Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file.

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network     interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or     `macvlan` interface will normally be configured to share an external network link with the host machine.
    Because of this direct access, (1) Containers may be able to communicate with other hosts on the local     network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local     network, containers may get SLAAC-assigned addresses, and (3) the interface  will be a member of IPv6     multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily     increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use     `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the     service configuration of a `compose` file.(CVE-2024-32473)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and     other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network     interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or     `macvlan` interface will normally be configured to share an external network link with the host machine.
    Because of this direct access, (1) Containers may be able to communicate with other hosts on the local     network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local     network, containers may get SLAAC-assigned addresses, and (3) the interface  will be a member of IPv6     multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily     increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use     `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the     service configuration of a `compose` file.(CVE-2024-32473)

    Moby is an open-source project created by Docker for software containerization. A security vulnerability     has been detected in certain versions of Docker Engine, which could allow an attacker to bypass     authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is     low.  Using a specially-crafted API request, an Engine API client could make the daemon forward the     request or response to an authorization plugin without the body. In certain circumstances, the     authorization plugin may allow a request which it would have otherwise denied if the body had been     forwarded to it.  A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins     using a specially crafted API request. This could lead to unauthorized actions, including privilege     escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not     carried forward to later major versions, resulting in a regression. Anyone who depends on authorization     plugins that introspect the request and/or response body to make access control decisions is potentially     impacted.  Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.  docker-     ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master,     19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately,     avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the     principle of least privilege.(CVE-2024-41110)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the Docker Engine installed on the remote host is 26.0.x prior to 26.0.2. It is therefore affected by an unexpected resource exposure vulnerability. In the affected versions of Moby, an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine.
Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
208382	EulerOS 2.0 SP12 : docker-engine (EulerOS-SA-2024-2524)	Nessus	Huawei Local Security Checks	medium
208326	EulerOS 2.0 SP12 : docker-engine (EulerOS-SA-2024-2500)	Nessus	Huawei Local Security Checks	medium
207200	EulerOS 2.0 SP9 : docker-engine (EulerOS-SA-2024-2385)	Nessus	Huawei Local Security Checks	critical
207155	EulerOS 2.0 SP9 : docker-engine (EulerOS-SA-2024-2360)	Nessus	Huawei Local Security Checks	critical
207148	EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2024-2434)	Nessus	Huawei Local Security Checks	critical
207143	EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2024-2411)	Nessus	Huawei Local Security Checks	critical
205254	EulerOS 2.0 SP11 : docker-engine (EulerOS-SA-2024-2097)	Nessus	Huawei Local Security Checks	medium
205251	EulerOS 2.0 SP11 : docker-engine (EulerOS-SA-2024-2080)	Nessus	Huawei Local Security Checks	medium
193911	Docker Engine 26.0.0 < 26.0.2 Unexpected Resource Exposure	Nessus	Misc.	medium

Detections

Analytics

CVE-2024-32473

medium

Tenable Plugins

medium

medium

critical

critical

critical

critical

medium

medium

medium