Cilium Node-Based Network Policy Traffic Mismanagement Vulnerability

Vulnerability

A vulnerability in Cilium's node-based network policies allows unintended traffic to and from non-node endpoints that carry the same labels the policy specifies for nodes. This issue arises when the 'fromNodes' and 'toNodes' fields are used with labels that are also applied to other endpoints (for example pods), not just nodes. The vulnerability is present in Cilium versions 1.16.0 through 1.16.7 and 1.17.0 through 1.17.1. Node-based network policy is disabled by default in Cilium.

Impact

Exploitation of this vulnerability can lead to improper traffic management: a rule intended to allow or restrict traffic only for nodes also applies to non-node workloads and endpoints that share the selected labels, permitting communication the policy author did not intend.

Reproduction

To reproduce this vulnerability, create a CiliumNetworkPolicy that uses the 'fromNodes' or 'toNodes' fields with labels shared by non-node endpoints. This can be done by specifying labels that are not exclusive to nodes, such as those used by workloads or services. Once the policy is applied, observe the traffic to and from the endpoints, which will incorrectly allow or block communication based on the shared labels.

Remediation

Users can upgrade to Cilium version 1.16.8 or 1.17.2, where this issue has been fixed. Alternatively, ensure that the labels used in the 'fromNodes' and 'toNodes' fields are exclusive to nodes and not shared with any other endpoints.
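As an added audit check (not Cilium's own code and not part of this advisory), the following Python inspects a parsed CiliumNetworkPolicy for 'fromNodes'/'toNodes' selectors whose labels also match non-node endpoints, which is exactly the condition the remediation tells you to rule out. The policy, the pod list and the placement of the fields under spec.ingress/spec.egress are constructed sample input and assumptions; only matchLabels is evaluated.

```python
"""Audit a CiliumNetworkPolicy for node selectors whose labels are shared with pods."""

# Constructed sample: a CiliumNetworkPolicy as it would look after parsing its
# YAML/JSON. The 'fromNodes' rule uses 'team: infra', a label also carried by a pod.
POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "allow-from-infra-nodes"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "metrics"}},
        "ingress": [{"fromNodes": [{"matchLabels": {"team": "infra"}}]}],
        "egress": [{"toNodes": [{"matchLabels": {"node-role.kubernetes.io/control-plane": ""}}]}],
    },
}

# Constructed sample of non-node endpoints (pods) and their labels, e.g. from
# `kubectl get pods -A -o json`.
PODS = [
    {"name": "scraper", "labels": {"app": "scraper", "team": "infra"}},
    {"name": "web", "labels": {"app": "web", "team": "frontend"}},
]


def node_selectors(policy):
    """Yield (field, matchLabels) for every fromNodes/toNodes selector in the policy."""
    spec = policy.get("spec", {})
    for direction, field in (("ingress", "fromNodes"), ("egress", "toNodes")):
        for rule in spec.get(direction, []):
            for selector in rule.get(field, []):
                yield field, selector.get("matchLabels", {})


def matches(labels, selector):
    """True if every key/value in the selector is present on the endpoint.
    An empty selector matches everything, mirroring label-selector semantics."""
    return all(labels.get(key) == value for key, value in selector.items())


def shared_label_findings(policy, pods):
    """One finding per node selector that also matches at least one non-node endpoint."""
    findings = []
    for field, selector in node_selectors(policy):
        hits = [pod["name"] for pod in pods if matches(pod["labels"], selector)]
        if hits:
            findings.append({"field": field, "selector": selector, "pods": hits})
    return findings


if __name__ == "__main__":
    for finding in shared_label_findings(POLICY, PODS):
        print(f"{finding['field']} selector {finding['selector']} also matches pods {finding['pods']}")
```

A clean result is an empty list; any finding means the policy's node selection is not exclusive to nodes and the labels should be changed before the policy is applied.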

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          0.6
exploitability  5.9
remediation     7.9
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.