Cilium Sensitive Data Exposure Vulnerability in cilium-bugtool Prior to 1.17.15, 1.18.9 and 1.19.3

Vulnerability

A vulnerability exists in Cilium's cilium-bugtool debug utility, which can inadvertently include sensitive information when run on Cilium deployments with WireGuard encryption enabled. This issue is present in Cilium versions prior to 1.17.15, as well as versions 1.18.0 through 1.18.8 and 1.19.0 through 1.19.2. The sensitive data exposed includes the WireGuard private key used for encrypted communication between nodes.

Impact

The vulnerability allows the WireGuard private key to be included in the cilium-bugtool output, posing a risk of unauthorized access to encrypted communications between nodes.

Remediation

Users should update to Cilium versions 1.17.15, 1.18.9, or 1.19.3. For those who have shared bugtool or sysdump archives from WireGuard-enabled nodes, it is recommended to rotate the WireGuard keys on the affected nodes by deleting the key file, restarting the Cilium agent, and allowing it to generate a new key pair.
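To decide which previously shared archives call for the key rotation described above, the following added example (not part of the advisory and not Cilium project code) scans a tar archive for WireGuard-key-shaped strings and reports only the names of the files that contain one. It assumes the key appears as a standard 44-character base64 string with Curve25519 clamping bits set, which is how WireGuard tooling normally emits private keys. The file names and key bytes in the sample archive are constructed. Nested archives are not unpacked, and public keys pass the clamping test about 1 time in 32, so treat hits as candidates.

```python
import base64
import io
import re
import tarfile

# A 32-byte key in standard base64 is 43 characters plus one '=' pad.
_KEY_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=(?![A-Za-z0-9+/=])")

def looks_like_private_key(token: bytes) -> bool:
    """True if token decodes to 32 bytes with Curve25519 clamping applied."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    # Clamping: low 3 bits of byte 0 clear, top bit of byte 31 clear, bit 6 set.
    return len(raw) == 32 and (raw[0] & 0x07) == 0 and (raw[31] & 0xC0) == 0x40

def scan_archive(fileobj):
    """Return sorted names of tar members that hold a candidate private key."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if any(looks_like_private_key(m.group()) for m in _KEY_RE.finditer(data)):
                hits.append(member.name)  # report the location, never the key
    return sorted(hits)

def build_sample_archive() -> io.BytesIO:
    """Constructed test data: one clamped key, one unclamped 32-byte value."""
    clamped = bytes([0x08] + [0x11] * 30 + [0x41])
    unclamped = bytes([0x0B] + [0x22] * 30 + [0x81])
    files = {
        "sample/wg-state.txt": b"private-key: " + base64.b64encode(clamped) + b"\n",
        "sample/peers.txt": b"peer: " + base64.b64encode(unclamped) + b"\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```
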

Added: May 8, 2026, 11:30 PM
Updated: May 8, 2026, 11:30 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 3.5
remediation: 8.3
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.