NeuVector
cpe:2.3:a:neuvector:neuvector:*:*:*:*:*:*:*
- >= 5.3.0, <= 5.4.6
A vulnerability in NeuVector versions 5.3.0 prior to 5.3.5 and 5.4.6 prior to 5.4.7 allows for man-in-the-middle (MITM) and denial-of-service (DoS) attacks via the telemetry reporting feature. When the 'Report anonymous cluster data' option is enabled, NeuVector transmits anonymous data to a telemetry server without proper TLS certificate verification, exposing the communication to interception or modification. Additionally, the response from the telemetry server is loaded into memory without size limitations, creating a potential DoS risk.
Exploitation of this vulnerability could lead to unauthorized interception or modification of telemetry data, and the potential for a denial-of-service condition by exhausting memory resources.
Users can update to NeuVector versions 5.3.5 or 5.4.7 and above, where this vulnerability has been patched. If an immediate update is not possible, the 'Report anonymous cluster data' option can be disabled in the NeuVector UI under 'Settings' -> 'Configuration'.
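The two defects the advisory describes, a TLS client that skips certificate verification and a response body read into memory with no upper bound, are both common Go client mistakes. The following is an added illustrative example written for this page; it is not NeuVector's code, and the function names, the 64 KiB cap and the timeout are assumptions. It puts the weak client next to the hardened one and bounds the reply with `io.LimitReader` so an oversized body is rejected instead of buffered.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// ErrResponseTooLarge is returned when the telemetry server's reply exceeds
// the cap we are willing to hold in memory.
var ErrResponseTooLarge = errors.New("telemetry response exceeds size limit")

// maxTelemetryResponse is an assumed cap (64 KiB); the advisory names no value.
const maxTelemetryResponse int64 = 64 << 10

// newInsecureClient shows the weak pattern the advisory describes: certificate
// verification is disabled, so any on-path party can present a bogus certificate
// and read or alter the telemetry exchange.
func newInsecureClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the defect
		},
	}
}

// newTelemetryClient is the hardened form: the certificate chain is checked
// against the system trust store (InsecureSkipVerify stays false), TLS 1.2 is
// the floor, and a timeout bounds how long a stalled server can hold a goroutine.
func newTelemetryClient() *http.Client {
	return &http.Client{
		Timeout: 15 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion: tls.VersionTLS12,
			},
		},
	}
}

// readBounded reads at most max bytes from r and fails if more are present,
// instead of buffering an unbounded body into memory.
func readBounded(r io.Reader, max int64) ([]byte, error) {
	// Read one byte past the cap so "exactly max" and "too big" are distinguishable.
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// postTelemetry sends the payload and returns the size-capped reply body.
func postTelemetry(client *http.Client, url string, payload string) ([]byte, error) {
	resp, err := client.Post(url, "application/json", strings.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("telemetry server returned %s", resp.Status)
	}
	return readBounded(resp.Body, maxTelemetryResponse)
}

func main() {
	// Offline demonstration of the size cap using a constructed oversized reply.
	oversized := strings.NewReader(strings.Repeat("x", int(maxTelemetryResponse)+1))
	if _, err := readBounded(oversized, maxTelemetryResponse); err != nil {
		fmt.Println("oversized reply rejected:", err)
	}
	small, _ := readBounded(strings.NewReader(`{"ok":true}`), maxTelemetryResponse)
	fmt.Printf("small reply accepted: %s\n", small)
}
```

When reviewing a client like this, the two checks are mechanical: grep for `InsecureSkipVerify: true` on any connection that leaves the cluster, and confirm every `io.ReadAll` on a network body sits behind an `io.LimitReader` or an equivalent cap.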