{ "schema_version": "1.4.0", "id": "GHSA-4hc4-pgfx-3mrx", "modified": "2023-03-17T21:38:36Z", "published": "2023-03-17T18:20:46Z", "aliases": [ "CVE-2023-27593" ], "summary": "cilium-agent container can access the host via `hostPath` mount", "details": "### Impact\n\nAn attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. \n\n### Patches\n\nThe issue has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1.\n\n### Workarounds\n\n[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) should be used to deny users and service accounts `exec` access to Cilium agent pods.\n\nIn cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.\n\n### References\n\n* [PR containing resolution](https://github.com/cilium/cilium/pull/24075)\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent and Form3 to prepare these mitigations. Special thanks to Anastasios Koutlis, Daniel Teixeira, and Magdalena Oczadly for their cooperation. \n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority. \n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.11.15" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.12.0" }, { "fixed": "1.12.8" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.13.0" }, { "fixed": "1.13.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27593" }, { "type": "WEB", "url": "https://github.com/cilium/cilium/pull/24075" }, { "type": "PACKAGE", "url": "https://github.com/cilium/cilium" }, { "type": "WEB", "url": "https://github.com/cilium/cilium/releases/tag/v1.11.15" }, { "type": "WEB", "url": "https://github.com/cilium/cilium/releases/tag/v1.12.8" }, { "type": "WEB", "url": "https://github.com/cilium/cilium/releases/tag/v1.13.1" }, { "type": "WEB", "url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac" } ], "database_specific": { "cwe_ids": [ "CWE-276" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-03-17T18:20:46Z", "nvd_published_at": "2023-03-17T20:15:00Z" } }