CVE-2024-47825: Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present
A policy rule denying a prefix that is broader than /32 may be ignored if there is
- A policy rule referencing a more narrow prefix (
CIDRSetortoFQDN) and - This narrower policy rule specifies either
enableDefaultDeny: falseor- toEntities: all
Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.
As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: block-scary-range
spec:
endpointSelector: {}
egressDeny:
- toCIDRSet:
- cidr: 1.0.0.0/8
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: evade-deny
spec:
endpointSelector: {}
egress:
- toCIDR:
- 1.1.1.2/32
- toEntities:
- all
References
- github.com/advisories/GHSA-3wwx-63fv-pfq6
- github.com/cilium/cilium
- github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45
- github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524
- github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6
- nvd.nist.gov/vuln/detail/CVE-2024-47825
Code Behaviors & Features
Detect and mitigate CVE-2024-47825 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →