CVE-2022-29179
📋 TL;DR
This CVE allows an attacker who has already escaped a container running as root onto a node to escalate privileges to Kubernetes cluster admin by abusing the Cilium agent's Kubernetes service account. It affects Cilium installations prior to the patched releases 1.9.16, 1.10.11, and 1.11.5. The vulnerability requires an initial container compromise and escape, but then enables full cluster takeover.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Kubernetes cluster with admin privileges, allowing data exfiltration, resource hijacking, and lateral movement across all workloads.
Likely Case
Privilege escalation from container escape to cluster admin, enabling persistence, credential theft, and deployment of malicious workloads.
If Mitigated
Limited to container escape impact only, preventing cluster-wide escalation if proper RBAC and service account restrictions are in place.
🎯 Exploit Status
Exploitation requires two steps: 1) Container escape from a root container, 2) Abuse of Cilium's service account permissions. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.16, 1.10.11, or 1.11.5
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g
Restart Required: Yes
Instructions:
1. Identify the running Cilium version.
2. Upgrade to 1.9.16, 1.10.11, or 1.11.5, depending on your current minor version.
3. Restart the Cilium pods.
4. Verify that the upgrade completed successfully.
🧯 If You Can't Patch
- Restrict Cilium service account permissions using Kubernetes RBAC to minimum required
- Implement strict container security policies to prevent container escapes (no root containers, read-only filesystems, seccomp profiles)
🔍 How to Verify
Check if Vulnerable:
Check Cilium version: kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}'
Check Version:
kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o 'cilium:[^ ]*'
Verify Fix Applied:
Confirm the version is at least 1.9.16, 1.10.11, or 1.11.5 within its own minor branch using the same command, and verify that all Cilium pods are Running.
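The version check above compares against three different minimums depending on the minor branch, which is easy to get wrong by eye across a large DaemonSet. The following shell functions are an added example (not part of the advisory or the Cilium project) that parse each image reference returned by the kubectl query above and classify it as patched, vulnerable, or unknown; the image references used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: classify Cilium image tags against the fixed releases for
# CVE-2022-29179 (1.9.16, 1.10.11, 1.11.5). Minor branches not listed in the
# advisory are reported as "unknown" rather than guessed.

# Extract "MAJOR.MINOR.PATCH" from an image reference such as
# quay.io/cilium/cilium:v1.10.10 (constructed sample). Digest suffixes and
# pre-release labels after the patch number are ignored.
cilium_tag_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*cilium:v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Print "patched", "vulnerable" or "unknown" for one image reference.
cilium_patch_status() {
    ver=$(cilium_tag_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        1.9)  min=16 ;;   # fixed in 1.9.16
        1.10) min=11 ;;   # fixed in 1.10.11
        1.11) min=5 ;;    # fixed in 1.11.5
        *) echo unknown; return ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# Run the advisory's kubectl query and classify every distinct Cilium image
# in the cluster. Requires kubectl access; not invoked automatically here.
check_cluster() {
    kubectl get pods -n kube-system -l k8s-app=cilium \
        -o jsonpath='{.items[*].spec.containers[*].image}' |
        tr ' ' '\n' | grep 'cilium:' | sort -u |
        while read -r img; do
            printf '%s\t%s\n' "$(cilium_patch_status "$img")" "$img"
        done
}
```

Source the file and call `check_cluster`; any line starting with `vulnerable` identifies a node that still needs the upgrade, and `unknown` lines (for example a `latest` tag or a minor version outside the advisory's range) should be resolved manually rather than assumed safe.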
📡 Detection & Monitoring
Log Indicators:
- Unusual service account token usage by Cilium pods
- Unexpected privilege escalation attempts from containers
- Kubernetes API server logs showing abnormal cluster-admin requests
Network Indicators:
- Unexpected outbound connections from Cilium pods to Kubernetes API
- Anomalous network traffic patterns from compromised containers
SIEM Query:
source="kubernetes" ("cilium" AND ("serviceaccount" OR "privilege" OR "escalation")) OR ("container_escape" AND "root")
🔗 References
- https://github.com/cilium/cilium/releases/tag/v1.10.11
- https://github.com/cilium/cilium/releases/tag/v1.11.5
- https://github.com/cilium/cilium/releases/tag/v1.9.16
- https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g