How the CVE Works
The vulnerability occurs when Incus generates nftables rules for bridge-connected devices: the generated rules let traffic bypass MAC/IP filtering. Because the rules incorrectly prioritize access to local services (DHCP/DNS) over the security filters, malicious traffic to those services passes unfiltered. Attackers can spoof MAC addresses to send unlimited DHCP requests, exhausting the pool and causing a DoS. DNS queries also bypass the restrictions, enabling further exploitation.
DailyCVE Form
Platform: Incus
Version: v6.12-v6.13
Vulnerability: ACL Bypass
Severity: Critical
Date: 2024-XX-XX
Prediction: Patch by Q3 2024
What Undercode Say
iifname "br0" ether type ip ip saddr 0.0.0.0 udp dport 67 accept
iifname "br0" ether type ip6 ip6 saddr fe80::/10 udp dport 547 accept
for i in {0..99}; do ip link set address 10:66:6a:42:$i:00 dev eth0; dhclient -4; done
How Exploit
1. Spoof MAC/IPv6 addresses.
2. Flood DHCP requests.
3. Exhaust IP pool.
4. Bypass DNS restrictions.
Protection from this CVE
1. Disable affected ACLs.
2. Manual nftables rules.
3. Await patch.
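When writing manual nftables rules, the ordering problem described above can be checked mechanically. The following is an added example, not code from Incus or from the original page: it audits the ordered rule lines of one chain and flags DHCP/DNS accept rules that are reachable before any source-MAC filter. The function name, the sample chains and the MAC address are constructed for illustration, and the string matching assumes rule text in the style shown on this page.

```python
import re

# Ports of the local services named on the page: DNS (53), DHCPv4 (67), DHCPv6 (547).
SERVICE_PORTS = {"53", "67", "547"}

def audit_chain(rules):
    """Return (rule_number, rule) for service accepts an unfiltered MAC can reach.

    `rules` is the ordered list of rule lines from one nftables chain.
    A rule is flagged when it accepts DHCP/DNS traffic, has no `ether saddr`
    match of its own, and no earlier rule drops frames whose source MAC
    differs from the allowed one on the same input interface.
    """
    findings = []
    mac_filtered = set()  # interfaces already covered by `ether saddr != X ... drop`
    for number, rule in enumerate(rules, 1):
        match = re.search(r'iifname "([^"]+)"', rule)
        iface = match.group(1) if match else "*"  # "*" = rule applies to any interface
        if re.search(r"ether saddr != \S+ .*\bdrop\b", rule):
            mac_filtered.add(iface)
            continue
        dport = re.search(r"\b(?:udp|tcp) dport (\{[^}]*\}|\S+)", rule)
        if not dport or not rule.rstrip().endswith("accept"):
            continue
        ports = set(re.findall(r"\d+", dport.group(1)))
        covered = iface in mac_filtered or "*" in mac_filtered
        if ports & SERVICE_PORTS and "ether saddr" not in rule and not covered:
            findings.append((number, rule.strip()))
    return findings

# Constructed chains: the two accept rules are the ones quoted on this page,
# the drop rule and its MAC address are illustrative.
WEAK = [
    'iifname "br0" ether type ip ip saddr 0.0.0.0 udp dport 67 accept',
    'iifname "br0" ether type ip6 ip6 saddr fe80::/10 udp dport 547 accept',
    'iifname "br0" ether saddr != 10:66:6a:42:00:01 drop',
]
# Same rules with the MAC filter evaluated first.
ORDERED = [WEAK[2], WEAK[0], WEAK[1]]

if __name__ == "__main__":
    for label, chain in (("weak", WEAK), ("ordered", ORDERED)):
        print(label, audit_chain(chain))
```

Feed it the rule lines of a single chain taken from `nft list ruleset`; an empty result means every DHCP/DNS accept in that chain sits behind a source-MAC check.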
Impact
- DHCP exhaustion.
- DNS spoofing.
- Network DoS.
Sources:
Reported By: github.com