CVE-2024-28250

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-28250
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 4.0

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/cilium/cilium/releases/tag/v1.13.13
https://github.com/cilium/cilium/releases/tag/v1.14.8
https://github.com/cilium/cilium/releases/tag/v1.15.2
https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6
Configurations

No configuration.

History

19 Mar 2024, 13:26

Type Values Removed Values Added
Summary
  • (es) Cilium es una solución de redes, observabilidad y seguridad con un plano de datos basado en eBPF. A partir de la versión 1.14.0 y anteriores a las versiones 1.14.8 y 1.15.2, en los clústeres de Cilium con WireGuard habilitado y el tráfico que coincide con las políticas de Capa 7, el tráfico elegible para Wireguard que se envía entre el proxy Envoy de un nodo y los pods de otros nodos se envía sin cifrar. y el tráfico elegible para Wireguard que se envía entre el proxy DNS de un nodo y los pods de otros nodos se envía sin cifrar. Este problema se resolvió en Cilium 1.14.8 y 1.15.2 en modo de enrutamiento nativo (`routingMode=native`) y en Cilium 1.14.4 en modo de túnel (`routingMode=tunnel`). No es que en modo túnel, `encryption.wireguard.encapsulate` deba establecerse en `true`. No se conoce ningún workaround para este problema.

18 Mar 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-18 22:15

Updated : 2024-03-19 13:26

NVD link : CVE-2024-28250

Mitre link : CVE-2024-28250

CVE.ORG link : CVE-2024-28250

JSON object : View

Products Affected

No product.

CWE
CWE-311

Missing Encryption of Sensitive Data