CVE-2023-39347
📋 TL;DR
This CVE allows attackers with Kubernetes API access to bypass Cilium network policies by updating pod labels so that they name Kubernetes constructs (such as a namespace) that do not exist, causing Cilium to evaluate the wrong policy for the pod. It affects Cilium users who rely on network policies for security segmentation. The vulnerability enables policy bypass in multi-tenant Kubernetes environments.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Complete network policy bypass allowing lateral movement between namespaces, service account privilege escalation, and cluster-wide policy evasion.
Likely Case
Targeted policy bypass allowing unauthorized access to specific services or resources within the cluster.
If Mitigated
Limited impact with proper RBAC controls restricting pod label updates and admission webhooks in place.
🎯 Exploit Status
Exploitation requires Kubernetes API credentials with pod update permissions. The attack is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cilium 1.14.2, 1.13.7, or 1.12.14
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww
Restart Required: Yes
Instructions:
1. Back up the current Cilium configuration.
2. Upgrade Cilium to the patched version using Helm: 'helm upgrade cilium cilium/cilium --version 1.14.2'.
3. Restart the Cilium pods: 'kubectl rollout restart daemonset/cilium -n kube-system'.
4. Verify that all pods are running: 'kubectl get pods -n kube-system'.
🔧 Temporary Workarounds
Admission Webhook Restriction
Deploy a validating admission webhook that rejects pod updates setting the policy-relevant labels (the 'io.kubernetes.pod.namespace' key and the 'io.cilium.k8s.policy.*' keys) that could be used to bypass policies.
kubectl apply -f admission-webhook.yaml
🧯 If You Can't Patch
- Implement strict RBAC controls to limit pod label update permissions to trusted users only.
- Deploy network policy validation tools to detect policy bypass attempts and alert on suspicious label changes.
🔍 How to Verify
Check if Vulnerable:
Check Cilium version: 'cilium version' or 'kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath="{.items[0].spec.containers[0].image}"'. If version is below 1.14.2, 1.13.7, or 1.12.14, you are vulnerable.
Check Version:
cilium version | grep -o 'v[0-9.]*'
Verify Fix Applied:
After the upgrade, test by creating a pod that carries a forged namespace label and confirming that the intended network policies are still applied to it.
📡 Detection & Monitoring
Log Indicators:
- Kubernetes audit logs showing pod label updates to 'io.kubernetes.pod.namespace' or 'io.cilium.k8s.policy.*' keys
- Cilium logs showing policy evaluation failures or unexpected policy bypasses
Network Indicators:
- Unexpected network connections between namespaces that should be isolated
- Traffic flows that violate documented network policies
SIEM Query:
source="kubernetes-audit" AND verb="update" AND objectRef.resource="pods" AND requestObject.metadata.labels.io.kubernetes.pod.namespace!=""
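The admission-webhook workaround above and this detection query both reduce to the same check: does a pod create/update/patch set one of the label keys named in this advisory? The following is an added example (not code from the Cilium project or from the advisory) implementing that check once and using it from both a v1 AdmissionReview handler and a scanner over JSON-lines API-server audit events; the sample audit events are constructed, and the `io.cilium.k8s.policy.serviceaccount` key used in the test is assumed to be one of the `io.cilium.k8s.policy.*` keys.

```python
import json

# Label keys this advisory names as Cilium policy inputs (exact key and key prefix).
RESERVED_EXACT = {"io.kubernetes.pod.namespace"}
RESERVED_PREFIXES = ("io.cilium.k8s.policy.",)

def reserved_label_keys(labels):
    """Return, sorted, the label keys that Cilium reads as policy/identity inputs."""
    return sorted(k for k in (labels or {})
                  if k in RESERVED_EXACT or k.startswith(RESERVED_PREFIXES))

def _labels_of(obj):
    """Labels of a (possibly absent or partial) pod object carried in a request."""
    return ((obj or {}).get("metadata") or {}).get("labels") or {}

def review_admission(admission_review):
    """Answer a v1 AdmissionReview for a pod: deny when the incoming object sets a
    reserved label that the stored object (if any) did not already carry."""
    req = admission_review["request"]
    new_labels, old_labels = _labels_of(req.get("object")), _labels_of(req.get("oldObject"))
    offending = [k for k in reserved_label_keys(new_labels)
                 if new_labels[k] != old_labels.get(k)]
    response = {"uid": req["uid"], "allowed": not offending}
    if offending:
        response["status"] = {"code": 403, "message":
                              "reserved Cilium policy labels may not be set: " + ", ".join(offending)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def flag_audit_events(lines):
    """Scan JSON-lines audit events; return (user, pod, keys) for each pod update/patch
    whose request body sets a reserved label. A patch body is a partial object, so only
    the label keys present in that body are examined (audit policy must log request bodies)."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") not in ("update", "patch") or \
                (ev.get("objectRef") or {}).get("resource") != "pods":
            continue
        keys = reserved_label_keys(_labels_of(ev.get("requestObject")))
        if keys:
            hits.append((ev.get("user", {}).get("username"), ev["objectRef"].get("name"), keys))
    return hits

# Constructed sample audit events (not real cluster data): one forged-namespace patch, one benign update.
SAMPLE_AUDIT = [
    json.dumps({"verb": "patch", "user": {"username": "dev-bob"},
                "objectRef": {"resource": "pods", "namespace": "tenant-a", "name": "web-0"},
                "requestObject": {"metadata": {"labels": {"io.kubernetes.pod.namespace": "kube-system"}}}}),
    json.dumps({"verb": "update", "user": {"username": "ci-deployer"},
                "objectRef": {"resource": "pods", "namespace": "tenant-a", "name": "api-1"},
                "requestObject": {"metadata": {"labels": {"app": "api", "tier": "backend"}}}}),
]
```

The webhook path blocks the label change before Cilium ever sees it; the audit-scan path catches attempts that reached the API server, which is what the SIEM query above is looking for.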
🔗 References
- https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker
- https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww