CVE-2024-42488
Cilium agent's race condition may lead to policy bypass for Host Firewall policy
Severity Score
6.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8 As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-08-02 CVE Reserved
- 2024-08-15 CVE Published
- 2024-08-19 CVE Updated
- 2024-09-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw | X_refsource_confirm | |
| https://github.com/cilium/cilium/pull/33511 | X_refsource_misc | |
| https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8 | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cilium Search vendor "Cilium" | Cilium Search vendor "Cilium" for product "Cilium" | < 1.14.14 Search vendor "Cilium" for product "Cilium" and version " < 1.14.14" | en |
Affected
| ||||||
| Cilium Search vendor "Cilium" | Cilium Search vendor "Cilium" for product "Cilium" | >= 1.15.0 < 1.15.8 Search vendor "Cilium" for product "Cilium" and version " >= 1.15.0 < 1.15.8" | en |
Affected
| ||||||