CVE-2025-23028
📋 TL;DR
A denial of service vulnerability in Cilium allows attackers to crash Cilium agents by sending crafted DNS responses to workloads from outside the cluster. This affects Kubernetes clusters running vulnerable Cilium versions with DNS proxy enabled. The vulnerability disrupts DNS resolution for new connections when DNS-based policies are configured.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of DNS resolution for workloads with DNS-based policies, preventing new connections that rely on DNS, while existing connections may continue. Configuration changes cannot be applied until agents restart.
Likely Case
Partial service disruption where new connections requiring DNS resolution fail, while existing traffic continues. This creates inconsistent application behavior and potential service degradation.
If Mitigated
If DNS proxy is disabled or clusters are not internet-facing, risk is significantly reduced as attackers cannot send crafted DNS responses.
🎯 Exploit Status
Attack requires sending crafted DNS responses from outside the cluster to workloads. No authentication needed if network access exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.14.18, v1.15.12, v1.16.5
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-9m5p-c77c-f9j7
Restart Required: Yes
Instructions:
1. Identify affected Cilium versions.
2. Upgrade to patched versions: v1.14.18, v1.15.12, or v1.16.5.
3. Restart Cilium agents after upgrade.
4. Verify agents are running and DNS functionality is restored.
🔧 Temporary Workarounds
Disable DNS Proxy
Disable Cilium's DNS proxy feature if it is not required; without the proxy, crafted DNS responses are not processed by the agent and the crash cannot be triggered.
kubectl edit configmap cilium-config -n kube-system
Set 'enableDNSProxy: false'
🧯 If You Can't Patch
- Implement network policies to restrict DNS traffic to trusted sources only
- Monitor Cilium agent health and restart crashed agents automatically
🔍 How to Verify
Check if Vulnerable:
Check Cilium version and DNS proxy configuration: kubectl get configmap cilium-config -n kube-system -o yaml | grep -E 'version|enableDNSProxy'
Check Version:
kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o 'cilium:[^ ]*'
Verify Fix Applied:
Verify Cilium version is patched: kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}'
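The version checks above print raw image references and leave the comparison to the reader. As an added example (not part of the advisory or Cilium's tooling), the script below takes that jsonpath output, keeps only the agent image, and compares each tag against the fixed releases listed above; the image list and digests in SAMPLE are constructed.

```shell
#!/bin/sh
# Added example: classify Cilium agent images against the fixed releases
# named in the advisory (v1.14.18, v1.15.12, v1.16.5). Input is the
# space-separated image list printed by the kubectl jsonpath command in
# the "Check Version" step. SAMPLE below is constructed, not real output.

# cilium_status TAG  -> prints vulnerable | patched | unknown
cilium_status() {
  v=${1#v}                                   # "v1.16.4" -> "1.16.4"
  case "$v" in
    *.*.*) ;;
    *) echo unknown; return 0 ;;             # "latest", "1.16": not a full version
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case "$patch" in
    ''|*[!0-9]*) echo unknown; return 0 ;;   # pre-release or odd suffix: do not guess
  esac
  case "$major.$minor" in
    1.14) fixed=18 ;;
    1.15) fixed=12 ;;
    1.16) fixed=5 ;;
    *) echo unknown; return 0 ;;             # branch not covered by the advisory
  esac
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# report_images "IMG IMG ..." -> one "image status" line per agent image
report_images() {
  for img in $1; do
    ref=${img%%@*}                           # drop "@sha256:..." digest
    case "$ref" in
      */cilium:*|cilium:*) ;;                # keep only the agent image
      *) continue ;;                         # skip sidecars such as cilium-envoy
    esac
    echo "$ref $(cilium_status "${ref##*:}")"
  done
}

# Constructed sample: what the jsonpath command might print on a small cluster
SAMPLE='quay.io/cilium/cilium:v1.16.4@sha256:0000 quay.io/cilium/cilium:v1.16.4@sha256:0000 quay.io/cilium/cilium-envoy:v1.30.7@sha256:1111'

report_images "$SAMPLE"
# Against a live cluster, pass the real command output instead:
# report_images "$(kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].spec.containers[*].image}')"
```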
📡 Detection & Monitoring
Log Indicators:
- Cilium agent crashes or restarts
- DNS resolution failures in application logs
- Cilium agent panic logs
Network Indicators:
- Unexpected DNS responses from external sources to cluster workloads
- DNS query timeouts
SIEM Query:
source="cilium" AND ("panic" OR "crash" OR "restart")