CVE-2024-28250

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 4.0

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/cilium/cilium/releases/tag/v1.13.13	Release Notes
https://github.com/cilium/cilium/releases/tag/v1.14.8	Release Notes
https://github.com/cilium/cilium/releases/tag/v1.15.2	Release Notes
https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6	Vendor Advisory
https://github.com/cilium/cilium/releases/tag/v1.13.13	Release Notes
https://github.com/cilium/cilium/releases/tag/v1.14.8	Release Notes
https://github.com/cilium/cilium/releases/tag/v1.15.2	Release Notes
https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::

History

09 Jan 2025, 16:47

Type	Values Removed	Values Added
References	~~() https://github.com/cilium/cilium/releases/tag/v1.13.13 -~~	() https://github.com/cilium/cilium/releases/tag/v1.13.13 - Release Notes
References	~~() https://github.com/cilium/cilium/releases/tag/v1.14.8 -~~	() https://github.com/cilium/cilium/releases/tag/v1.14.8 - Release Notes
References	~~() https://github.com/cilium/cilium/releases/tag/v1.15.2 -~~	() https://github.com/cilium/cilium/releases/tag/v1.15.2 - Release Notes
References	~~() https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 -~~	() https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 - Vendor Advisory
First Time		Cilium Cilium cilium
CWE		CWE-319
CPE		cpe:2.3:a:cilium:cilium::::::::

21 Nov 2024, 09:06

Type	Values Removed	Values Added
References	~~() https://github.com/cilium/cilium/releases/tag/v1.13.13 -~~	() https://github.com/cilium/cilium/releases/tag/v1.13.13 -
References	~~() https://github.com/cilium/cilium/releases/tag/v1.14.8 -~~	() https://github.com/cilium/cilium/releases/tag/v1.14.8 -
References	~~() https://github.com/cilium/cilium/releases/tag/v1.15.2 -~~	() https://github.com/cilium/cilium/releases/tag/v1.15.2 -
References	~~() https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 -~~	() https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 -

19 Mar 2024, 13:26

Type	Values Removed	Values Added
Summary		(es) Cilium es una solución de redes, observabilidad y seguridad con un plano de datos basado en eBPF. A partir de la versión 1.14.0 y anteriores a las versiones 1.14.8 y 1.15.2, en los clústeres de Cilium con WireGuard habilitado y el tráfico que coincide con las políticas de Capa 7, el tráfico elegible para Wireguard que se envía entre el proxy Envoy de un nodo y los pods de otros nodos se envía sin cifrar. y el tráfico elegible para Wireguard que se envía entre el proxy DNS de un nodo y los pods de otros nodos se envía sin cifrar. Este problema se resolvió en Cilium 1.14.8 y 1.15.2 en modo de enrutamiento nativo (`routingMode=native`) y en Cilium 1.14.4 en modo de túnel (`routingMode=tunnel`). No es que en modo túnel, `encryption.wireguard.encapsulate` deba establecerse en `true`. No se conoce ningún workaround para este problema.

18 Mar 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-18 22:15

Updated : 2025-01-09 16:47

NVD link : CVE-2024-28250

Mitre link : CVE-2024-28250

CVE.ORG link : CVE-2024-28250

JSON object : View

Products Affected

cilium

cilium

CWE

CWE-311

Missing Encryption of Sensitive Data

CWE-319

Cleartext Transmission of Sensitive Information

6.1 /10