CVE-2024-28250 Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies

2024-03-1821:42:21

CWE-311

GitHub_M

github.com

cilium

vulnerability

unencrypted traffic

wireguard

l7 policies

ebpf

dataplane

version 1.14.0

version 1.14.8

version 1.15.2

native routing mode

tunneling mode

CVSS3

6.1

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node’s Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node’s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (routingMode=native) and in Cilium 1.14.4 in tunneling mode (routingMode=tunnel). Not that in tunneling mode, encryption.wireguard.encapsulate must be set to true. There is no known workaround for this issue.