A recent security vulnerability identified in Cilium raises substantial concerns. For those unfamiliar with Cilium, it is an eBPF-based software-defined infrastructure that provides advanced networking, observability, and security. However, the discovery of CVE-2023-39347 puts Cilium's network security aspects in question.

Core Issue in Cilium

The heart of the problem lies in how Cilium applies network policies in response to pod updates. Instead of using the system-generated pod labels, Cilium mistakenly uses user-provided pod labels to select policies that apply to a specific workload. Consequently, this oversight allows malicious users to apply incorrect network policies and bypass security.

Kubernetes network policies

To better understand the problem, consider an attacker providing a non-existent namespace as the value of the io.kubernetes.pod.namespace label. Since this namespace does not exist, none of the namespaced CiliumNetworkPolicies apply to the targeted pod, effectively bypassing any related security policies.

For the attacker to succeed with this exploit, they require access to the Kubernetes API Server, a prerequisite that is explicitly covered in the Cilium Threat Model.

Here is a sample pod manifest demonstrating the exploit:

apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
  labels:
    io.kubernetes.pod.namespace: non-existent-namespace
spec:
  containers:
  - name: test-container
    image: nginx

In this example, a pod manifest is created with a non-existent namespace as the value of the io.kubernetes.pod.namespace label. This manipulation causes Cilium to fail to apply the correct namespaced CiliumNetworkPolicies to the pod.

Workarounds and Solutions

Fortunately, this issue has been addressed in Cilium versions 1.14.2, 1.13.7, and 1.12.14. Therefore, users are strongly advised to upgrade to any of those versions.

However, if upgrading is not feasible immediately, a temporary workaround exists in the form of an admission webhook. By using such a webhook, users can prevent pod label updates to the k8s:io.kubernetes.pod.namespace and io.cilium.k8s.policy.* keys. This measure ensures that attackers cannot manipulate the labels to bypass network policies.
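As an added illustration of the admission-webhook workaround (example code written for this article, not Cilium's or the Kubernetes project's own code), the Go validator below decodes an admission.k8s.io/v1 AdmissionReview for a Pod and denies the request when any label key equals io.kubernetes.pod.namespace (or its Cilium-prefixed spelling k8s:io.kubernetes.pod.namespace) or starts with io.cilium.k8s.policy.. It rejects the keys on CREATE as well as UPDATE, which is stricter than the update-only workaround described above. The AdmissionReview bodies, pod names, namespaces and UIDs are constructed samples, and the HTTPS server and ValidatingWebhookConfiguration that a real webhook needs are omitted; Validate is the decision logic that would sit behind that handler.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Label keys the CVE-2023-39347 workaround says users must not set. Cilium displays
// Kubernetes labels with a "k8s:" source prefix, so the key on the Pod object itself is
// "io.kubernetes.pod.namespace"; both spellings are rejected to cover either reading.
var forbiddenExact = map[string]bool{
	"io.kubernetes.pod.namespace":     true,
	"k8s:io.kubernetes.pod.namespace": true,
}

const forbiddenPrefix = "io.cilium.k8s.policy."

// The subset of an AdmissionReview request this validator needs.
type admissionReview struct {
	Request struct {
		UID       string `json:"uid"`
		Operation string `json:"operation"`
		Object    struct {
			Metadata struct {
				Name      string            `json:"name"`
				Namespace string            `json:"namespace"`
				Labels    map[string]string `json:"labels"`
			} `json:"metadata"`
		} `json:"object"`
	} `json:"request"`
}

type admissionStatus struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type admissionResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		UID     string           `json:"uid"`
		Allowed bool             `json:"allowed"`
		Status  *admissionStatus `json:"status,omitempty"`
	} `json:"response"`
}

// ForbiddenLabelKeys returns, sorted, every label key a user is not allowed to set.
func ForbiddenLabelKeys(labels map[string]string) []string {
	var bad []string
	for k := range labels {
		if forbiddenExact[k] || strings.HasPrefix(k, forbiddenPrefix) {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

// Validate decodes the AdmissionReview the API server sends for a Pod CREATE or UPDATE
// and returns the encoded AdmissionReview response together with the allow/deny decision.
func Validate(body []byte) ([]byte, bool, error) {
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, false, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	meta := review.Request.Object.Metadata
	bad := ForbiddenLabelKeys(meta.Labels)

	var resp admissionResponse
	resp.APIVersion = "admission.k8s.io/v1"
	resp.Kind = "AdmissionReview"
	resp.Response.UID = review.Request.UID
	resp.Response.Allowed = len(bad) == 0
	if !resp.Response.Allowed {
		resp.Response.Status = &admissionStatus{
			Code: 403,
			Message: fmt.Sprintf("%s of pod %s/%s denied: label keys %v are reserved for the system",
				review.Request.Operation, meta.Namespace, meta.Name, bad),
		}
	}
	out, err := json.Marshal(resp)
	return out, resp.Response.Allowed, err
}

// Constructed AdmissionReview wrapping the exploit manifest from this article (not a real capture).
const SampleMaliciousReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"00000000-0000-0000-0000-000000000001","operation":"UPDATE",
  "object":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"vulnerable-pod","namespace":"team-a",
   "labels":{"app":"web","io.kubernetes.pod.namespace":"non-existent-namespace"}}}}}`

// Constructed AdmissionReview for an ordinary pod that only carries an app label.
const SampleBenignReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"00000000-0000-0000-0000-000000000002","operation":"CREATE",
  "object":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web-0","namespace":"team-a",
   "labels":{"app":"web"}}}}}`

func main() {
	for _, body := range []string{SampleMaliciousReview, SampleBenignReview} {
		out, allowed, err := Validate([]byte(body))
		fmt.Printf("allowed=%v err=%v response=%s\n", allowed, err, out)
	}
}
```

Registered in a ValidatingWebhookConfiguration for the pods resource on CREATE and UPDATE, this handler refuses the exploit manifest shown earlier before Cilium ever evaluates the pod's labels, while pods that carry only ordinary labels pass through unchanged.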

In light of this security vulnerability (CVE-2023-39347), our recommendations include:

1. Review your current Cilium version and update to version 1.14.2, 1.13.7, or 1.12.14 as soon as possible.
2. Implement an admission webhook to prevent pod label updates, providing an additional layer of protection against malicious attempts.
3. Regularly monitor your environment for signs of security breaches and promptly address any issues that may arise.

Cilium is a powerful networking, observability, and security solution; however, the discovery of vulnerabilities such as CVE-2023-39347 highlights the ever-evolving risks in IT environments. To stay ahead of threats, constant vigilance and timely adaptation are crucial.

For more information on CVE-2023-39347 and official recommendations, refer to the Cilium Security Announcement. Stay safe!

Timeline

Published on: 09/27/2023 15:18:00 UTC
Last modified on: 09/29/2023 15:54:00 UTC