PT-2024-25294 · Calico, Calico Enterprise, Calico Cloud
Credit: Anthony Tam and others
Published: 2024-04-29 · Updated: 2024-06-10
CVE-2024-33522
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Calico: versions 3.27.2 and below
Calico Enterprise: versions 3.19.0-1, 3.18.1, 3.17.3 and below
Calico Cloud: versions 19.2.0 and below
Go module github.com/projectcalico/calico/v3: before v3.26.5, and from v3.27.0 before v3.27.3
Description
The Calico CNI install binary shipped with the SUID (Set User ID) bit set. Because the binary it acts on (its input binary) can be controlled by whoever can reach the install binary, an attacker with local access to a Kubernetes node can make it execute an arbitrary binary with the elevated privileges the SUID bit confers, and so escalate privileges on that node. Note that the CVSS v4.0 vector above scores the attack vector as network (AV:N) with high privileges required (PR:H), whereas the exploitation path described here requires local access to the node; weigh the 8.6 score with that in mind.
Recommendations
Upgrade to a release that contains the fix. For open-source Calico that is v3.27.3 or v3.26.5 (the Go module github.com/projectcalico/calico/v3 is fixed from those versions); for Calico Enterprise and Calico Cloud, upgrade to the fixed release the vendor published for your release line. Until the upgrade is done, treat every node where untrusted users have local access as exposed: restrict local access to nodes, and verify that the Calico CNI install binary does not carry the SUID bit (remove the bit if it does), since the bit, not the binary itself, is what turns control of the input binary into privilege escalation. Removing or disabling the install binary is a drastic workaround, because it is what installs the CNI plugin and its configuration on the node; prefer the upgrade.
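As an added check (an example script written for this page, not part of the advisory or of the Calico project), the following POSIX shell audit lists setuid/setgid executables under a directory tree and strips the bits from a file that should never carry them, which is the misconfiguration class behind this CVE. The directory layout and file names in the demo are constructed; on a real node you would point find_setuid at the host's CNI directories (assumption: /opt/cni/bin is where Calico installs its plugins) and at the filesystem of the calico-node/CNI container, then compare what you find against the fixed release.

```shell
#!/bin/sh
# Added example, not Calico's own tooling: audit a tree for setuid/setgid files
# and remove the bits from a binary that should not have them.
# Paths used below are assumptions / constructed for the demo.

# find_setuid DIR  -> prints "octal-mode owner path" for every setuid or setgid
# regular file under DIR, staying on one filesystem (-xdev).
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | sort
}

# count_setuid DIR -> number of setuid/setgid files under DIR (0 when clean).
count_setuid() {
    find_setuid "$1" | wc -l | tr -d ' '
}

# strip_setuid FILE -> clear the setuid and setgid bits; the remediation for a
# binary such as the CNI install binary that must not run with elevated privileges.
strip_setuid() {
    chmod u-s,g-s "$1"
}

# Demo against a constructed directory; no real Calico binaries are touched.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/cni/bin"
    printf '#!/bin/sh\nexit 0\n' > "$d/cni/bin/install"   # stand-in for the install binary
    printf '#!/bin/sh\nexit 0\n' > "$d/cni/bin/calico"    # stand-in for a plugin binary
    chmod 0755 "$d/cni/bin/calico"
    chmod 4755 "$d/cni/bin/install"   # the vulnerable configuration: setuid bit set
    echo "before: $(count_setuid "$d") setuid/setgid file(s)"
    find_setuid "$d"
    strip_setuid "$d/cni/bin/install"
    echo "after:  $(count_setuid "$d") setuid/setgid file(s)"
    rm -rf "$d"
}

demo
```

Run it as root so find can descend into container overlay directories, and run it once per mount point, since -xdev deliberately stops at filesystem boundaries. stat -c is GNU coreutils/BusyBox syntax, which is what a Kubernetes node normally has; macOS stat uses -f instead.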

Weakness Enumeration
Improper Privilege Management (CWE-269)

Related Identifiers
CVE-2024-33522
GHSA-6362-gv4m-53ww
GO-2024-2801

Affected Products

Calico
Calico Cloud
Calico Enterprise
Kubernetes