CVE-2024-28250: 
Cilium vulnerability analysis and mitigation

CVE-2024-28250 affects Cilium, a networking, observability, and security solution with an eBPF-based dataplane. The vulnerability was discovered in version 1.14.0 and affects versions prior to 1.14.8 and 1.15.2. In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic between a node's Envoy proxy and pods on other nodes, as well as between a node's DNS proxy and pods on other nodes, is sent unencrypted (Vendor Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.1 (Medium) with vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N. It is categorized under CWE-319 (Cleartext Transmission of Sensitive Information) by NIST and CWE-311 (Missing Encryption of Sensitive Data) by GitHub. The issue specifically affects traffic that should be WireGuard-encrypted but is instead transmitted in cleartext between specific components (NVD, Vendor Advisory).

The vulnerability allows sensitive traffic that should be encrypted to be transmitted in cleartext between nodes. This affects two specific scenarios: traffic between a node's Envoy proxy and pods on other nodes, and traffic between a node's DNS proxy and pods on other nodes. This could potentially expose sensitive data to unauthorized parties who have access to the network traffic between nodes (Vendor Advisory).

The issue has been resolved in Cilium 1.14.8 and 1.15.2 for native routing mode (routingMode=native), and in Cilium 1.14.4 for tunneling mode (routingMode=tunnel). For tunneling mode, encryption.wireguard.encapsulate must be set to true. There are no known workarounds for this vulnerability (Vendor Advisory).

The Cilium community worked together with members of Isovalent to prepare the mitigations. Special acknowledgments were given to several contributors including @brb, @giorio94, @gandro, and @jschwinger233 for their work on triaging and remediating this issue (Vendor Advisory).