CVE-2024-28250
Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.
Cilium es una solución de redes, observabilidad y seguridad con un plano de datos basado en eBPF. A partir de la versión 1.14.0 y anteriores a las versiones 1.14.8 y 1.15.2, en los clústeres de Cilium con WireGuard habilitado y el tráfico que coincide con las políticas de Capa 7, el tráfico elegible para Wireguard que se envía entre el proxy Envoy de un nodo y los pods de otros nodos se envía sin cifrar. y el tráfico elegible para Wireguard que se envía entre el proxy DNS de un nodo y los pods de otros nodos se envía sin cifrar. Este problema se resolvió en Cilium 1.14.8 y 1.15.2 en modo de enrutamiento nativo (`routingMode=native`) y en Cilium 1.14.4 en modo de túnel (`routingMode=tunnel`). No es que en modo túnel, `encryption.wireguard.encapsulate` deba establecerse en `true`. No se conoce ningún workaround para este problema.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-07 CVE Reserved
- 2024-03-18 CVE Published
- 2024-08-02 CVE Updated
- 2025-01-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-311: Missing Encryption of Sensitive Data
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/cilium/cilium/releases/tag/v1.13.13 | X_refsource_misc | |
| https://github.com/cilium/cilium/releases/tag/v1.14.8 | X_refsource_misc | |
| https://github.com/cilium/cilium/releases/tag/v1.15.2 | X_refsource_misc | |
| https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cilium Search vendor "Cilium" | Cilium Search vendor "Cilium" for product "Cilium" | >= 1.14.0 < 1.14.8 Search vendor "Cilium" for product "Cilium" and version " >= 1.14.0 < 1.14.8" | en |
Affected
| ||||||
| Cilium Search vendor "Cilium" | Cilium Search vendor "Cilium" for product "Cilium" | >= 1.15.0 < 1.15.2 Search vendor "Cilium" for product "Cilium" and version " >= 1.15.0 < 1.15.2" | en |
Affected
| ||||||