Описание
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
Impact
Host Policies will incorrectly permit traffic from Pods on other nodes when all of the following configurations are enabled:
These options are disabled by default in Cilium.
Patches
This issue was fixed by #42892.
This issue affects:
- Cilium v1.18 between v1.18.0 and v1.18.5 inclusive
This issue is fixed in:
- Cilium v1.18.6
Workarounds
There is currently no officially verified or comprehensive workaround for this issue. The following procedure has been validated strictly within a local 'Kind' environment and has not undergone exhaustive testing across diverse production architectures. Proceed with caution.
To mitigate the identified traffic bypass, ensure all ingress traffic from the cilium_wg0 interface is explicitly routed to cilium_host for policy enforcement. This ensures that host-level security policies are applied to decrypted WireGuard traffic. Execute the following configuration on each CiliumNode:
Acknowledgements
Special thanks to @julianwiedmann for reporting the issue and helping with the resolution.
For more information
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.
Ссылки
Пакеты
github.com/cilium/cilium
>= 1.18.0, < 1.18.5
1.18.6
Связанные уязвимости
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6.
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6.
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6.
Cilium is a networking, observability, and security solution with an e ...