Moby Firewalld Reload Vulnerability Allows Remote Access to Published Container Ports

Vulnerability

A vulnerability in the Moby container framework (the upstream project of Docker Engine), affecting versions 28.2.0 through 28.3.2, allows remote access to published container ports after the firewalld service is reloaded. A firewalld reload flushes all iptables rules, including the rules Docker installs to block external access to container addresses. Docker is designed to recreate its rules after such a reload, but versions prior to 28.3.3 fail to restore the specific rules that keep ports published to localhost (for example '-p 127.0.0.1:8080:80') from being reached directly on the container's bridge address. Until those rules are regenerated, such a port can be reached by any remote machine that has a route to the Docker bridge network, even though it was published for local access only. Only explicitly published ports are affected; unpublished ports remain protected.

Impact

Once firewalld has flushed Docker's iptables rules, remote hosts that can route to the Docker bridge network can reach published ports on the container addresses inside that network, bypassing the localhost-only restriction the operator intended. Any service listening on such a port is exposed to those hosts until the rules are regenerated.

Reproduction

To reproduce this vulnerability, run Docker on a Linux host with firewalld active and start a container with a port published to localhost, for example '-p 127.0.0.1:8080:80'. Note the container's address on the Docker bridge network and confirm that the published port is not reachable on that address from a remote host with a route to the bridge. Then reload firewalld with 'firewall-cmd --reload', 'killall -HUP firewalld', or 'systemctl reload firewalld'. The reload flushes the iptables rules Docker created to block external access to the container, and an affected daemon does not restore them when it regenerates its other rules. Verify that the container port is now reachable on the container's bridge address from the remote host; comparing the output of 'iptables-save' before and after the reload shows which Docker rules are missing.
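The following script is an added example of the reproduction and verification procedure above; it is not code from the Moby project or from the advisory. It assumes a container named fw-repro running the nginx:alpine image with container port 80 published to 127.0.0.1:8080, and a remote host reachable over ssh (REPRO_REMOTE) that has a route to the Docker bridge. The advisory does not spell out the exact text of the blocking rules, so the check simply counts DOCKER-chain rules for the container's address and port with a given target (DROP is the one that should survive a reload) and compares the count before and after; the exact rule shape varies by Docker version.

```shell
#!/bin/sh
# Added example (not from Moby): reproduce the firewalld-reload issue and check
# whether Docker's per-container blocking rules survive the reload.
# Assumptions: container "fw-repro", image nginx:alpine, port 80 published to
# 127.0.0.1:8080, REPRO_REMOTE=user@host is a machine routed to the bridge.
set -u

# Escape dots so the container address is matched literally, not as regex wildcards.
escape_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# iptables-save text on stdin. Return 0 if the DOCKER chain has a rule for
# container address $1, container port $2 and jump target $3 (e.g. DROP).
docker_rule_present() {
  ip_re=$(escape_re "$1")
  grep -Eq -- "^-A DOCKER .*-d ${ip_re}(/32)? .*--dport ${2} .*-j ${3}( |$)"
}

# Same match, but print how many such rules exist (0 when none).
docker_rule_count() {
  ip_re=$(escape_re "$1")
  grep -Ec -- "^-A DOCKER .*-d ${ip_re}(/32)? .*--dport ${2} .*-j ${3}( |$)" || true
}

# Live procedure: needs root, dockerd, firewalld and ssh access to the remote host.
reproduce() {
  remote=$1
  docker run -d --rm --name fw-repro -p 127.0.0.1:8080:80 nginx:alpine >/dev/null
  cip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' fw-repro)
  echo "container address: $cip"
  echo "before reload: DROP rules for $cip:80 = $(iptables-save | docker_rule_count "$cip" 80 DROP)"

  firewall-cmd --reload >/dev/null
  sleep 2   # give dockerd a moment to regenerate its rules after the reload
  echo "after reload:  DROP rules for $cip:80 = $(iptables-save | docker_rule_count "$cip" 80 DROP)"

  # Probe the container address directly from the remote host. On a fixed daemon
  # this times out; on an affected daemon it succeeds after the reload.
  if ssh "$remote" "curl -sS -m 3 -o /dev/null http://$cip:80/"; then
    echo "VULNERABLE: $cip:80 reachable from $remote after firewalld reload"
  else
    echo "not reachable from $remote"
  fi
  docker stop fw-repro >/dev/null
}

# Only run the live procedure when explicitly requested:
#   REPRO_REMOTE=user@host sh repro.sh
if [ -n "${REPRO_REMOTE:-}" ]; then
  reproduce "$REPRO_REMOTE"
fi
```

The rule check reads iptables-save output from stdin, so it can also be run against saved dumps taken before and after a reload on a production host; a drop in the DROP-rule count for a container that publishes a port to localhost is the signal that the daemon did not restore its blocking rules.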

Remediation

Upgrade to Moby version 28.3.3 or later, where the daemon restores the blocking rules after a firewalld reload. Until then, the rules can be regenerated manually after every firewalld reload by restarting the Docker daemon ('systemctl restart docker') or by recreating the affected bridge networks; alternatively, rootless mode is not affected by this issue.

Added: Jul 30, 2025, 2:26 PM
Updated: Jul 30, 2025, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 5.7
remediation: 8.3
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.