CVE-2024-28250 - Vulnerability Details

Link	Providers
https://github.com/cilium/cilium/releases/tag/v1.13.13
https://github.com/cilium/cilium/releases/tag/v1.14.8
https://github.com/cilium/cilium/releases/tag/v1.15.2
https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-07T14:33:30.036Z", "datePublished": "2024-03-18T21:42:21.689Z", "dateUpdated": "2024-08-02T00:48:49.605Z"}, "containers": {"cna": {"title": "Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"version": ">= 1.14.0, < 1.14.8", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:42:21.689Z"}, "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}], "source": {"advisory": "GHSA-v6q2-4qr3-5cw6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T14:36:42.524251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:15.198Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.605Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-07T14:33:30.036Z", "datePublished": "2024-03-18T21:42:21.689Z", "dateUpdated": "2024-06-04T18:03:15.198Z"}, "containers": {"cna": {"title": "Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"version": ">= 1.14.0, < 1.14.8", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:42:21.689Z"}, "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}], "source": {"advisory": "GHSA-v6q2-4qr3-5cw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T14:36:42.524251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:18.634Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."}, {"lang": "es", "value": "Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. A partir de la versi\u00f3n 1.14.0 y anteriores a las versiones 1.14.8 y 1.15.2, en los cl\u00fasteres de Cilium con WireGuard habilitado y el tr\u00e1fico que coincide con las pol\u00edticas de Capa 7, el tr\u00e1fico elegible para Wireguard que se env\u00eda entre el proxy Envoy de un nodo y los pods de otros nodos se env\u00eda sin cifrar. y el tr\u00e1fico elegible para Wireguard que se env\u00eda entre el proxy DNS de un nodo y los pods de otros nodos se env\u00eda sin cifrar. Este problema se resolvi\u00f3 en Cilium 1.14.8 y 1.15.2 en modo de enrutamiento nativo (`routingMode=native`) y en Cilium 1.14.4 en modo de t\u00fanel (`routingMode=tunnel`). No es que en modo t\u00fanel, `encryption.wireguard.encapsulate` deba establecerse en `true`. No se conoce ning\u00fan workaround para este problema."}], "id": "CVE-2024-28250", "lastModified": "2024-11-21T09:06:05.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-18T22:15:08.750", "references": [{"source": "[email protected]", "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"source": "[email protected]", "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"source": "[email protected]", "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}, {"source": "[email protected]", "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object