CVE-2024-37307
📋 TL;DR
CVE-2024-37307 is a sensitive data exposure vulnerability in Cilium's cilium-bugtool debugging utility. When run with the --envoy-dump flag against deployments with Envoy proxy enabled, the tool can expose CA certificates, private keys, and API keys. This affects users of TLS inspection, Ingress/Gateway API with TLS termination, and Kafka network policies with API key filtering.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains the bugtool output holds the TLS private keys (and CA material) used for TLS inspection or Ingress/Gateway API TLS termination, plus the Kafka API keys from network policies. That allows impersonation of the terminating endpoint or of the inspection CA (man-in-the-middle), decryption of any captured sessions that were negotiated without forward secrecy, and unauthorized access to Kafka clusters.
Likely Case
Accidental exposure of sensitive credentials through debugging output, potentially compromising TLS certificates and API keys if bugtool output is shared.
If Mitigated
Limited impact if cilium-bugtool is only run by trusted administrators and its output is stored with the same controls as the secrets it contains. The sensitive data is still present in the archive, so any copy that has already been shared (for example attached to a support case) has to be treated as a credential leak.
🎯 Exploit Status
Exploitation requires the ability to run cilium-bugtool with appropriate permissions and the --envoy-dump flag; the tool is typically run manually by administrators. The realistic exposure path is therefore not a remote attack but an archive generated for troubleshooting and then shared, for example attached to an issue or a support ticket.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.17, 1.14.12, 1.15.6
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
Restart Required: Yes
Instructions:
1. Identify the Cilium version currently deployed on every node.
2. Upgrade to a patched version (1.13.17, 1.14.12, or 1.15.6, or a later release in the same minor series).
3. Restart Cilium components so that every agent pod runs the patched image.
4. Confirm the upgrade completed on all nodes before generating new bugtool output.
🔧 Temporary Workarounds
No workaround available
The vendor advisory states that there is no workaround for this issue.
🧯 If You Can't Patch
- Restrict the ability to run cilium-bugtool to trusted administrators only, and omit --envoy-dump unless the Envoy configuration is actually needed for the investigation
- Treat any bugtool output produced with --envoy-dump as containing live TLS private keys and API keys: store it with the same controls as the secrets themselves and delete it once the debugging session is over
- If such an archive has already been shared, rotate the affected certificates, private keys and Kafka API keys
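One way to put the second point into practice, as an added example that is not part of cilium-bugtool or the Cilium project: a POSIX shell script that lists the files in a bugtool output directory containing PEM key or certificate material and redacts the private-key bodies in place before the archive is shared. The sample directory, file names and key text it creates are constructed for the example (no real key is embedded), and the file layout is an assumption: the Envoy config dump is JSON, so its PEM blocks are JSON-escaped onto one line, which the redactor handles separately from plain .pem files. Kafka API keys are not PEM-encoded and must still be reviewed by hand.

```sh
#!/bin/sh
# Added example, not part of cilium-bugtool: find PEM key and certificate
# material in a bugtool output directory and redact private-key bodies before
# the archive leaves the team. The directory, file names and key text created
# by make_sample_bugtool_dir are constructed; no real key is embedded.
# Kafka API keys are not PEM-encoded and are not covered here; check the
# Envoy dump for them by hand.

# List every file under $1 containing a PEM private key or certificate block.
find_pem_material() {
  grep -rlE -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' \
            -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Filter stdin to stdout, replacing the body of each PEM private key with
# [REDACTED]. Handles both layouts found in bugtool output: a plain .pem
# file (body on its own lines) and an Envoy config dump, where the whole
# block sits JSON-escaped on one line with literal "\n" sequences.
redact_pem() {
  awk '
    in_key {                              # inside a multi-line key body
      if ($0 ~ /-----END [A-Z ]*PRIVATE KEY-----/) { in_key = 0; print }
      next
    }
    {
      line = $0; out = ""
      while (match(line, /-----BEGIN [A-Z ]*PRIVATE KEY-----/)) {
        out = out substr(line, 1, RSTART + RLENGTH - 1)
        line = substr(line, RSTART + RLENGTH)
        if (match(line, /-----END [A-Z ]*PRIVATE KEY-----/)) {
          # BEGIN and END on one line: drop everything between them
          out = out "[REDACTED]" substr(line, RSTART, RLENGTH)
          line = substr(line, RSTART + RLENGTH)
        } else {
          # plain PEM: body follows on later lines; skip until END
          print out line; print "[REDACTED]"; in_key = 1; next
        }
      }
      print out line
    }'
}

# Redact every file found by find_pem_material, in place.
redact_dir() {
  find_pem_material "$1" | while IFS= read -r f; do
    redact_pem < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Build a constructed stand-in for a bugtool output tree (not real data).
make_sample_bugtool_dir() {
  dir=$(mktemp -d)
  mkdir -p "$dir/envoy"
  printf '%s\n' '{' \
    '  "inline_string": "-----BEGIN PRIVATE KEY-----\nFAKEKEYBODY\n-----END PRIVATE KEY-----\n"' \
    '}' > "$dir/envoy/config_dump.json"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'FAKEKEYBODY' \
    '-----END RSA PRIVATE KEY-----' > "$dir/tls.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FAKECERTBODY' \
    '-----END CERTIFICATE-----' > "$dir/ca.crt"
  printf '%s\n' "$dir"
}

# Demo: list, redact, show the result, clean up.
sample=$(make_sample_bugtool_dir)
echo "files with PEM material:"; find_pem_material "$sample"
redact_dir "$sample"
echo "after redaction:"; cat "$sample/envoy/config_dump.json" "$sample/tls.key"
rm -rf "$sample"
```

Certificates are listed but left intact, since CA and leaf certificates are public material; the point of the listing is to know what the archive contains before deciding whether it may leave the team at all.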
🔍 How to Verify
Check if Vulnerable:
Vulnerable if the deployed Cilium version is within 1.13.0 to 1.13.16, 1.14.0 to 1.14.11, or 1.15.0 to 1.15.5, Envoy proxy is enabled, and one of the affected features is in use (TLS inspection, Ingress/Gateway API with TLS termination, or Kafka network policies with API key filtering). Check every node: during a rolling upgrade, agent pods on different nodes may run different images.
Check Version:
kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
Confirm that every Cilium agent pod reports 1.13.17, 1.14.12, or 1.15.6 (or a later release in the same minor series). cilium-bugtool ships inside the agent image, so output produced on a node that still runs the old image remains affected.
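As an added example (not Cilium's own tooling), a POSIX shell function that classifies an agent image reference against the patched releases listed above. The image references in the demo are constructed; 1.16 and later are reported as patched because the fix landed before 1.16.0 was released, and series older than 1.13 are reported as not-listed since they fall outside the ranges given on this page.

```sh
#!/bin/sh
# Added example, not Cilium's own tooling: decide whether a Cilium agent image
# is in a release affected by CVE-2024-37307 by comparing its tag against the
# first fixed release of each affected minor series (1.13.17, 1.14.12, 1.15.6).
# The image references used in the demo at the bottom are constructed.

# Print MAJOR.MINOR.PATCH for an image reference such as
# quay.io/cilium/cilium:v1.15.5@sha256:... ; fail if no version tag is present.
cilium_version_from_image() {
  ref=${1%%@*}          # drop any @sha256:... digest
  tag=${ref##*:}        # text after the last ':' is the tag
  tag=${tag#v}          # Cilium tags carry a leading 'v'
  case $tag in
    [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$tag" ;;
    *) return 1 ;;
  esac
}

# Print "vulnerable", "patched" or "not-listed" for one image reference.
# 1.16 and later are reported as patched because the fix landed before
# 1.16.0 was released; series older than 1.13 are outside the ranges this
# page lists, so they are reported as not-listed rather than guessed at.
# Pre-release tags (e.g. 1.15.6-rc.1) are treated as the numbered release;
# check those by hand.
cilium_cve_2024_37307_status() {
  ver=$(cilium_version_from_image "$1") || return 1
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
  major=$1; minor=$2; patch=${3%%[!0-9]*}   # strip a -rc style suffix
  if [ "$major" -ne 1 ]; then echo not-listed; return 0; fi
  case $minor in
    13) fixed=17 ;;
    14) fixed=12 ;;
    15) fixed=6 ;;
    *)  if [ "$minor" -gt 15 ]; then echo patched; else echo not-listed; fi
        return 0 ;;
  esac
  if [ "$patch" -lt "$fixed" ]; then echo vulnerable; else echo patched; fi
}

# Demo on constructed image references. In a cluster, feed the image of every
# agent pod (see the usage note) through the same loop.
for img in \
  'quay.io/cilium/cilium:v1.15.5@sha256:0000000000000000000000000000000000000000000000000000000000000000' \
  'quay.io/cilium/cilium:v1.14.12' \
  'quay.io/cilium/cilium:v1.13.16'; do
  printf '%-40s %s\n' "${img%%@*}" "$(cilium_cve_2024_37307_status "$img")"
done
```

To check a cluster, replace the demo list with the images of all agent pods rather than only the first one, for example `kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{range .items[*]}{.spec.containers[0].image}{"\n"}{end}'`, so that a node left behind by a partial rollout is not missed.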
📡 Detection & Monitoring
Log Indicators:
- Execution of cilium-bugtool with --envoy-dump flag
- Unauthorized access to bugtool output files
Network Indicators:
- TLS sessions for Ingress/Gateway endpoints or inspected services terminated by hosts other than the Cilium Envoy proxies (a stolen key yields valid certificates, so do not expect validation failures)
- Kafka API access from clients outside the set allowed by network policy
SIEM Query:
process.name:"cilium-bugtool" AND cmdline:"--envoy-dump"
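An added example, not from Cilium or any SIEM vendor, of the same detection over raw Linux auditd EXECVE records in a POSIX shell pipeline. auditd emits each argv element as a separate aN="..." field, so a process-name match alone does not tell you whether --envoy-dump was passed; the filter reconstructs argv and fires only when the program is cilium-bugtool and the flag is enabled (a literal --envoy-dump=false does not count). The records are constructed; apart from --envoy-dump, the argument values are placeholders.

```sh
#!/bin/sh
# Added example, not a Cilium or vendor artefact: detect cilium-bugtool
# invocations that asked for the Envoy dump, using Linux auditd EXECVE
# records, where each argv element is its own aN="..." field, so the flag can
# appear at any position. The records below are constructed; apart from
# --envoy-dump (from the advisory) the argument values are placeholders.

SAMPLE_AUDIT_LOG='type=EXECVE msg=audit(1718000000.101:201): argc=2 a0="cilium-bugtool" a1="--envoy-dump"
type=EXECVE msg=audit(1718000000.102:202): argc=3 a0="/usr/bin/cilium-bugtool" a1="--archive-prefix=debug" a2="--envoy-dump"
type=EXECVE msg=audit(1718000000.103:203): argc=1 a0="cilium-bugtool"
type=EXECVE msg=audit(1718000000.104:204): argc=2 a0="cilium" a1="status"
type=EXECVE msg=audit(1718000000.105:205): argc=3 a0="cilium-bugtool" a1="--envoy-dump=false" a2="--archive-prefix=debug"
type=SYSCALL msg=audit(1718000000.105:205): arch=c000003e syscall=59 success=yes exit=0'

# Read audit records on stdin; print "<msg field> <reconstructed argv>" for
# each EXECVE whose program is cilium-bugtool and whose argv enables the
# Envoy dump. Arguments that auditd hex-encodes (those containing spaces or
# control characters) carry no quotes and are skipped, so a flag hidden in
# such an argument would not be seen; non-EXECVE records are ignored.
detect_envoy_dump_runs() {
  awk '
    $1 == "type=EXECVE" {
      prog = ""; argv = ""; dump = 0
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^a[0-9]+="/) continue
        v = $i; sub(/^a[0-9]+="/, "", v); sub(/"$/, "", v)
        if (prog == "") { prog = v; sub(/.*\//, "", prog) }   # basename of a0
        if (v == "--envoy-dump" || v == "--envoy-dump=true") dump = 1
        argv = (argv == "") ? v : argv " " v
      }
      if (prog == "cilium-bugtool" && dump) print $2, argv
    }'
}

# Demo on the constructed records (two of the five EXECVE lines match).
printf '%s\n' "$SAMPLE_AUDIT_LOG" | detect_envoy_dump_runs
```

The msg field carries the audit event serial, which is what you join against the matching SYSCALL record (uid, auid, session) to identify who ran the tool; the SIEM query above does the same thing against already-normalised process events.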
🔗 References
- https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
- https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
- https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
- https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
- https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
- https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
- https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j