CVE-2023-27593

cilium-agent container can access the host via `hostPath` mount

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-04 CVE Reserved
2023-03-17 CVE Published
2024-06-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-276: Incorrect Default Permissions

CAPEC

References (6)

URL	Tag	Source
https://github.com/cilium/cilium/pull/24075	Third Party Advisory
https://github.com/cilium/cilium/releases/tag/v1.11.15	Third Party Advisory
https://github.com/cilium/cilium/releases/tag/v1.12.8	Third Party Advisory
https://github.com/cilium/cilium/releases/tag/v1.13.1	Third Party Advisory
https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx	Third Party Advisory
https://kubernetes.io/docs/reference/access-authn-authz/rbac	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cilium Search vendor "Cilium"		Cilium Search vendor "Cilium" for product "Cilium"				< 1.11.15 Search vendor "Cilium" for product "Cilium" and version " < 1.11.15"		-		Affected
Cilium Search vendor "Cilium"		Cilium Search vendor "Cilium" for product "Cilium"				>= 1.12.0 < 1.12.8 Search vendor "Cilium" for product "Cilium" and version " >= 1.12.0 < 1.12.8"		-		Affected
Cilium Search vendor "Cilium"		Cilium Search vendor "Cilium" for product "Cilium"				>= 1.13.0 < 1.13.1 Search vendor "Cilium" for product "Cilium" and version " >= 1.13.0 < 1.13.1"		-		Affected