modules:
- module: github.com/cilium/cilium
versions:
- introduced: 1.13.0
fixed: 1.13.1
packages:
- package: github.com/cilium/cilium
- module: github.com/cilium/cilium
versions:
- introduced: 1.12.0
fixed: 1.12.8
packages:
- package: github.com/cilium/cilium
- module: github.com/cilium/cilium
versions:
- fixed: 1.11.15
packages:
- package: github.com/cilium/cilium
summary: cilium-agent container can access the host via `hostPath` mount
description: "### Impact\n\nAn attacker with access to a Cilium agent pod can write
to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod.
By replacing the CNI binary with their own malicious binary and waiting for the
creation of a new pod on the node, the attacker can gain access to the underlying
node. \n\n### Patches\n\nThe issue has been fixed and is available on versions
>=1.11.15, >=1.12.8, >=1.13.1.\n\n### Workarounds\n\n[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
should be used to deny users and service accounts `exec` access to Cilium agent
pods.\n\nIn cases where a user requires `exec` access to Cilium agent pods, but
should not have access to the underlying node, no workaround is possible.\n\n###
References\n\n* [PR containing resolution](https://github.com/cilium/cilium/pull/24075)\n\n###
Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent
and Form3 to prepare these mitigations. Special thanks to Anastasios Koutlis,
Daniel Teixeira, and Magdalena Oczadly for their cooperation. \n\n### For more
information\n\nIf you have any questions or comments about this advisory, please
reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs
usual, if you think you found a related vulnerability, we strongly encourage you
to report security vulnerabilities to our private security mailing list: security@cilium.io
- first, before disclosing them in any public forums. This is a private mailing
list where only members of the Cilium internal security team are subscribed to,
and is treated as top priority. "
cves:
- CVE-2023-27593
ghsas:
- GHSA-4hc4-pgfx-3mrx
references:
- advisory: https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx
- fix: https://github.com/cilium/cilium/pull/24075
- advisory: https://github.com/advisories/GHSA-4hc4-pgfx-3mrx
In GitHub Security Advisory GHSA-4hc4-pgfx-3mrx, there is a vulnerability in the following Go packages or modules:
Cross references:
See doc/triage.md for instructions on how to triage this report.