Slack Nebula
cpe:2.3:a:slack:nebula:*:*:*:*:*:*:*
- >= 1.9.4, < 1.9.7
A vulnerability in Slack Nebula versions prior to 1.9.7 allows for IP spoofing within the Nebula network. This issue arises from improper handling of CIDR in certain configurations, which enables nodes to send packets using arbitrary source IP addresses. The vulnerability is present when a node's certificate includes multiple IPs or a subnet, and the outbound firewall is disabled, bypassing normal IP validation.
Exploitation of this vulnerability allows a compromised node to impersonate another node by sending packets with spoofed source IP addresses. This could disrupt network traffic or interfere with services by, for example, sending false TCP reset packets or arbitrary UDP packets to targeted services.
To reproduce this vulnerability, create a Nebula network with a rogue node that has a certificate allowing multiple IP addresses or a subnet. Compile a version of Nebula with the outbound firewall disabled, and deploy this on the rogue node. Once active, the node can send packets using any IP address within the Nebula network, bypassing firewall restrictions that would normally block such spoofed traffic.
Users can update to Slack Nebula version 1.9.7 or later, where this vulnerability has been addressed.
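An added example (not part of the advisory or the Nebula project) for triaging an inventory against the two conditions described above: the listed version range `>= 1.9.4, < 1.9.7`, and a certificate that carries more than one IP or any subnet. The `Node` record, its field names and the sample inventory are constructed; the advisory does not say which node's version matters, so the two conditions are reported separately.

```go
package main

import (
	"fmt"
	"strings"
)

// Node is a constructed inventory record; the field names are assumptions.
type Node struct {
	Name, Version string
	IPs, Subnets  []string // addresses and subnets listed in the node's certificate
}

// parse accepts only plain "X.Y.Z" (optional leading "v"). Pre-release tags and
// other forms return an error so they are reviewed by hand, not guessed at.
func parse(v string) (out [3]int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	_, err = fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2])
	if err == nil && fmt.Sprintf("%d.%d.%d", out[0], out[1], out[2]) != v {
		err = fmt.Errorf("unrecognised version %q", v)
	}
	return out, err
}

// Triage reports whether the node runs a release in the listed range
// (>= 1.9.4, < 1.9.7) and whether its certificate has multiple IPs or a subnet.
func Triage(n Node) (inRange, certWide bool, err error) {
	certWide = len(n.IPs) > 1 || len(n.Subnets) > 0
	v, err := parse(n.Version)
	// Both bounds are 1.9.x releases, so only the patch number needs a range check.
	inRange = err == nil && v[0] == 1 && v[1] == 9 && v[2] >= 4 && v[2] < 7
	return inRange, certWide, err
}

func main() {
	nodes := []Node{ // constructed sample inventory
		{"lighthouse", "1.9.5", []string{"10.42.0.1/24"}, nil},
		{"gateway", "v1.9.6", []string{"10.42.0.9/24"}, []string{"192.168.50.0/24"}},
		{"laptop", "1.9.7", []string{"10.42.0.20/24", "10.42.1.20/24"}, nil},
		{"build", "1.9.6-rc1", []string{"10.42.0.30/24"}, nil},
	}
	for _, n := range nodes {
		inRange, certWide, err := Triage(n)
		fmt.Printf("%-10s inRange=%-5t certWide=%-5t err=%v\n", n.Name, inRange, certWide, err)
	}
}
```

Nodes that return an error need a manual version check before they are counted as fixed.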