CVE-2023-28114

4.8 MEDIUM

📋 TL;DR

CVE-2023-28114 is a vulnerability in cilium-cli versions before 0.13.2 that removes user permission enforcement on etcd stores when configuring cluster mesh functionality. This allows attackers with valid etcd credentials to modify cluster state. Only users who configured cluster meshes using cilium-cli (not Helm charts) are affected.

💻 Affected Systems

Products:
  • cilium-cli
Versions: All versions before 0.13.2
Operating Systems: Linux, Any OS running Kubernetes with Cilium
Default Config Vulnerable: ✅ No
Notes: Only affects users who configured cluster meshes using cilium-cli. Users who used Cilium Helm charts are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with compromised etcd credentials could modify cluster mesh configuration, disrupt inter-cluster communication, or potentially escalate privileges across connected clusters.

🟠 Likely Case

Unauthorized modification of etcd data in compromised cluster meshes, potentially affecting service discovery and network policies between clusters.

🟢 If Mitigated

With proper network segmentation and credential management, impact is limited to the compromised etcd instance without lateral movement to other systems.

🌐 Internet-Facing: LOW - The vulnerability requires access to etcd credentials and affects internal cluster mesh configuration, not directly internet-exposed services.
🏢 Internal Only: MEDIUM - Internal attackers with etcd access could exploit this to disrupt cluster mesh operations, but requires specific cilium-cli configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires: 1) Using vulnerable cilium-cli for cluster mesh setup, 2) Valid etcd key/certificate access, 3) Knowledge of the misconfigured mount point issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.2

Vendor Advisory: https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc

Restart Required: Yes

Instructions:

1. Update cilium-cli to version 0.13.2 or later using your package manager.
2. Reconfigure any cluster meshes created with vulnerable versions.
3. Restart Cilium components to apply the fix.

🔧 Temporary Workarounds

Use Helm Charts Instead

all

Configure cluster meshes using Cilium Helm charts instead of cilium-cli, as Helm-based configurations are not vulnerable.

helm install cilium cilium/cilium --version <version> --namespace kube-system --set clusterMesh.enabled=true

🧯 If You Can't Patch

  • Migrate cluster mesh configurations from cilium-cli to Helm charts immediately
  • Implement strict access controls and monitoring for etcd clusters used in cluster meshes

🔍 How to Verify

Check if Vulnerable:

Check if cluster meshes were configured using cilium-cli version <0.13.2 and verify etcd permission settings in affected clusters.

Check Version:

cilium version --client

Verify Fix Applied:

Confirm cilium-cli version is 0.13.2+ and verify etcd user permissions are properly enforced in cluster mesh configurations.
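The version gate described in the two checks above, written out as an added example (not code from the advisory or from the Cilium project). It assumes that `cilium version --client` prints a line beginning with `cilium-cli:` followed by a `vX.Y.Z` tag; the sample outputs are constructed, not captured from a real host.

```python
"""Version gate for CVE-2023-28114 (added example, not the advisory's own code).

Assumption: `cilium version --client` prints a line starting with "cilium-cli:"
followed by a "vX.Y.Z" tag. The parser only trusts that line, so a server-side
version string (printed when --client is omitted) is never mistaken for the CLI.
"""
import re
import subprocess

FIXED_VERSION = (0, 13, 2)  # first cilium-cli release carrying the fix

_TAG_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_cli_version(output: str) -> tuple:
    """Return (major, minor, patch) from `cilium version --client` output."""
    for line in output.splitlines():
        if line.strip().lower().startswith("cilium-cli"):
            m = _TAG_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("could not find a cilium-cli version tag in output")


def is_cli_vulnerable(version: tuple) -> bool:
    """True when the parsed CLI version predates the 0.13.2 fix."""
    return tuple(version[:3]) < FIXED_VERSION


def check_installed_cli() -> bool:
    """Run the real CLI (must be on PATH) and report whether it is vulnerable."""
    out = subprocess.run(["cilium", "version", "--client"],
                         capture_output=True, text=True, check=True).stdout
    return is_cli_vulnerable(parse_cli_version(out))


# Constructed sample outputs, not captured from a real system.
SAMPLE_OUTPUT_OLD = "cilium-cli: v0.13.1 compiled with go1.20.1 on linux/amd64\n"
SAMPLE_OUTPUT_NEW = "cilium-cli: v0.14.0 compiled with go1.20.3 on linux/amd64\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT_OLD, SAMPLE_OUTPUT_NEW):
        v = parse_cli_version(sample)
        state = "vulnerable" if is_cli_vulnerable(v) else "fixed"
        print(".".join(map(str, v)), state)
```

A current binary only proves that new meshes will be configured correctly; a mesh enabled with an older release keeps whatever etcd users and roles that release created until it is reconfigured, which is why the fix instructions include that step. To inspect the existing state, the standard etcdctl v3 commands `etcdctl user get <name>` and `etcdctl role get <role>` list the roles bound to a user and the key ranges and permissions granted to a role.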

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized etcd access attempts
  • Unexpected modifications to cluster mesh configuration in etcd

Network Indicators:

  • Unusual etcd traffic patterns from unauthorized sources

SIEM Query:

source="etcd" AND (event_type="auth_failure" OR operation="PUT" OR operation="DELETE") AND resource="cluster-mesh"
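The log and network indicators above, turned into a small detector as an added example (not the advisory's query and not Cilium code). It consumes constructed key=value event lines of a shape no real etcd build emits verbatim, so `parse_event` is the part to adapt to whatever your audit or proxy layer produces; it also assumes that cluster mesh state lives under a `cilium/` key prefix and that only an allowlisted local agent identity should ever write there.

```python
"""Detector for the indicators above (added example, not the advisory's query).

Assumptions: event lines are 'k=v' tokens (constructed format); cluster mesh
state sits under the CLUSTERMESH_PREFIX key prefix; writers not in the allowlist
are suspicious because remote-cluster credentials should not modify mesh state.
"""
import shlex
from collections import Counter
from typing import Optional

CLUSTERMESH_PREFIX = "cilium/"   # assumed key prefix for cluster mesh state
WRITE_OPS = {"PUT", "DELETE"}


def parse_event(line: str) -> dict:
    """Parse one 'k=v k2="v with spaces"' line into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def classify(event: dict, allowed_writers: set) -> Optional[str]:
    """Return an alert label for a suspicious event, or None when benign."""
    if event.get("event_type") == "auth_failure":
        return "auth_failure"
    op = event.get("operation", "")
    key = event.get("key", "")
    if op in WRITE_OPS and key.startswith(CLUSTERMESH_PREFIX):
        if event.get("user") not in allowed_writers:
            return "unexpected_clustermesh_write"
    return None


def scan(lines, allowed_writers: set) -> list:
    """Run classify() over every line; return (label, user, key, src) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev, allowed_writers)
        if label:
            alerts.append((label, ev.get("user"), ev.get("key"), ev.get("src")))
    return alerts


def summarize(alerts) -> Counter:
    """Count alerts per (label, user, src) so a noisy source stands out."""
    return Counter((a[0], a[1], a[3]) for a in alerts)


# Constructed sample events; users, keys and addresses are invented.
SAMPLE_LOG = [
    'ts=2023-03-20T10:00:01Z event_type=auth_failure user=remote-cluster-2 src=10.0.2.15 operation=AUTH key=-',
    'ts=2023-03-20T10:00:02Z event_type=request user=remote-cluster-1 src=10.0.1.10 operation=GET key=cilium/state/nodes/v1/cluster1/node-a',
    'ts=2023-03-20T10:00:03Z event_type=request user=remote-cluster-2 src=10.0.2.15 operation=PUT key=cilium/state/nodes/v1/cluster1/node-a',
    'ts=2023-03-20T10:00:04Z event_type=request user=cilium-agent-cluster1 src=10.0.1.10 operation=PUT key=cilium/state/nodes/v1/cluster1/node-a',
    'ts=2023-03-20T10:00:05Z event_type=request user=remote-cluster-2 src=10.0.2.15 operation=DELETE key=cilium/state/identities/v1/id/1234',
    'ts=2023-03-20T10:00:06Z event_type=request user=app src=10.0.3.7 operation=PUT key=app/config',
]

ALLOWED_WRITERS = {"cilium-agent-cluster1"}

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, ALLOWED_WRITERS):
        print(*alert)
    print(summarize(scan(SAMPLE_LOG, ALLOWED_WRITERS)))
```

Reads by remote clusters and writes under unrelated key prefixes are left alone; only authentication failures and mesh-state writes from an identity outside the allowlist are raised, which is the condition the permission bug makes possible in the first place.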
