Vulnerability Details : CVE-2023-27593
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.
Products affected by CVE-2023-27593
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-27593
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 14 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-27593
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST | |
4.4
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
0.8
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-27593
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-27593
-
https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx
cilium-agent container can access the host via `hostPath` mount · Advisory · cilium/cilium · GitHubThird Party Advisory
-
https://github.com/cilium/cilium/releases/tag/v1.12.8
Release 1.12.8 · cilium/cilium · GitHubThird Party Advisory
-
https://github.com/cilium/cilium/releases/tag/v1.11.15
Release 1.11.15 · cilium/cilium · GitHubThird Party Advisory
-
https://github.com/cilium/cilium/releases/tag/v1.13.1
Release 1.13.1 · cilium/cilium · GitHubThird Party Advisory
-
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Using RBAC Authorization | KubernetesThird Party Advisory
-
https://github.com/cilium/cilium/pull/24075
agent: install CNI plugin binary in an InitContainer by squeed · Pull Request #24075 · cilium/cilium · GitHubThird Party Advisory
Jump to