Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-27593 #1647

Closed
GoVulnBot opened this issue Mar 17, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-27593 #1647

GoVulnBot opened this issue Mar 17, 2023 · 1 comment
Assignees
@neild
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-27593 references github.com/cilium/cilium, which may be a Go module.

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to /opt/cni/bin due to a hostPath mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts exec access to Cilium agent pods. In cases where a user requires exec access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    packages:
      - package: cilium
description: |
    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.
cves:
  - CVE-2023-27593
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx
  - fix: https://github.com/cilium/cilium/pull/24075
  - web: https://github.com/cilium/cilium/releases/tag/v1.11.15
  - web: https://github.com/cilium/cilium/releases/tag/v1.12.8
  - web: https://github.com/cilium/cilium/releases/tag/v1.13.1
  - web: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
@neild neild self-assigned this Mar 21, 2023
@neild neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Mar 21, 2023
@jba jba added duplicate and removed excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. labels Mar 21, 2023
@jba
Copy link
Contributor

jba commented Mar 21, 2023

Duplicate of #1642

@jba jba marked this as a duplicate of #1642 Mar 21, 2023
@tatianab tatianab closed this as completed Apr 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @tatianab @jba @GoVulnBot