CVE-2024-47825
📋 TL;DR
Cilium versions 1.14.0 through 1.14.15 and 1.15.0 through 1.15.9 have a policy bypass vulnerability where certain CIDR-based deny rules may be ignored when conflicting with specific allow rules. This affects users who have configured policies with 'enableDefaultDeny: false' or 'toEntities: all' alongside broader prefix deny rules.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized network traffic bypasses security policies, potentially allowing data exfiltration or lateral movement within the cluster.
Likely Case
Accidental policy misconfiguration leads to unintended network access that violates security requirements.
If Mitigated
Proper network segmentation and additional security controls limit the impact of any policy bypass.
🎯 Exploit Status
Exploitation requires knowledge of specific policy configurations and ability to craft network traffic that matches the bypass conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.16, 1.15.10
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6
Restart Required: Yes
Instructions:
1. Back up the current Cilium configuration.
2. Upgrade Cilium to version 1.14.16 or 1.15.10 using your deployment method (Helm, operator, etc.).
3. Restart the Cilium pods to apply the patch.
4. Verify that policy enforcement is working correctly.
🔧 Temporary Workarounds
Remove enableDefaultDeny: false
For policies using enableDefaultDeny: false, remove this configuration and explicitly define all required allow rules.
# Edit CiliumNetworkPolicy YAML files to remove 'enableDefaultDeny: false' and add explicit allow rules
Replace toEntities: all with toEntities: world
For egress policies that specify toEntities: all, change to toEntities: world.
# Edit CiliumNetworkPolicy YAML files to change 'toEntities: all' to 'toEntities: world'
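The two workarounds above applied to one policy, as an added example that is not part of the advisory or the Cilium project: the vulnerable shape (a broad prefix deny beside a narrower allow that sets both flagged options) followed by the corrected shape. The policy names, the app label, the CIDRs and the kube-dns allow rule are constructed for illustration.

```yaml
# Added example; names, labels and CIDRs are constructed, not from the advisory.
---
# BEFORE: broad /8 deny beside a narrower /24 allow that also sets
# 'enableDefaultDeny: false' and 'toEntities: all' (the pattern in the advisory).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: web-egress-before
spec:
  endpointSelector:
    matchLabels:
      app: web
  enableDefaultDeny:
    egress: false            # workaround 1: remove this block
  egressDeny:
  - toCIDR:
    - 10.0.0.0/8
  egress:
  - toCIDR:
    - 10.1.2.0/24
  - toEntities:
    - all                    # workaround 2: change to 'world'
---
# AFTER: default deny left enabled, 'all' replaced by 'world', and every
# destination the workload actually needs listed as an explicit allow rule.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: web-egress-after
spec:
  endpointSelector:
    matchLabels:
      app: web
  egressDeny:
  - toCIDR:
    - 10.0.0.0/8
  egress:
  - toCIDR:
    - 10.1.2.0/24
  - toEntities:
    - world
  - toEndpoints:             # explicit in-cluster allow (DNS), constructed
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
```

After applying the corrected policy, confirm with test traffic that destinations inside 10.0.0.0/8 outside the explicit allow list are dropped, as the verification section describes.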
🧯 If You Can't Patch
- Apply the workarounds described above to modify vulnerable policy configurations.
- Implement additional network security controls like host-based firewalls or network ACLs to compensate for potential policy bypass.
🔍 How to Verify
Check if Vulnerable:
Check Cilium version and review network policies for configurations using 'enableDefaultDeny: false' or 'toEntities: all' alongside broader prefix deny rules.
Check Version:
kubectl exec -n kube-system cilium-xxxx -- cilium version | grep -i cilium
Verify Fix Applied:
After patching, test policy enforcement with traffic that should be denied by broader prefix rules to ensure they are properly enforced.
📡 Detection & Monitoring
Log Indicators:
- Unexpected network connections that should be blocked by CIDR deny policies
- Policy evaluation logs showing incorrect rule precedence
Network Indicators:
- Traffic flows that violate documented network policies
- Connections to/from IP ranges that should be blocked
SIEM Query:
source="cilium" ("policy bypass" OR "rule ignored" OR "unexpected connection")