CVE-2024-33522: 
Linux Photon vulnerability analysis and mitigation

In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue was discovered in August 2023 and publicly disclosed in April 2024. The vulnerability stems from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute arbitrary binaries with elevated privileges (Tigera Security Bulletin).

The vulnerability exists in the Calico install binary located in cni-plugn/pkg/install/install.go and cnii-plugin/cmd/calico.go. The binary creates the /host/opt/cni/bin directories if they do not exist and sets itself to run as a SUID binary. The exploitation involves manipulating environment variables (TLSASSESTSDIR and UPDATECNIBINARIES) and controlling directory creation, which can lead to executing a malicious binary with root privileges. The vulnerability has been assigned a CVSS v3.1 score of 6.7 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Tigera Security Bulletin).

If successfully exploited, an attacker with local access to the Kubernetes nodes can execute arbitrary binaries with elevated privileges, potentially gaining full root access to the system. This could lead to complete compromise of the affected node and potential access to sensitive information (Tigera Security Bulletin).

The vulnerability has been fixed in the following versions: Calico OSS v3.28.0 and above, v3.27.3, and v3.26.5; Calico Enterprise v3.19.0-2.0 and above, v3.18.2, and v3.17.4; Calico Cloud v19.3.0 and above. As a temporary mitigation, organizations should review access control and monitoring for Kubernetes nodes and increase restrictions to the nodes (Tigera Security Bulletin).