CVE-2020-13401 in Docker Engine

Summary

by MITRE

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.


Analysis

by VulDB Data Team • 04/30/2025

CVE-2020-13401 is a security flaw in Docker Engine versions prior to 19.03.11. It affects containerized environments in which processes inside a container are granted the CAP_NET_RAW capability. That capability permits low-level network operations, including sending raw packets; combined with Docker's handling of IPv6 router advertisements, it gives a container process a vector for network-level attacks. The issue stems from insufficient validation and sanitization of IPv6 router advertisement packets that a container process holding this capability can craft and transmit, bypassing the network boundaries the container is supposed to respect.

Exploitation requires a container process with CAP_NET_RAW that sends forged IPv6 router advertisements onto the host network. Such advertisements carry routing information that can alter the routing tables of neighboring devices on the same network segment, letting an attacker redirect traffic through a malicious node. The flaw lies at the network layer: Docker's container networking does not properly validate the source addresses and routing information in these advertisements, so crafted packets are accepted and processed as legitimate network updates. This breaks the least-privilege and network-isolation guarantees that containerization is meant to provide.

The impact goes beyond network disruption: it enables man-in-the-middle attacks, traffic redirection, and information disclosure. An attacker with access to a container that holds CAP_NET_RAW can take control of the routing behavior of devices on the same network segment and potentially intercept communications between hosts and external networks. The vulnerability also allows reconnaissance of network topology, denial of service through routing-table manipulation, and persistent network footholds that support lateral movement within the infrastructure. It amounts to an escalation from container-level to network-level access, violating a fundamental security boundary that containerization is intended to enforce.

Mitigation should start with upgrading Docker Engine to version 19.03.11 or later, which includes proper validation of IPv6 router advertisement packets and enhanced network packet filtering. Organizations should enforce capability management policies that minimize the use of CAP_NET_RAW in containers, particularly for untrusted workloads. Network segmentation and monitoring should be deployed to detect anomalous IPv6 router advertisement traffic that may indicate exploitation attempts. Network access controls and firewall rules that block router advertisements originating from containers add defense in depth. The vulnerability is classified under CWE-250 (improper handling of privileges) and maps to ATT&CK technique T1068, the exploitation of legitimate credentials and capabilities to gain system access; it also relates to T1046 (network service scanning) and T1566 (social engineering through network manipulation).
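As an added example (not VulDB's or Docker's own code): a small Python audit that reads `docker inspect` JSON and lists the containers that still hold CAP_NET_RAW, the precondition for this issue, together with whether the engine version predates 19.03.11. It assumes NET_RAW is in Docker's default capability set and that effective capabilities are (default set minus CapDrop) plus CapAdd; the inspect data embedded below is constructed.

```python
"""Audit `docker inspect` output for containers that keep CAP_NET_RAW (CVE-2020-13401)."""
import json

# Engine version that shipped the fix, per the advisory.
FIXED_VERSION = (19, 3, 11)

def parse_version(version: str) -> tuple:
    """Turn '19.03.10-ce' into (19, 3, 10) so versions compare numerically."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def engine_vulnerable(version: str) -> bool:
    """True when the engine predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

def _norm(cap: str) -> str:
    """Docker accepts 'NET_RAW' and 'CAP_NET_RAW'; compare on the bare name."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def has_net_raw(host_config: dict) -> bool:
    """Effective caps = (default set - CapDrop) + CapAdd; privileged gets everything.
    Assumption: NET_RAW is part of the engine's default capability set."""
    if host_config.get("Privileged"):
        return True
    add = {_norm(c) for c in host_config.get("CapAdd") or []}
    drop = {_norm(c) for c in host_config.get("CapDrop") or []}
    if "NET_RAW" in add:
        return True
    if "ALL" in drop or "NET_RAW" in drop:
        return False
    return True

def audit(inspect_json: str, engine_version: str) -> list:
    """Return one finding per container that can emit raw (e.g. ICMPv6 RA) packets."""
    vulnerable_engine = engine_vulnerable(engine_version)
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        if has_net_raw(hc):
            findings.append({"name": c["Name"].lstrip("/"),
                             "network": hc.get("NetworkMode", "default"),
                             "engine_vulnerable": vulnerable_engine})
    return findings

# Constructed sample of `docker inspect $(docker ps -q)` output, trimmed to the relevant fields.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge", "CapDrop": [], "CapAdd": []}},
    {"Name": "/hardened", "HostConfig": {"NetworkMode": "bridge", "CapDrop": ["NET_RAW"]}},
    {"Name": "/probe", "HostConfig": {"NetworkMode": "host", "CapDrop": ["ALL"], "CapAdd": ["CAP_NET_RAW"]}},
])
```

Feed it the output of `docker inspect $(docker ps -q)` and the version from `docker version --format '{{.Server.Version}}'`; containers it lists can be relaunched with `--cap-drop NET_RAW` unless they genuinely need raw sockets.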

Reservation

05/22/2020

Moderation

accepted

CPE

ready

EPSS

0.02839

KEV

no

Activities

very low
