ECS. Finally,     docker is not installed on EKS AMIs newer than 1.24. Although Docker is installed in EKS 1.24 and earlier,     EKS does not support authorization plugins.

    Updated docker packages addressing the issue are available for Amazon Linux 2 (docker-20.10.25-1.amzn2.0.5     and docker-25.0.6-1.amzn2.0.1) and for Amazon Linux 2023 (docker-25.0.6-1amzn2023.0.1). AWS recommends     that customers using docker upgrade to these or later versions. (CVE-2024-41110)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of docker installed on the remote host is prior to 25.0.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2024-041 advisory.

    2024-08-27: CVE-2024-29018 was added to this advisory.

    2024-08-27: CVE-2024-24786 was added to this advisory.

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well.

    When containers with networking are created, they are assigned unique network interfaces and IP addresses.
    The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from     container IPs.

    Containers on an internal network may communicate between each other, but are precluded from communicating     with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall     rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus     appropriately configured host services) is possible, and the host may communicate with any container IP     directly.

    In addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver.

    When a DNS request for a name that does not correspond to a container is received, the request is     forwarded to the configured upstream resolver. This request is made from the container's network     namespace: the level of access and routing of traffic is the same as if the request was made by the     container itself.

    As a consequence of this design, containers solely attached to an internal network will be unable to     resolve names using the upstream resolver, as the container itself is unable to communicate with that     nameserver. Only the names of containers also attached to the internal network are able to be resolved.

    Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback     devices, a consequence of the design described above is that containers are unable to resolve names from     the host's configured resolver, as they cannot reach these addresses on the host loopback device. To     bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver     is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the     host namework namespace. The loopback resolver then forwards the requests to its configured upstream     resolvers, as expected.

    Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network     namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to     an external nameserver. By registering a domain for which they control the authoritative nameservers, an     attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that     will eventually be answered by their nameservers.

    Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.

    Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal     networks. As a workaround, run containers intended to be solely attached to internal networks with a     custom upstream address, which will force all upstream DNS queries to be resolved from the container's     network namespace. (CVE-2024-29018)

    AWS is aware of CVE-2024-41110, an issue affecting the Moby open source project, packaged in Amazon Linux     as docker. Docker is a component of several open source container management systems.

    This issue does not affect the default configuration of docker. If an authorization plugin is enabled, a     specially-crafted API request to the docker daemon will be forwarded to the authorization plugin in a way     that could lead to unintended actions, such as privilege escalation. Enabling an authorization plugin is     an atypical configuration. The affected API endpoint is not exposed to the network in either the default,     typical, or recommended configurations. The default EKS and ECS configurations do not expose the API     endpoint to the network. Enabling a Docker authorization plugin is not supported when using ECS. Finally,     docker is not installed on EKS AMIs newer than 1.24. Although Docker is installed in EKS 1.24 and earlier,     EKS does not support authorization plugins.

    Updated docker packages addressing the issue are available for Amazon Linux 2 (docker-20.10.25-1.amzn2.0.5     and docker-25.0.6-1.amzn2.0.1) and for Amazon Linux 2023 (docker-25.0.6-1amzn2023.0.1). AWS recommends     that customers using docker upgrade to these or later versions. (CVE-2024-41110)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker,     Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component     (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is     compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a     simple, built-in container orchestrator that is implemented through a combination of SwarmKit and     supporting network code. The overlay network driver is a core feature of Swarm Mode, providing isolated     virtual LANs that allow communication between containers and services across the cluster. This driver is     an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag     the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the     overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful     when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by     encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in     Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional     properties of source authentication through cryptographic proof, data integrity through check-summing, and     confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby     installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These     rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a     VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without     interfering with other overlay networks or other users of VXLAN. Two iptables rules serve to filter     incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted     datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been     previously set by the system administrator. Administrator-set rules take precedence over the rules Moby     sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should     have been discarded. The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A     sophisticated attacker may be able to establish a UDP or TCP connection by way of the containers     outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations     beyond simple injection by smuggling packets into the overlay network. Patches are available in Moby     releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently,     users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by     default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet     injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm     cluster.(CVE-2023-28840)

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker,     Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component     (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is     compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a     simple, built-in container orchestrator that is implemented through a combination of SwarmKit and     supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated     virtual LANs that allow communication between containers and services across the cluster. This driver is     an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag     the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating     overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted     mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.
    Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec     Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted     overlay networks gain the additional properties of source authentication through cryptographic proof, data     integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an     encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both     incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32`     kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced     on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An     iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay     network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit     unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as     expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for     an attacker sitting in a trusted position on the network to read all of the application traffic that is     moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because     many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may     use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is     no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container     Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some     workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the     Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet,     and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm     cluster.(CVE-2023-28841)

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker,     Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component     (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is     compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a     simple, built-in container orchestrator that is implemented through a combination of SwarmKit and     supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated     virtual LANs that allow communication between containers and services across the cluster. This driver is     an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag     the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating     overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted     mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.
    Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec     Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted     overlay networks gain the additional properties of source authentication through cryptographic proof, data     integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an     encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both     incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32`     kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced     on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. The     `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each     node as containers are attached and detached. Routes and encryption parameters are only defined for     destination nodes that participate in the network. The iptables rules that prevent encrypted overlay     networks from accepting unencrypted packets are not created until a peer is available with which to     communicate. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the     VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into     the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be     quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration. Patches are available     in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered     differently, users of that platform should update to 20.10.16. Some workarounds are available. In multi-     node clusters, deploy a global pause container for each encrypted overlay network, on every node.
    For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same     connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented     using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode     (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay     networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by     IPSec.(CVE-2023-28842)

    Moby is an open-source project created by Docker to enable software containerization. The classic builder     cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some     instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with     the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially     crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are     only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are     using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API     endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the     uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. Moby's networking implementation allows for many     networks, each with their own IP address range and gateway, to be defined. This feature is frequently     referred to as custom networks, as each network can have a different driver, set of parameters and thus     behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_.
    The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and     other API clients may specify the `internal` parameter as well. When containers with networking are     created, they are assigned unique network interfaces and IP addresses. The host serves as a router for     non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an     internal network may communicate between each other, but are precluded from communicating with any     networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set     up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately     configured host services) is possible, and the host may communicate with any container IP directly. In     addition to configuring the Linux kernel's various networking features to enable container networking,     `dockerd` directly provides some services to container networks. Principal among these is serving as a     resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS     request for a name that does not correspond to a container is received, the request is forwarded to the     configured upstream resolver. This request is made from the container's network namespace: the level of     access and routing of traffic is the same as if the request was made by the container itself. As a     consequence of this design, containers solely attached to an internal network will be unable to resolve     names using the upstream resolver, as the container itself is unable to communicate with that nameserver.
    Only the names of containers also attached to the internal network are able to be resolved. Many systems     run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a     consequence of the design described above is that containers are unable to resolve names from the host's     configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap,     and to allow containers to properly resolve names even when a local forwarding resolver is used on a     loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework     namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as     expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container     network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS     requests to an external nameserver. By registering a domain for which they control the authoritative     nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in     DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as     Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and     23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run     containers intended to be solely attached to internal networks with a custom upstream address, which will     force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
207259	CBL Mariner 2.0 Security Update: moby-engine (CVE-2024-29018)	Nessus	MarinerOS Local Security Checks	medium
206935	EulerOS 2.0 SP12 : glibc (EulerOS-SA-2024-2343)	Nessus	Huawei Local Security Checks	medium
206635	Amazon Linux 2 : docker (ALASECS-2024-042)	Nessus	Amazon Linux Local Security Checks	critical
205973	EulerOS 2.0 SP12 : docker-engine (EulerOS-SA-2024-2209)	Nessus	Huawei Local Security Checks	medium
205897	EulerOS 2.0 SP12 : docker-engine (EulerOS-SA-2024-2233)	Nessus	Huawei Local Security Checks	medium
204957	Amazon Linux 2023 : docker (ALAS2023-2024-674)	Nessus	Amazon Linux Local Security Checks	critical
204943	Amazon Linux 2 : docker (ALASDOCKER-2024-040)	Nessus	Amazon Linux Local Security Checks	critical
204929	Amazon Linux 2 : docker (ALASNITRO-ENCLAVES-2024-041)	Nessus	Amazon Linux Local Security Checks	critical
202530	EulerOS 2.0 SP9 : docker-engine (EulerOS-SA-2024-1955)	Nessus	Huawei Local Security Checks	high
202502	EulerOS 2.0 SP9 : docker-engine (EulerOS-SA-2024-1928)	Nessus	Huawei Local Security Checks	high
202439	EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2024-1903)	Nessus	Huawei Local Security Checks	medium
202406	EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2024-1879)	Nessus	Huawei Local Security Checks	medium

Detections

Analytics

CVE-2024-29018

medium

Tenable Plugins

medium

medium

critical

medium

medium

critical

critical

critical

high

high

medium

medium