PT-2024-22366 · Cilium · Cilium

Giorio94 · Published 2024-03-18 · Updated 2025-01-09 · CVE-2024-28250

CVSS v3.1: 6.1 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cilium versions 1.14.0 through 1.14.7
Cilium versions 1.15.0 through 1.15.1
Cilium version 1.14.4 with encryption.wireguard.encapsulate set to false in tunneling mode

Description

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic sent between a node's Envoy proxy and pods on other nodes is sent unencrypted, and WireGuard-eligible traffic sent between a node's DNS proxy and pods on other nodes is sent unencrypted.

Recommendations

For Cilium versions 1.14.0 through 1.14.7, update to version 1.14.8 or later in native routing mode.
For Cilium versions 1.15.0 through 1.15.1, update to version 1.15.2 or later in native routing mode.
For Cilium version 1.14.4 in tunneling mode, set encryption.wireguard.encapsulate to true to resolve the issue.
There is no known workaround for this issue.

Weakness Enumeration

Cleartext Transmission of Sensitive Information
Missing Encryption of Sensitive Data

Related Identifiers

BIT-CILIUM-2024-28250
BIT-CILIUM-OPERATOR-2024-28250
BIT-CILIUM-PROXY-2024-28250
BIT-HUBBLE-2024-28250
BIT-HUBBLE-RELAY-2024-28250
BIT-HUBBLE-UI-2024-28250
BIT-HUBBLE-UI-BACKEND-2024-28250
CVE-2024-28250
GHSA-V6Q2-4QR3-5CW6
GO-2024-2657

Affected Products

Cilium