Cilium Denial-of-Service Vulnerability via Crafted DNS Responses

Vulnerability

A denial-of-service vulnerability has been identified in Cilium, a networking and security solution for Kubernetes. It affects versions 1.14.0 prior to 1.14.18, 1.15.0 prior to 1.15.12, and 1.16.0 prior to 1.16.5. The vulnerability is reachable only when Cilium is configured to proxy DNS traffic, which is the case when DNS-aware network policy (toFQDNs rules or L7 DNS rules) is in use. In that configuration, an attacker outside the cluster can crash a Cilium agent by sending a crafted DNS response to a workload. The effect of a crashed agent depends on the traffic: for traffic that is allowed without DNS-based policy, the dataplane keeps forwarding as configured at the time of the attack; for workloads with DNS-based policy, existing connections and new connections that do not depend on DNS resolution continue to work, while new connections that rely on DNS resolution are disrupted. In addition, any configuration change affecting the impacted agent is not applied until the agent restarts.

Impact

Exploiting this vulnerability crashes Cilium agents. Until an affected agent restarts, DNS-based traffic management on that node is disrupted: new connections from workloads under DNS-based policy that depend on DNS resolution fail, and policy or configuration updates for the node are not applied.

Remediation

Users should upgrade to Cilium 1.14.18, 1.15.12, or 1.16.5 (or a later release in the same line) to address this vulnerability. Only clusters in which Cilium proxies DNS traffic are exposed, but the patched releases are the fix in either case.
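The script below is an added triage helper; it is not code from this advisory or from the Cilium project. It classifies an agent version string against the affected ranges stated above and scans CiliumNetworkPolicy manifests for the rules that cause the agent to proxy DNS (toFQDNs egress rules and L7 "dns" rules). The version strings, the manifest text and the two sample policies are constructed inputs; on a live cluster you would feed it the version printed by `cilium version` (or the agent image tag) and the output of `kubectl get cnp,ccnp -A -o yaml`.

```shell
#!/bin/sh
# Added triage helper for the Cilium DNS-proxy DoS described above (not from the
# advisory or the Cilium project). Assumptions: versions look like "1.16.4" or
# "v1.16.4"; policies are CiliumNetworkPolicy YAML text as kubectl prints it.

# Exit status 0 when VERSION is in an affected range:
#   1.14.0 <= v < 1.14.18,  1.15.0 <= v < 1.15.12,  1.16.0 <= v < 1.16.5
# A pre-release of a fixed version (e.g. the hypothetical "1.16.5-rc.0") sorts
# before the release, so it is still counted as affected.
# Exit status 2 means the string could not be parsed as major.minor.patch.
cilium_dns_dos_affected() {
    v="${1#v}"
    case "$v" in *-*) pre=1 ;; *) pre=0 ;; esac
    v="${v%%-*}"
    IFS=. read -r major minor patch _rest <<EOF
$v
EOF
    case "$patch" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" = 1 ] || return 1
    case "$minor" in
        14) fixed=18 ;;
        15) fixed=12 ;;
        16) fixed=5 ;;
        *)  return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ] || { [ "$patch" -eq "$fixed" ] && [ "$pre" -eq 1 ]; }
}

# Exit status 0 when the manifest text on stdin contains a rule that makes the
# agent proxy DNS: an L7 "dns:" rule block under toPorts.rules, or a toFQDNs
# egress rule (which depends on the DNS proxy to learn destination IPs).
# Assumption: a key scan of the YAML is enough for triage; it is not a YAML
# parser and prefers a false positive over a missed policy.
policy_uses_dns_proxy() {
    grep -Eq '^[[:space:]]*(-[[:space:]]+)?(toFQDNs|dns):'
}

# Combines both checks and prints one word:
#   exposed        affected version and a policy that uses the DNS proxy
#   patch-advised  affected version, but no DNS-proxy policy found
#   not-affected   version outside the affected ranges
#   unparseable    version string not understood; check by hand
triage() {
    version=$1
    manifests=$2
    cilium_dns_dos_affected "$version" && rc=0 || rc=$?
    case "$rc" in
        0)
            if printf '%s\n' "$manifests" | policy_uses_dns_proxy; then
                echo exposed
            else
                echo patch-advised
            fi ;;
        2) echo unparseable ;;
        *) echo not-affected ;;
    esac
}

# Constructed sample manifests (not taken from any real cluster).
SAMPLE_DNS_POLICY='apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress-to-example
spec:
  endpointSelector:
    matchLabels:
      app: web
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: "example.com"'

SAMPLE_L3_POLICY='apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress-to-cidr
spec:
  endpointSelector:
    matchLabels:
      app: batch
  egress:
  - toCIDR:
    - 10.0.0.0/8'

# Demonstration over a few version strings and both sample policies.
for ver in 1.14.17 1.15.12 v1.16.4 1.16.5 1.17.0; do
    printf '%-10s dns-policy: %s\n' "$ver" "$(triage "$ver" "$SAMPLE_DNS_POLICY")"
done
printf '%-10s l3-policy:  %s\n' 1.16.4 "$(triage 1.16.4 "$SAMPLE_L3_POLICY")"
```

The version check errs on the side of reporting a pre-release of a fixed version as affected, and the policy scan matches keys rather than parsing YAML, so a manifest that happens to contain an unrelated `dns:` key is reported as using the proxy; for triage that is the safer direction, and a reported "exposed" cluster should then be confirmed by inspecting the matching policy.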

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          0.6
exploitability  7.0
remediation     7.7
relevance       0.0
threat          0.0
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.