CVE-2024-28248
📋 TL;DR
CVE-2024-28248 is a security vulnerability in Cilium's HTTP policy enforcement where HTTP traffic that should be blocked according to configured policies is intermittently allowed through. This affects Cilium deployments running versions 1.13.9 through 1.13.12, 1.14.0 through 1.14.7, and 1.15.0 through 1.15.1.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass HTTP security policies to access restricted services, exfiltrate data, or launch attacks against internal systems that should be protected by Cilium's HTTP policies.
Likely Case
Intermittent policy bypass allowing unauthorized HTTP traffic to reach services that should be blocked, potentially leading to data exposure or unauthorized access.
If Mitigated
With proper network segmentation and defense-in-depth controls, the impact would be limited to potential policy bypass within the affected Cilium-managed network segment.
🎯 Exploit Status
The intermittent nature means exploitation success may vary, but no special tools or techniques are required beyond normal HTTP traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.13, 1.14.8, or 1.15.2
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85
Restart Required: Yes
Instructions:
1. Back up the current Cilium configuration.
2. Upgrade Cilium to version 1.13.13, 1.14.8, or 1.15.2 using your deployment method (Helm, kubectl, etc.).
3. Verify that the upgrade completed successfully.
4. Test HTTP policies to ensure they are consistently enforced.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no known workarounds for this issue.
🧯 If You Can't Patch
- Implement additional network controls (firewalls, WAFs) to enforce HTTP policies at different layers
- Increase monitoring and alerting for unexpected HTTP traffic that should be blocked by Cilium policies
🔍 How to Verify
Check if Vulnerable:
Check the Cilium agent image tag (the jsonpath output is space-separated, so the grep pattern stops at a space): kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o 'cilium:[^ ]*'
Check Version:
kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}'
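To turn the image list printed by the command above into a verdict, the following added helper (not part of the advisory or of Cilium) parses each cilium agent image tag and compares it against the affected ranges stated in the TL;DR. The sample kubectl output embedded in it is constructed for illustration.

```python
import re

# Affected patch ranges from the advisory, inclusive: (major, minor) -> (lo, hi)
AFFECTED = {(1, 13): (9, 12), (1, 14): (0, 7), (1, 15): (0, 1)}
# First fixed patch level per minor, also from the advisory
FIXED = {(1, 13): 13, (1, 14): 8, (1, 15): 2}

# Matches the agent image only (".../cilium:v1.15.1", optionally with a digest),
# not sibling images such as cilium-envoy or the operator.
_TAG = re.compile(r"(?:^|/)cilium:v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what the kubectl jsonpath command prints (space-separated)
SAMPLE_OUTPUT = (
    "quay.io/cilium/cilium:v1.15.1@sha256:PLACEHOLDER "
    "quay.io/cilium/cilium:v1.14.8 "
    "quay.io/cilium/cilium-envoy:v1.27.2"
)


def parse_version(image):
    """Return (major, minor, patch) for a cilium agent image ref, or None."""
    m = _TAG.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if the version falls inside one of the affected ranges."""
    major, minor, patch = version
    rng = AFFECTED.get((major, minor))
    return rng is not None and rng[0] <= patch <= rng[1]


def classify_images(jsonpath_output):
    """Map every cilium agent image in the kubectl output to a verdict string."""
    verdicts = {}
    for image in jsonpath_output.split():
        v = parse_version(image)
        if v is None:
            continue  # not the agent image; nothing to assess
        if is_vulnerable(v):
            verdicts[image] = "vulnerable: upgrade to 1.%d.%d" % (v[1], FIXED[(v[0], v[1])])
        else:
            verdicts[image] = "not affected"
    return verdicts


if __name__ == "__main__":
    for image, verdict in classify_images(SAMPLE_OUTPUT).items():
        print(image, "->", verdict)
```

Pipe the real kubectl output into classify_images to check every node's agent at once; a cluster mid-upgrade will show a mix of verdicts.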
Verify Fix Applied:
After patching, test HTTP policies by sending traffic that should be blocked and verifying consistent blocking across multiple attempts.
📡 Detection & Monitoring
Log Indicators:
- Cilium logs showing HTTP traffic being allowed when policies indicate it should be blocked
- Unexpected HTTP traffic in application logs
Network Indicators:
- HTTP traffic reaching services that should be blocked by Cilium policies
- Inconsistent policy enforcement observed in network flows
SIEM Query:
source="cilium" AND "HTTP" AND "allowed" AND "policy"
Extend the query with your environment's own patterns for unexpected HTTP traffic (for example, requests reaching paths or methods that the Cilium HTTP policy should deny).
🔗 References
- https://docs.cilium.io/en/stable/security/policy/language/#http
- https://github.com/cilium/cilium/releases/tag/v1.13.13
- https://github.com/cilium/cilium/releases/tag/v1.14.8
- https://github.com/cilium/cilium/releases/tag/v1.15.2
- https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85