How the CVE Works
The vulnerability occurs when Incus generates `nftables` rules for devices connected to a bridge. Rules accepting `ct state established,related`, ARP, and IPv6 Neighbor Discovery packets are placed at the top of the bridge input chain, bypassing MAC, IPv4, and IPv6 filtering rules. This allows an attacker to spoof ARP and Neighbor Advertisement packets, redirecting traffic intended for another VM/container to their own machine. The host’s ARP table is poisoned, and the attacker can fully impersonate the victim.
DailyCVE Form
Platform: Incus
Version: v6.12, v6.13
Vulnerability: ACL Bypass
Severity: Critical
Date: 2024-XX-XX
Prediction: Patch by Q3 2024
What Undercode Say
```bash
# Check nftables rules
nft list ruleset

# Monitor ARP changes
ip neigh monitor

# Test ARP spoofing
arping -I eth0 <target_IP>
```
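One way to audit `nft list ruleset` output for the ordering described under "How the CVE Works": the added example below (not Incus code, and not from the original post) flags every MAC/IPv4/IPv6 source-filter `drop` that sits below a broad `accept` in a bridge-family chain. The chain name, interface name, addresses and the simplified rule text are constructed for illustration and are assumptions, not the exact rules Incus generates.

```python
import re

# Accepts the page describes at the top of the chain: conntrack, ARP, IPv6 ND.
BROAD_ACCEPT = re.compile(
    r"(ct state (established,related|related,established)"
    r"|ether type arp"
    r"|icmpv6 type [^;]*nd-neighbor-(solicit|advert)[^;]*)\s+accept$")
# Drops that pin a port to its expected MAC / IPv4 / IPv6 source.
SOURCE_FILTER = re.compile(r"\b(ether|arp|ip|ip6) saddr\b.*\bdrop$")

def find_bypassed_filters(ruleset):
    """Return (chain, accept_rule, drop_rule) for each source filter that sits
    below a broad accept in a bridge-family chain (nft stops at the first verdict)."""
    findings, family, chain, accepts = [], None, None, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if m := re.match(r"table (\S+) \S+ \{", line):
            family = m.group(1)
        elif m := re.match(r"chain (\S+) \{", line):
            chain, accepts = m.group(1), []
        elif line == "}":
            chain = None
        elif family == "bridge" and chain:
            if BROAD_ACCEPT.search(line):
                accepts.append(line)
            elif accepts and SOURCE_FILTER.search(line):
                findings.append((chain, accepts[0], line))
    return findings

# Constructed sample rules (simplified; not copied from a real Incus host).
ACCEPTS = [
    'ct state established,related accept',
    'iifname "veth-vm1" ether type arp accept',
    'iifname "veth-vm1" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept',
]
FILTERS = [
    'iifname "veth-vm1" ether saddr != 00:16:3e:aa:bb:01 drop',
    'iifname "veth-vm1" arp saddr ip != 10.0.0.11 drop',
    'iifname "veth-vm1" ip saddr != 10.0.0.11 drop',
]

def render(rules):
    body = "\n".join("\t\t" + r for r in rules)
    return ("table bridge incus {\n\tchain in.vm1.eth0 {\n"
            "\t\ttype filter hook input priority filter; policy accept;\n"
            f"{body}\n\t}}\n}}\n")

ACCEPTS_FIRST = render(ACCEPTS + FILTERS)  # ordering the page describes
FILTERS_FIRST = render(FILTERS + ACCEPTS)  # source filters evaluated first
```

On a host, pass the text of `nft list ruleset` to `find_bypassed_filters`; an empty list means no source filter was found below a broad accept in any bridge chain.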
Exploit
1. Attacker changes VM IP to victim’s IP.
2. Floods host with ARP replies.
3. Host updates ARP table, redirecting victim’s traffic.
Protection from this CVE
- Disable affected ACLs.
- Manually enforce MAC/IP filtering.
- Apply vendor patch when available.
Impact
- ARP spoofing.
- Full VM impersonation.
- Network traffic hijacking.
Sources:
Reported By: github.com