Cilium, a widely used networking, observability, and security solution built on an eBPF-based dataplane, is affected by a vulnerability in how it scopes CiliumNetworkPolicy (CNP) objects to their namespace. An attacker who can create or modify CNP objects in a single namespace can affect traffic across the entire Cilium cluster, bypassing policy enforcement in other namespaces or granting unauthorized access to network resources.

Technical Details of CVE-2023-41333

The trigger is a crafted endpointSelector that applies the DoesNotExist operator to the reserved:init label. Cilium normally restricts a namespaced CNP's endpointSelector to pods in the policy's own namespace by adding the namespace label to the selector. Selectors that reference reserved:init are exempt from this, because initializing endpoints carry no namespace label yet, and the exemption was keyed on the presence of the label name rather than on the operator used with it. A selector with DoesNotExist on reserved:init therefore skips the namespace restriction while matching every non-initializing endpoint in the cluster, so the rules attached to it allow or deny traffic cluster-wide, according to the attacker's intent.

Here is an example of a maliciously crafted CNP:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "malicious-cnp"
spec:
  # DoesNotExist is a matchExpressions operator; matchLabels cannot express it.
  # On a vulnerable version this selector is not narrowed to the policy's namespace
  # and matches every non-initializing endpoint in the cluster.
  endpointSelector:
    matchExpressions:
      - key: reserved:init
        operator: DoesNotExist
  # Selected endpoints enter default-deny for ingress, so this one rule both cuts
  # off every pod's existing ingress and opens it to attacker-labelled endpoints.
  ingress:
    - fromEndpoints:
        - matchLabels:
            attacker-controlled-label: value

Exploiting this vulnerability requires the ability to write CNP objects through the Kubernetes API server, i.e. RBAC permission to create or update ciliumnetworkpolicies in at least one namespace. This is the Kubernetes API Server Attacker described in Cilium's Threat Model.

Affected Versions

Cilium 1.12.0 through 1.12.13, 1.13.0 through 1.13.6, and 1.14.0 through 1.14.1 are affected.

Remediation and Fixes

This vulnerability is fixed in Cilium 1.14.2, 1.13.7, and 1.12.14. Upgrade to these versions or later to protect against CVE-2023-41333. The Cilium project has published release notes for each of them:

- 1.14.2 Release Notes
- 1.13.7 Release Notes
- 1.12.14 Release Notes

Workaround

If upgrading to a patched version is not immediately possible, a validating admission webhook can close the hole temporarily. Configure it for CREATE and UPDATE of CiliumNetworkPolicy objects and reject any object whose endpointSelector (in spec or in any entry of specs) contains a matchExpressions requirement with key reserved:init and operator DoesNotExist. Use failurePolicy Fail so the protection does not lapse when the webhook is unavailable, and audit CNPs that already exist, since admission control only sees new writes.

Please consult the Kubernetes documentation for details on implementing and configuring admission webhooks in your environment.
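The check the workaround calls for, as an added example written for this page (it is not Cilium's code and not part of the advisory): a minimal validating admission webhook in Go that decodes the AdmissionReview the API server sends for a CiliumNetworkPolicy write, walks both the single-rule spec and the multi-rule specs list, and denies any endpointSelector carrying a matchExpressions entry with key reserved:init and operator DoesNotExist. Exists and matchLabels on reserved:init (ordinary init policies) pass, and an object that cannot be decoded is denied rather than admitted. The /validate path, port 8443, the /tls/ certificate paths, and the sample UIDs and object names are assumptions; the two sample AdmissionReview bodies are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Only the CiliumNetworkPolicy fields the check needs; encoding/json ignores the rest and matches untagged names case-insensitively.
type requirement struct{ Key, Operator string }
type endpointSelector struct{ MatchExpressions []requirement }
type rule struct{ EndpointSelector *endpointSelector }
type ciliumNetworkPolicy struct {
	Spec  *rule  // single-rule form
	Specs []rule // multi-rule form; both must be checked
}

// Subset of admission.k8s.io/v1 AdmissionReview; tags matter here because the reply is marshalled.
type status struct{ Code int `json:"code"`; Message string `json:"message"` }
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}
type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}

const reservedInit = "reserved:init"
// Violations lists each selector path (spec, specs[i]) using DoesNotExist on reserved:init, the pattern
// CVE-2023-41333 abuses. Exists or a matchLabels entry on reserved:init is a normal init policy and passes.
func Violations(cnp *ciliumNetworkPolicy) (out []string) {
	paths, rules := []string{"spec"}, []*rule{cnp.Spec}
	for i := range cnp.Specs {
		paths, rules = append(paths, fmt.Sprintf("specs[%d]", i)), append(rules, &cnp.Specs[i])
	}
	for i, r := range rules {
		if r == nil || r.EndpointSelector == nil {
			continue
		}
		for _, req := range r.EndpointSelector.MatchExpressions {
			if req.Key == reservedInit && req.Operator == "DoesNotExist" {
				out = append(out, paths[i]+".endpointSelector")
			}
		}
	}
	return out
}

// Decide evaluates a serialized AdmissionReview and returns the response to send back.
func Decide(body []byte) (*AdmissionResponse, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (%v)", err)
	}
	resp := &AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	var cnp ciliumNetworkPolicy
	if err := json.Unmarshal(ar.Request.Object, &cnp); err != nil {
		// Fail closed: an object the webhook cannot parse is rejected, not waved through.
		resp.Allowed, resp.Status = false, &status{400, "cannot decode CiliumNetworkPolicy: " + err.Error()}
	} else if bad := Violations(&cnp); len(bad) > 0 {
		resp.Allowed, resp.Status = false, &status{403,
			fmt.Sprintf("DoesNotExist on %s is not permitted (CVE-2023-41333): %v", reservedInit, bad)}
	}
	return resp, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // size-capped; a truncated body fails in Decide
	resp, err := Decide(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
}

// Constructed sample requests (not captured traffic): the advisory's malicious selector, and a legitimate init policy that must still be admitted.
const (
	SampleMalicious = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"a1","object":{"apiVersion":"cilium.io/v2",
	 "kind":"CiliumNetworkPolicy","metadata":{"name":"malicious-cnp"},"spec":{"endpointSelector":{"matchExpressions":
	 [{"key":"reserved:init","operator":"DoesNotExist"}]},"ingress":[{"fromEndpoints":[{"matchLabels":{"attacker-controlled-label":"value"}}]}]}}}}`
	SampleInitPolicy = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"b2","object":{"apiVersion":"cilium.io/v2","kind":"CiliumNetworkPolicy","metadata":{"name":"init-policy"},
	 "spec":{"endpointSelector":{"matchLabels":{"reserved:init":""}},"egress":[{"toEntities":["world"]}]}}}}`
)

func main() {
	http.HandleFunc("/validate", handler)
	log.Fatal(http.ListenAndServeTLS(":8443", "/tls/tls.crt", "/tls/tls.key", nil)) // kube-apiserver requires TLS; paths assumed
}
```

Register the server with a ValidatingWebhookConfiguration scoped to apiGroups cilium.io, apiVersions v2, resources ciliumnetworkpolicies, operations CREATE and UPDATE, with failurePolicy Fail; admission only sees new writes, so existing CNPs still need a separate audit. The comparison is literal on the key string the advisory names; treat any other spelling of the same label in your policies as a gap to close rather than as safe.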

References

- Cilium GitHub Repository
- Cilium Threat Model
- CiliumNetworkPolicy

Timeline

Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/30/2023 02:01:00 UTC