Omni WireGuard SideroLink Potential Escape Vulnerability

Vulnerability

A vulnerability exists in Omni's WireGuard SideroLink implementation prior to version 0.48.0, allowing for potential packet injection. The issue arises because, while the WireGuard interface on Omni verifies that the source IP of incoming packets matches the assigned IPv6 address of the Talos peer, it does not validate the destination address. This flaw could be exploited by malicious workloads running on Kubernetes, particularly those using host networking, to send arbitrary packets over the SideroLink interface. The Talos end of the connection is not a trusted environment, creating a risk of unauthorized access to services on Omni or the host machine.
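The missing destination check, as an added Go example that is not Omni's own code: a validator for the fixed IPv6 header of packets arriving over the tunnel, with a `checkDst` switch contrasting the source-only behaviour the advisory describes with the stricter check that also pins the destination to the local tunnel address. The addresses, error values and function names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var (
	errMalformed = errors.New("not a complete IPv6 packet")
	errBadSrc    = errors.New("source is not the peer's assigned SideroLink address")
	errBadDst    = errors.New("destination is not the local SideroLink address")
	// Constructed sample addresses: hypothetical ULA values, not Omni's real ranges.
	localAddr = netip.MustParseAddr("fd00:1::1") // Omni's end of the tunnel
	peerAddr  = netip.MustParseAddr("fd00:1::2") // address assigned to the Talos peer
	otherAddr = netip.MustParseAddr("fd00:1::9") // another host or service Omni can reach
)

// validate inspects the fixed IPv6 header (RFC 8200) of a packet from the peer.
// checkDst=false mirrors the pre-0.48.0 behaviour the advisory describes (source
// pinned, destination ignored); checkDst=true also requires the local address.
func validate(pkt []byte, peer, local netip.Addr, checkDst bool) error {
	if len(pkt) < 40 || pkt[0]>>4 != 6 {
		return errMalformed
	}
	src, _ := netip.AddrFromSlice(pkt[8:24])
	dst, _ := netip.AddrFromSlice(pkt[24:40])
	if src != peer {
		return errBadSrc
	}
	if checkDst && dst != local {
		return errBadDst
	}
	return nil
}

// buildPacket constructs a bare IPv6 header with no payload (constructed input).
func buildPacket(src, dst netip.Addr) []byte {
	pkt := make([]byte, 40)
	pkt[0], pkt[6], pkt[7] = 6<<4, 59, 64 // version 6, no next header, hop limit
	copy(pkt[8:24], src.AsSlice())
	copy(pkt[24:40], dst.AsSlice())
	return pkt
}

func main() {
	pkt := buildPacket(peerAddr, otherAddr) // peer addresses something other than Omni's tunnel end
	fmt.Println("source-only check:", validate(pkt, peerAddr, localAddr, false)) // prints <nil>
	fmt.Println("strict check:     ", validate(pkt, peerAddr, localAddr, true))  // prints the errBadDst message
}
```

The source-only path accepts the stray packet, which is exactly the gap the advisory describes; the strict path rejects it before it can reach another service or be forwarded.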

Impact

Exploitation could allow a Talos machine to send packets over the SideroLink connection to any service listening on Omni, including internal APIs or services on the host machine, if Omni is using host networking. If IP forwarding is enabled, the attacker could also route packets to other machines connected to Omni or deeper into Omni's network.

Remediation

Users can upgrade to Omni version 0.48.0 or later, where this vulnerability has been fixed. Instructions for updating can be found in the Omni repository on GitHub.

Added: Sep 24, 2025, 10:04 PM
Updated: Sep 24, 2025, 10:04 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          0.6
exploitability  3.7
remediation     0.0
relevance       0.5
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.