CVE-2020-11091: In Weave Net before version 2.6.3, an attacker able to run a process as root in a container is able to respond to DNS requests from the host and there...

Description

In Weave Net before version 2.6.3, an attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it's pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them. By sending rogue router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. If by chance you also have on the host a vulnerability like last year's RCE in apt (CVE-2019-3462), you can now escalate to the host. Weave Net version 2.6.3 disables the accept_ra option on the veth devices that it creates.

Metrics

CVSS 3.1

5.8/10

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

EPSS Probability

0.86%

53.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-350

Affected Software

Vendor	Product	Versions
Weave	Weave Net	< 2.6.3

References

https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60Patch, Third Party Advisory
https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73Third Party Advisory
https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60Patch, Third Party Advisory
https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73Third Party Advisory

Timeline

Published: Jun 3, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-11091?

In Weave Net before version 2.6.3, an attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service. In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it's pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them. By sending rogue router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. If by chance you also have on the host a vulnerability like last year's RCE in apt (CVE-2019-3462), you can now escalate to the host. Weave Net version 2.6.3 disables the accept_ra option on the veth devices that it creates.

How severe is CVE-2020-11091?

CVE-2020-11091 has a CVSS score of 5.8/10 (MEDIUM severity). The EPSS model estimates a 0.86% probability of exploitation in the next 30 days.

How do I fix CVE-2020-11091?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.