Cilium WireGuard Traffic Bypass Vulnerability Allowing Incorrect Pod Communication

Vulnerability

A vulnerability in Cilium versions 1.18.0 through 1.18.5 causes traffic between Pods on different nodes to be handled incorrectly. When Native Routing, WireGuard, and Node Encryption are all enabled, host firewall policies may not be enforced on that traffic, so traffic that should be denied can be allowed. This issue is fixed in Cilium version 1.18.6.

Impact

The vulnerability can cause host firewall policies to be bypassed, allowing traffic between Pods on different nodes that the policies were meant to block, which is a violation of the cluster's intended security policy.

Reproduction

The vulnerability can be reproduced by enabling Native Routing, WireGuard, and Node Encryption together in Cilium versions 1.18.0 to 1.18.5. With these settings, traffic arriving from Pods on other nodes may be incorrectly allowed, bypassing host firewall policies.

Remediation

To address this vulnerability, Cilium users should update to version 1.18.6. Where an immediate update is not possible, the recommended workaround is to route all ingress traffic arriving on the 'cilium_wg0' interface through 'cilium_host' so that policy enforcement applies to it. This is done by adding the corresponding IP rules and routes for both IPv4 and IPv6 traffic on each node.
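Before applying the workaround or scheduling the upgrade, an operator first needs to know which nodes actually run the affected combination. The following triage script is an added example, not part of this advisory or of the Cilium project: it checks a Cilium version string against the 1.18.0 to 1.18.5 range and inspects the three relevant settings in text shaped like `cilium config view` output (the ConfigMap keys `routing-mode`, `enable-wireguard` and `encrypt-node`, and the "key value" line format, are assumptions here; the sample configuration is constructed).

```shell
#!/bin/sh
# Added triage helper (not Cilium project code). Flags a node as needing the
# 1.18.6 upgrade or the cilium_wg0 -> cilium_host routing workaround when it
# runs Cilium 1.18.0..1.18.5 with native routing, WireGuard and node
# encryption all enabled. Assumed ConfigMap keys: routing-mode,
# enable-wireguard, encrypt-node.

# is_affected_version VERSION -> 0 (true) if VERSION is 1.18.0 .. 1.18.5.
# Accepts an optional leading "v"; a pre-release suffix such as -rc.1 is
# ignored, so 1.18.0-rc.1 is treated as 1.18.0.
is_affected_version() {
    v=${1#v}
    case $v in *.*.*) ;; *) return 1 ;; esac   # need MAJOR.MINOR.PATCH
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                    # strip any suffix
    [ "$major" = 1 ] && [ "$minor" = 18 ] && [ "$patch" -le 5 ] 2>/dev/null
}

# cfg_get CONFIG_TEXT KEY -> prints the value of KEY (first match).
# CONFIG_TEXT is assumed to be "key value" lines like `cilium config view`.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# is_affected_config CONFIG_TEXT -> 0 if all three settings are enabled.
is_affected_config() {
    [ "$(cfg_get "$1" routing-mode)" = native ] &&
    [ "$(cfg_get "$1" enable-wireguard)" = true ] &&
    [ "$(cfg_get "$1" encrypt-node)" = true ]
}

# node_needs_remediation VERSION CONFIG_TEXT -> 0 if both conditions hold.
node_needs_remediation() {
    is_affected_version "$1" && is_affected_config "$2"
}

# Constructed sample of `cilium config view` output (not real node data).
SAMPLE_CFG='enable-ipv4          true
enable-wireguard     true
encrypt-node         true
routing-mode         native'

if node_needs_remediation "1.18.3" "$SAMPLE_CFG"; then
    echo "affected: upgrade to 1.18.6 or apply the cilium_wg0 -> cilium_host routing workaround"
else
    echo "not in the affected configuration"
fi
```

On a live node the version comes from `cilium version` and the configuration text from `cilium config view`; pass those to `node_needs_remediation` in place of the constructed sample.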

Added: Feb 20, 2026, 12:25 AM
Updated: Feb 20, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 4.1
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.