PT-2024-32836 · Cilium
Christarazi · Published 2024-10-21 · Updated 2024-12-19
CVE-2024-47825
CVSS v3.1: 8.7 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Cilium versions 1.14.0 through 1.14.15
Cilium versions 1.15.0 through 1.15.9
Description
A policy rule denying a prefix broader than /32 may be ignored if another policy rule references a narrower prefix (via CIDRSet or toFQDN) and that narrower rule specifies either enableDefaultDeny: false or toEntities: all. This issue therefore affects policies that use enableDefaultDeny: false or that set toEntities to all. For example, given the policies below, traffic to 1.1.1.2 is allowed when it should be denied:

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all
```

Recommendations
For users with policies using enableDefaultDeny: false, remove this configuration option and explicitly define any allow rules required.
For users with egress policies that explicitly specify toEntities: all, consider using toEntities: world as a temporary workaround until a patch is available.
Update to Cilium v1.14.16 or v1.15.10 to resolve the issue.
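An added audit script (example code, not Cilium's own) that scans already-parsed policy objects for the pattern described above: a broader egressDeny CIDR shadowed by a narrower toCIDR/toCIDRSet/toFQDNs selector in a policy that uses enableDefaultDeny: false or toEntities: all. The two advisory policies are embedded as constructed dicts next to the recommended toEntities: world workaround; treating the nested {egress: false} form of enableDefaultDeny as equivalent to the bare false quoted above is an assumption about the policy schema.

```python
import ipaddress

# Constructed, already-parsed copies of the two policies quoted in the advisory.
BLOCK_SCARY_RANGE = {
    "kind": "CiliumClusterwideNetworkPolicy", "metadata": {"name": "block-scary-range"},
    "spec": {"endpointSelector": {}, "egressDeny": [{"toCIDRSet": [{"cidr": "1.0.0.0/8"}]}]},
}
EVADE_DENY = {
    "kind": "CiliumNetworkPolicy", "metadata": {"name": "evade-deny"},
    "spec": {"endpointSelector": {}, "egress": [{"toCIDR": ["1.1.1.2/32"]}, {"toEntities": ["all"]}]},
}
# The advisory's temporary workaround applied: toEntities: world instead of all.
EVADE_DENY_WORKAROUND = {
    "kind": "CiliumNetworkPolicy", "metadata": {"name": "evade-deny"},
    "spec": {"endpointSelector": {}, "egress": [{"toCIDR": ["1.1.1.2/32"]}, {"toEntities": ["world"]}]},
}

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def broad_deny_prefixes(policies):
    """CIDRs in egressDeny/toCIDRSet rules that are broader than a single host."""
    nets = [_net(e["cidr"]) for p in policies
            for rule in p.get("spec", {}).get("egressDeny", [])
            for e in rule.get("toCIDRSet", [])]
    return [n for n in nets if n.prefixlen < n.max_prefixlen]

def find_bypass_candidates(policies):
    """Return (policy name, risky setting, shadowed deny CIDR) for the advisory's pattern:
    egress default deny disabled (bare `false` as quoted, or the nested `{egress: false}`
    form, an assumed schema detail) or `toEntities: all`, plus a narrower destination
    (toCIDR/toCIDRSet inside a broader deny, or toFQDNs)."""
    findings, denies = [], broad_deny_prefixes(policies)
    for p in policies:
        spec, name = p.get("spec", {}), p.get("metadata", {}).get("name", "<unnamed>")
        egress, edd, risky = spec.get("egress", []), spec.get("enableDefaultDeny"), []
        if edd is False or (isinstance(edd, dict) and edd.get("egress") is False):
            risky.append("enableDefaultDeny: false")
        if any("all" in r.get("toEntities", []) for r in egress):
            risky.append("toEntities: all")
        narrow = [_net(c) for r in egress for c in r.get("toCIDR", [])]
        narrow += [_net(e["cidr"]) for r in egress for e in r.get("toCIDRSet", [])]
        uses_fqdn = any(r.get("toFQDNs") for r in egress)
        for d in denies:
            shadowed = uses_fqdn or any(n.version == d.version and n.subnet_of(d)
                                        and n.prefixlen > d.prefixlen for n in narrow)
            findings.extend((name, why, str(d)) for why in risky if shadowed)
    return findings
```

Run it over every CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy in a cluster (after converting them to dicts) to list the policies to rewrite before or alongside the upgrade.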
Weakness: Incorrect Default Permissions
Affected Products
Cilium
Suse