CVE-2023-41378
📋 TL;DR
This vulnerability allows an attacker to cause a denial of service in Calico Typha by initiating a malicious TLS handshake that blocks the server's main loop indefinitely. Affected systems include Calico Typha v3.26.2, v3.25.1 and below, and Calico Enterprise Typha v3.17.1, v3.16.3, v3.15.3 and below.
💻 Affected Systems
- Calico Typha
- Calico Enterprise Typha
📦 What is this software?
Calico Os by Tigera
Calico Os by Tigera
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all Typha connections, disrupting Calico networking and potentially affecting Kubernetes cluster operations.
Likely Case
Service degradation or intermittent outages affecting network policy enforcement and connectivity in Kubernetes clusters.
If Mitigated
Limited impact with proper network segmentation and monitoring, though service disruption is still possible.
🎯 Exploit Status
Exploitation requires network access to Typha's TLS port but no authentication. The attack is simple to execute once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Calico Typha v3.26.3, v3.25.2, v3.24.5; Calico Enterprise Typha v3.17.2, v3.16.4, v3.15.4
Vendor Advisory: https://www.tigera.io/security-bulletins-tta-2023-001/
Restart Required: Yes
Instructions:
1. Update Calico/Calico Enterprise to patched versions. 2. Restart Typha pods. 3. Verify Typha is running with updated version.
🔧 Temporary Workarounds
Network segmentation
linuxRestrict network access to Typha service to trusted sources only.
Use Kubernetes NetworkPolicy to restrict access to Typha pods
Configure firewall rules to limit Typha port access
Load balancing mitigation
linuxDeploy multiple Typha instances behind a load balancer to reduce single point of failure impact.
Scale Typha deployment to multiple replicas
Configure load balancer with health checks
🧯 If You Can't Patch
- Implement strict network policies to limit access to Typha service
- Monitor Typha service health and implement automated restart on failure
🔍 How to Verify
Check if Vulnerable:
Check Typha version: kubectl get pods -n kube-system -l k8s-app=calico-typha -o jsonpath='{.items[*].spec.containers[*].image}'Check Version:
kubectl get pods -n kube-system -l k8s-app=calico-typha -o jsonpath='{.items[*].spec.containers[*].image}' | grep -E 'v3\.(26\.[3-9]|25\.[2-9]|24\.[5-9]|17\.[2-9]|16\.[4-9]|15\.[4-9])'Verify Fix Applied:
Verify Typha pods are running patched version and check for stable connections without handshake blocking.📡 Detection & Monitoring
Log Indicators:
- Typha logs showing TLS handshake timeouts
- Increased connection errors in Typha logs
- Typha process hanging or unresponsive
Network Indicators:
- Unusual TLS handshake patterns to Typha port
- Multiple incomplete TLS connections from single source
SIEM Query:
source="typha" AND ("TLS handshake" OR "handshake timeout" OR "connection blocked")🔗 References
- https://github.com/projectcalico/calico/pull/7908
- https://github.com/projectcalico/calico/pull/7993
- https://www.tigera.io/security-bulletins-tta-2023-001/
- https://github.com/projectcalico/calico/pull/7908
- https://github.com/projectcalico/calico/pull/7993
- https://www.tigera.io/security-bulletins-tta-2023-001/
