Cilium Egress Policy Misconfiguration Vulnerability Allowing Unintended Outbound Traffic

Vulnerability

A vulnerability exists in Cilium's handling of egress network policies that reference AWS security group IDs. In Cilium versions prior to 1.16.17, 1.17.10, and 1.18.4, a policy whose 'egress.toGroups.aws.securityGroupsIds' references security group IDs that do not exist or are not attached to any network interface may allow broader outbound access than intended: because no addresses resolve from such a group, the 'toCIDRSet' section of the derived policy is not generated, and the resulting rule places no restriction on outbound traffic. The issue has been patched in Cilium versions 1.16.17, 1.17.10, and 1.18.4.

Impact

A workload governed by such a policy can send traffic to destinations the policy was meant to block, potentially leading to data exfiltration or communication with unauthorized external services.

Reproduction

To reproduce this vulnerability, create a CiliumNetworkPolicy that uses 'egress.toGroups.aws.securityGroupsIds' to reference AWS security group IDs that do not exist or are not attached to any network interface. Apply this policy to a workload and observe its outbound traffic, which may be broader than the policy intends.
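The following audit script is an added example for this advisory; it is not Cilium's code and not part of the original entry. It checks for the two conditions the advisory describes from a defender's side: a parent policy whose egress toGroups rule names a security group that is missing from, or attached to nothing in, an inventory snapshot, and a derived policy whose egress rule carries no toCIDRSet and therefore constrains no destinations. The policy objects, the security group IDs, the policy names and the inventory are all constructed sample data; in a real audit the inventory would be built from the AWS API and the derived policies read from the cluster, which is an assumption about how the script would be wired up.

```python
"""Audit CiliumNetworkPolicy egress rules that reference AWS security groups.

Added example (not Cilium's code). Flags:
  1. a parent policy whose egress.toGroups.aws.securityGroupsIds names a
     security group that is absent from, or unattached in, an inventory;
  2. a derived policy whose egress rule has no toCIDRSet, i.e. a rule that
     would leave outbound traffic unconstrained.
All policies, IDs and the inventory below are constructed sample data.
"""
from typing import Dict, List

# Constructed inventory snapshot: security group id -> number of attached
# network interfaces. Assumption: a real audit would build this from the
# AWS API rather than a literal dict.
SG_INVENTORY: Dict[str, int] = {
    "sg-0aaa000000000001": 2,  # constructed: exists and is attached
    "sg-0bbb000000000002": 0,  # constructed: exists but attached to nothing
}

# Constructed parent policy: one rule names an attached group; the other
# names an unattached group and a group that does not exist at all.
PARENT_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "egress-to-db", "namespace": "default"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "api"}},
        "egress": [
            {"toGroups": [{"aws": {"securityGroupsIds": ["sg-0aaa000000000001"]}}]},
            {"toGroups": [{"aws": {"securityGroupsIds": [
                "sg-0bbb000000000002", "sg-0ccc000000000003"]}}]},
        ],
    },
}

# Constructed derived policies shaped after the advisory's description:
# the first carries a toCIDRSet, the second was generated without one.
DERIVED_OK = {
    "metadata": {"name": "egress-to-db-togroups-ok"},
    "spec": {"egress": [{"toCIDRSet": [{"cidr": "10.0.1.15/32"},
                                       {"cidr": "10.0.1.16/32"}]}]},
}
DERIVED_EMPTY = {
    "metadata": {"name": "egress-to-db-togroups-empty"},
    "spec": {"egress": [{}]},
}


def sg_ids_in_policy(policy: dict) -> List[str]:
    """Collect every AWS security group id referenced by egress toGroups rules."""
    ids: List[str] = []
    for rule in policy.get("spec", {}).get("egress", []):
        for group in rule.get("toGroups", []):
            ids.extend(group.get("aws", {}).get("securityGroupsIds", []))
    return ids


def audit_parent(policy: dict, inventory: Dict[str, int]) -> List[str]:
    """Report referenced groups that cannot resolve to any destination address."""
    name = policy["metadata"]["name"]
    findings: List[str] = []
    for sg in sg_ids_in_policy(policy):
        attached = inventory.get(sg)
        if attached is None:
            findings.append(f"{name}: {sg} not found in inventory")
        elif attached == 0:
            findings.append(f"{name}: {sg} is attached to no network interface")
    return findings


def audit_derived(derived: dict) -> List[str]:
    """Report egress rules of a derived policy that carry no toCIDRSet."""
    name = derived["metadata"]["name"]
    findings: List[str] = []
    for i, rule in enumerate(derived.get("spec", {}).get("egress", [])):
        if not rule.get("toCIDRSet"):
            findings.append(f"{name}: egress rule {i} has no toCIDRSet (egress unconstrained)")
    return findings


def run_audit() -> List[str]:
    """Run both checks over the constructed sample objects."""
    findings = audit_parent(PARENT_POLICY, SG_INVENTORY)
    for derived in (DERIVED_OK, DERIVED_EMPTY):
        findings.extend(audit_derived(derived))
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

On the sample data the script reports three findings: the unattached group, the non-existent group, and the derived policy without a toCIDRSet. The derived-policy check is the one that directly detects the condition the advisory describes; the parent-policy check catches the misconfiguration before the policy is applied, which remains useful even on patched versions.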

Remediation

Upgrade to Cilium versions 1.16.17, 1.17.10, or 1.18.4.

Added: Nov 29, 2025, 1:22 AM
Updated: Nov 29, 2025, 1:22 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 4.0
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.