===================================================================== CERT-Renater Note d'Information No. 2023/VULN352 _____________________________________________________________________ DATE : 27/09/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Cilium versions prior to 1.14.2, 1.13.7, 1.12.14. ===================================================================== https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp _____________________________________________________________________ Bypass of namespace restrictions in CiliumNetworkPolicy Moderate ferozsalam published GHSA-4xp2-w642-7mcx Package Cilium Affected versions <=1.14.1 <=1.13.6 <=1.12.13 Patched versions 1.14.2 1.13.7 1.12.14 Description Impact An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted endpointSelector that uses the DoesNotExist operator on the reserved:init label, the attacker can create policies that bypass namespace restrictions and affect the entire Cilium cluster. This includes potentially allowing or denying all traffic. This attack requires API server access, as described in the Kubernetes API Server Attacker section of the Cilium Threat Model. Patches This issue was patched in #28007 This issue affects: Cilium <= v1.14.1 Cilium <= v1.13.6 Cilium <= v1.12.13 This issue has been resolved in: Cilium v1.14.2 Cilium v1.13.7 Cilium v1.12.14 Workarounds An admission webhook can be used to prevent the use of endpointSelectors that use the DoesNotExist operator on the reserved:init label in CiliumNetworkPolicies. Acknowledgements The Cilium community has worked together with members of Palantir and Isovalent to prepare these mitigations. Special thanks to @odinuge for reporting this issue and @joestringer for the fix. For more information If you have any questions or comments about this advisory, please reach out on Slack. If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at security@cilium.io first, before disclosing it in any public forum. This is a private mailing list for Cilium's internal security team, and your report will be treated as top priority. Severity Moderate 6.9/ 10 CVSS base metrics Attack vector Adjacent Attack complexity Low Privileges required High User interaction None Scope Changed Confidentiality Low Integrity None Availability High CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H CVE ID CVE-2023-41333 Weaknesses No CWEs Credits @odinuge odinuge Reporter _____________________________________________________________________ Kubernetes users may update Pod labels to bypass network policy Moderate ferozsalam published GHSA-gj2r-phwg-6rww Package Cilium Affected versions <=1.13.6 <=1.14.1 <=1.12.13 Patched versions 1.13.7 1.14.2 1.12.14 Description Impact An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels to select the policies which apply to the workload in question. This can affect: Cilium network policies that use the namespace, service account or cluster constructs to restrict traffic Cilium clusterwide network policies that use Cilium namespace labels to select the Pod Kubernetes network policies Non-existent construct names can be provided, which bypass all network policies applicable to the construct. For example, providing a pod with a non-existent namespace as the value of the io.kubernetes.pod.namespace label results in none of the namespaced CiliumNetworkPolicies applying to the pod in question. This attack requires the attacker to have Kubernetes API Server access, as described in the Cilium Threat Model. Patches This issue affects: Cilium <= v1.14.1 Cilium <= v1.13.6 Cilium <= v1.12.13 This issue has been resolved in: Cilium v1.14.2 Cilium v1.13.7 Cilium v1.12.14 Workarounds An admission webhook can be used to prevent pod label updates to the k8s:io.kubernetes.pod.namespace and io.cilium.k8s.policy.* keys. Acknowledgements The Cilium community has worked together with members of Palantir and Isovalent to prepare these mitigations. Special thanks to @odinuge for reporting this issue and to @nebril for the fix. For more information If you have any questions or comments about this advisory, please reach out on Slack. If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list – security@cilium.io – first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority. Severity Moderate 5.4/ 10 CVSS base metrics Attack vector Adjacent Attack complexity Low Privileges required Low User interaction None Scope Changed Confidentiality Low Integrity None Availability Low CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L CVE ID CVE-2023-39347 Weaknesses No CWEs Credits @odinuge odinuge Reporter @nebril nebril Remediation developer _____________________________________________________________________ DoS via Kubernetes annotations in specific Cilium configurations Low ferozsalam published GHSA-24m5-r6hv-ccgp Package Cilium Affected versions <=1.14.1 <=1.12.13 <=1.13.6 Patched versions 1.14.2 1.12.14 1.13.7 Description Impact In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with policy.cilium.io/proxy-visibility annotations (in Cilium >= v1.13) io.cilium.proxy-visibility annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to process changes to workloads running on the node. This will also prevent workloads from being able to start on the affected node. The denial of service will be limited to the node on which the workload is scheduled, however an attacker may be able to schedule workloads on the node of their choosing, which could lead to targeted attacks. Patches Pull request with fix This issue affects: Cilium <= v1.14.1 Cilium <= v1.13.6 Cilium <= v1.12.13 This issue has been resolved in: Cilium v1.14.2 Cilium v1.13.7 Cilium v1.12.14 Workarounds Users can avoid this denial of service attack by enabling the Layer 7 proxy. Acknowledgements The Cilium community has worked together with members of Acorn Labs and Isovalent to prepare these mitigations. Special thanks to @g-linville for bringing this issue to the attention of the Cilium Security team and to @sayboras for the fix. For more information If you have any questions or comments about this advisory, please reach out on Slack. As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority. Severity Low 3.5/ 10 CVSS base metrics Attack vector Adjacent Attack complexity Low Privileges required Low User interaction None Scope Unchanged Confidentiality None Integrity None Availability Low CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE ID CVE-2023-41332 Weaknesses No CWEs Credits @g-linville g-linville Reporter @sayboras sayboras Remediation developer ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================