ghsa-3wwx-63fv-pfq6
Vulnerability from github
Published
2024-10-21 19:03
Modified
2024-10-21 21:41
Severity ?
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present
Details

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

  • A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
  • This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

``` apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: name: block-scary-range spec: endpointSelector: {} egressDeny: - toCIDRSet: - cidr: 1.0.0.0/8

apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: evade-deny spec: endpointSelector: {} egress: - toCIDR: - 1.1.1.2/32 - toEntities: - all ```

Patches

This issue affects:

  • Cilium v1.14 between v1.14.0 and v1.14.15 inclusive
  • Cilium v1.15 between v1.15.0 and v1.15.9 inclusive

This issue has been patched in:

  • Cilium v1.14.16
  • Cilium v1.15.10

Workarounds

Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required.

No workaround is available to users with egress policies that explicitly specify toEntities: all.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.15.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1038",
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-21T19:03:47Z",
    "nvd_published_at": "2024-10-21T19:15:03Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA policy rule denying a prefix that is broader than /32 may be ignored if there is\n\n- A policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) **and**\n- This narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`\n\nNote that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it must be to entity `all`.\n\nAs an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:\n\n```\napiVersion: cilium.io/v2\nkind: CiliumClusterwideNetworkPolicy\nmetadata:\n  name: block-scary-range\nspec:\n  endpointSelector: {}\n  egressDeny:\n  - toCIDRSet:\n    - cidr: 1.0.0.0/8\n\n---\n\napiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n  name: evade-deny\nspec:\n  endpointSelector: {}\n  egress:\n  - toCIDR:\n    - 1.1.1.2/32\n  - toEntities:\n    - all\n```\n\n### Patches\n\nThis issue affects:\n\n- Cilium v1.14 between v1.14.0 and v1.14.15 inclusive\n- Cilium v1.15 between v1.15.0 and v1.15.9 inclusive\n\nThis issue has been patched in:\n\n- Cilium v1.14.16\n- Cilium v1.15.10\n\n### Workarounds\n\nUsers with policies using `enableDefaultDeny: false` can work around this issue by removing this configuration option and explicitly defining any allow rules required.\n\nNo workaround is available to users with egress policies that explicitly specify `toEntities: all`.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated with top priority.\n",
  "id": "GHSA-3wwx-63fv-pfq6",
  "modified": "2024-10-21T21:41:15Z",
  "published": "2024-10-21T19:03:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cilium/cilium"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cilium\u0027s CIDR deny policies may not take effect when a more narrow CIDR allow is present"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.