Unencrypted Traffic in Cilium Clusters with WireGuard
CVE-2024-28250

6.1 MEDIUM

Key Information:

Vendor: Cilium

Status
Vendor
CVE Published: 18 March 2024

What is CVE-2024-28250?

Cilium is a networking and security solution with an eBPF-based dataplane. In clusters with WireGuard enabled, traffic that matches Layer 7 policies is affected: WireGuard-eligible traffic between a node's Envoy proxy and pods on other nodes, as well as traffic from a node's DNS proxy to pods on other nodes, is sent unencrypted. The issue is fixed in versions 1.14.8 and 1.15.2 in native routing mode, and in version 1.14.4 in tunneling mode, provided that the configuration option encryption.wireguard.encapsulate is set to true. There is currently no known workaround for this vulnerability.

Affected Version(s)

cilium >= 1.14.0, < 1.14.8

cilium >= 1.15.0, < 1.15.2

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
