CVE-2024-28860
📋 TL;DR
CVE-2024-28860 is a cryptographic vulnerability in Cilium's IPsec transparent encryption that allows a man-in-the-middle attacker to perform chosen-plaintext, key-recovery, and replay attacks when multiple nodes share the same encryption key. This renders the IPsec encryption ineffective, potentially exposing sensitive network traffic. Users of Cilium with IPsec encryption enabled are affected.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of encrypted network traffic between Cilium nodes, allowing attackers to decrypt, modify, or inject packets, potentially leading to data theft, lateral movement, or service disruption.
Likely Case
Partial decryption of network traffic, enabling attackers to intercept sensitive data or perform replay attacks to disrupt services.
If Mitigated
Limited impact if network segmentation and monitoring are in place, but encryption assurance is lost.
🎯 Exploit Status
Requires man-in-the-middle position between Cilium nodes and knowledge of IPsec configuration. No public exploits available as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.13, 1.14.9, or 1.15.3
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586
Restart Required: Yes
Instructions:
1. Identify the Cilium version with the 'cilium version' command.
2. Upgrade to a fixed version using your deployment method (Helm, kubectl, etc.).
3. Restart the Cilium pods to apply the change.
4. Verify that the IPsec tunnels are using unique keys.
🔧 Temporary Workarounds
Disable IPsec Encryption
Platform: Linux
Temporarily disable IPsec transparent encryption until patching is possible.
kubectl edit cm cilium-config -n kube-system
Set 'encryption.enabled' to 'false'
Network Segmentation
Platform: All
Isolate Cilium nodes to limit the potential attack surface.
Implement network policies or firewall rules to restrict traffic between Cilium nodes
🧯 If You Can't Patch
- Implement strict network monitoring for unusual IPsec traffic patterns
- Use additional encryption layers (TLS/SSL) for sensitive application traffic
🔍 How to Verify
Check if Vulnerable:
Check the Cilium version with 'cilium version' and verify whether IPsec encryption is enabled in the configuration.
Check Version:
cilium version | grep -i cilium
Verify Fix Applied:
After the upgrade, verify that the version is at least 1.13.13, 1.14.9, or 1.15.3 within its release line, and check that the IPsec tunnels show unique keys in the logs.
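As an added example (not from the advisory or the Cilium project), a POSIX shell triage helper that classifies a node's Cilium version against the three fixed releases and reads the IPsec flag from the cilium-config ConfigMap; the `enable-ipsec` key name is an assumption, and the ConfigMap text is a constructed sample.

```shell
# Added triage helpers for CVE-2024-28860 (example code, not from the advisory or Cilium).
# Assumes versions look like "1.14.7" or "v1.14.7" and that IPsec state is the
# "enable-ipsec" key of the cilium-config ConfigMap (assumed key name).

# Classify a version against the fixed releases 1.13.13, 1.14.9 and 1.15.3.
# Prints "fixed", "vulnerable" or "unknown" (release lines the advisory does not name).
cilium_cve_2024_28860_version_status() {
    v=${1#v}                                   # tolerate a leading "v"
    base=${v%%-*}                              # strip a pre-release suffix such as "-rc.1"
    suffix=${v#"$base"}                        # non-empty when a suffix was present
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    case "$major.$minor" in
        1.13) fixed=13 ;;
        1.14) fixed=9 ;;
        1.15) fixed=3 ;;
        *)    echo unknown; return 0 ;;
    esac
    case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    # A pre-release of the fixing patch (e.g. 1.15.3-rc.1) is conservatively not "fixed".
    if [ "$patch" -gt "$fixed" ] || { [ "$patch" -eq "$fixed" ] && [ -z "$suffix" ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read the IPsec flag from cilium-config YAML text; a missing key counts as "false".
cilium_ipsec_enabled() {
    val=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*enable-ipsec:[[:space:]]*"\{0,1\}\([a-z]*\)"\{0,1\}.*/\1/p' | head -n 1)
    [ "$val" = "true" ] && echo true || echo false
}

# A node is exposed only when IPsec is enabled AND the version is not fixed.
# Prints "exposed", "not-exposed" or "unknown".
cilium_cve_2024_28860_assess() {
    status=$(cilium_cve_2024_28860_version_status "$1")
    ipsec=$(cilium_ipsec_enabled "$2")
    if [ "$ipsec" = false ] || [ "$status" = fixed ]; then echo not-exposed
    elif [ "$status" = vulnerable ]; then echo exposed
    else echo unknown; fi
}

# Constructed sample ConfigMap fragment (not from a real cluster).
SAMPLE_CM='apiVersion: v1
data:
  enable-ipsec: "true"
kind: ConfigMap'
cilium_cve_2024_28860_assess "v1.14.7" "$SAMPLE_CM"   # exposed
```

In a live cluster, feed it the output of `cilium version` and `kubectl get cm cilium-config -n kube-system -o yaml` instead of the constructed sample.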
📡 Detection & Monitoring
Log Indicators:
- ESP sequence number collisions in Cilium logs
- IPsec tunnel establishment failures
- Unusual encryption/decryption errors
Network Indicators:
- Repeated IPsec packets with same sequence numbers
- Unexpected traffic patterns between Cilium nodes
SIEM Query:
source="cilium" AND ("IPsec" OR "ESP") AND ("collision" OR "sequence" OR "key")
🔗 References
- https://docs.cilium.io/en/stable/security/network/encryption-ipsec
- https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72
- https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149
- https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa
- https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586