CVE-2024-28250 - Vulnerability Details - OpenCVE

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cilium	Cilium

Configuration 1 [-]

OR	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::

No data.

References

Link	Providers
https://github.com/cilium/cilium/releases/tag/v1.13.13
https://github.com/cilium/cilium/releases/tag/v1.14.8
https://github.com/cilium/cilium/releases/tag/v1.15.2
https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6

History

Thu, 09 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cilium Cilium cilium
Weaknesses		CWE-319
CPEs		cpe:2.3:a:cilium:cilium::::::::
Vendors & Products		Cilium Cilium cilium

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-18T21:42:21.689Z

Updated: 2024-08-02T00:48:49.605Z

Reserved: 2024-03-07T14:33:30.036Z

Link: CVE-2024-28250

Vulnrichment

Updated: 2024-05-23T19:01:18.634Z

NVD

Status : Analyzed

Published: 2024-03-18T22:15:08.750

Modified: 2025-01-09T16:47:40.047

Link: CVE-2024-28250

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-07T14:33:30.036Z", "datePublished": "2024-03-18T21:42:21.689Z", "dateUpdated": "2024-08-02T00:48:49.605Z"}, "containers": {"cna": {"title": "Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"version": ">= 1.14.0, < 1.14.8", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:42:21.689Z"}, "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}], "source": {"advisory": "GHSA-v6q2-4qr3-5cw6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T14:36:42.524251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:15.198Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.605Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-07T14:33:30.036Z", "datePublished": "2024-03-18T21:42:21.689Z", "dateUpdated": "2024-06-04T18:03:15.198Z"}, "containers": {"cna": {"title": "Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"version": ">= 1.14.0, < 1.14.8", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:42:21.689Z"}, "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}], "source": {"advisory": "GHSA-v6q2-4qr3-5cw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T14:36:42.524251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:18.634Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "matchCriteriaId": "50C01BB2-3804-450F-846D-DE7A23112DF6", "versionEndExcluding": "1.14.8", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "matchCriteriaId": "9938037D-85A4-4964-B593-33015AEFC8DB", "versionEndExcluding": "1.15.2", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}, {"lang": "es", "value": "Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. A partir de la versi\u00f3n 1.14.0 y anteriores a las versiones 1.14.8 y 1.15.2, en los cl\u00fasteres de Cilium con WireGuard habilitado y el tr\u00e1fico que coincide con las pol\u00edticas de Capa 7, el tr\u00e1fico elegible para Wireguard que se env\u00eda entre el proxy Envoy de un nodo y los pods de otros nodos se env\u00eda sin cifrar. y el tr\u00e1fico elegible para Wireguard que se env\u00eda entre el proxy DNS de un nodo y los pods de otros nodos se env\u00eda sin cifrar. Este problema se resolvi\u00f3 en Cilium 1.14.8 y 1.15.2 en modo de enrutamiento nativo (`routingMode=native`) y en Cilium 1.14.4 en modo de t\u00fanel (`routingMode=tunnel`). No es que en modo t\u00fanel, `encryption.wireguard.encapsulate` deba establecerse en `true`. No se conoce ning\u00fan workaround para este problema."}], "id": "CVE-2024-28250", "lastModified": "2025-01-09T16:47:40.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-18T22:15:08.750", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}