CVE-2023-28114

`cilium-cli` disables etcd authorization for clustermesh clusters

Severity Score

4.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster.

*Credits: N/A

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-10 CVE Reserved
2023-03-22 CVE Published
2023-03-23 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-280: Improper Handling of Insufficient Permissions or Privileges
CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (4)

URL	Tag	Source
https://artifacthub.io/packages/helm/cilium/cilium	Product
https://github.com/cilium/cilium-cli/releases/tag/v0.13.2	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610	2023-11-07

URL	Date	SRC
https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cilium Search vendor "Cilium"		Cilium-cli Search vendor "Cilium" for product "Cilium-cli"				< 0.13.2 Search vendor "Cilium" for product "Cilium-cli" and version " < 0.13.2"		-		Affected