Advisories for Golang/Github.com/Cilium/Cilium package

2024

Gateway API route matching order contradicts specification

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule). If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to …

Cilium leaks sensitive information in cilium-bugtool

The output of cilium-bugtool can contain sensitive data when the tool is run (with the –envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled. Users of the following features are affected: TLS inspection Ingress with TLS termination Gateway API with TLS termination Kafka network policies with API key filtering The sensitive data includes: The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and …

Cilium has insecure IPsec transport encryption

Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker: Chosen plaintext attacks Key recovery attacks Replay attacks These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec …

Unencrypted traffic between nodes when using IPsec and L7 policies

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies: Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress …

Missing Encryption of Sensitive Data

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.

Missing Encryption of Sensitive Data

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.

2023

Specific Cilium configurations vulnerable to DoS via Kubernetes annotations

Impact In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with policy.cilium.io/proxy-visibility annotations (in Cilium >= v1.13) io.cilium.proxy-visibility annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to process changes to workloads running on the …

Kubernetes users may update Pod labels to bypass network policy

Impact An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels to select the policies which apply to the workload in question. This can affect: Cilium network policies that use the namespace, service account or cluster constructs to restrict traffic Cilium clusterwide network policies that use …

Exposure of Sensitive Information to an Unauthorized Actor

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be …

Insertion of Sensitive Information into Log File

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the cilium-secrets namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the …

Incorrect Default Permissions

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to /opt/cni/bin due to a hostPath mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain …

Improper Handling of Exceptional Conditions

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass …

Improper Authorization

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when …

2022

Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels

If a user has Network Policies with namespace selectors selecting labels of namespaces, or (clusterwide) Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights (either directly or indirectly via higher-level APIs such as Deployment, Daemonset etc) to craft additional pod labels such that the pod is selected by another policy that exists rather than the expected policy.

Cilium host policy bypass in endpoint-routes mode with dual-stack

This vulnerability allows bypassing host policies for IPv6 traffic coming from a Cilium-managed pod and destined to the host-network namespace (e.g., to a host-network pod). Host policy enforcement on IPv4 or for traffic coming from outside the node is not affected. Cilium is only affected by this vulnerability if IPv4, IPv6, endpoint routes, and the host firewall are enabled. Note that endpoint routes are typically only enabled in GKE, EKS, …

Incorrect Default Permissions

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system …

Improper Privilege Management

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Prior to versions 1.9.16, 1.10.11, and 1.11.15, if an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can escalate privileges to cluster admin by using Cilium's Kubernetes service account. The problem has been fixed and the patch is available …

2021