Share
## https://sploitus.com/exploit?id=PACKETSTORM:216060
=============================================================================================================================================
    | # Title     : Cilium 1.18.0โ€“1.18.5 eBPF Datapath Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://cilium.io/                                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : This Python script performs a comprehensive node-level analysis to assess the Cilium 1.18.0โ€“1.18.5 vulnerability 
                     that allows cross-node Pod traffic to bypass Host Firewall policies when Native Routing, WireGuard, and Node Encryption are enabled.
    				 
    [+] POC   :  
    
    #!/usr/bin/env python3
    
    import subprocess
    import re
    import os
    
    CILIUM_REPO = "/tmp/cilium_repo"
    VERSION_A = "v1.18.5"
    VERSION_B = "v1.18.6"
    
    def run(cmd):
        try:
            return subprocess.check_output(cmd, shell=True).decode()
        except:
            return ""
    
    def section(title):
        print("\n" + "="*60)
        print(title)
        print("="*60)
    
    def check_version():
        section("CILIUM VERSION")
        out = run("cilium version")
        print(out)
        match = re.search(r"v(\d+\.\d+\.\d+)", out)
        return match.group(1) if match else "Unknown"
    
    def check_config():
        section("CILIUM CONFIG")
        print(run("cilium config"))
    
    def check_wireguard():
        section("WIREGUARD STATUS")
        print(run("cilium status | grep -i wireguard"))
    
    def check_bpf_attach_points():
        section("BPF ATTACH POINTS")
        print(run("bpftool net attach show"))
    
    def check_bpf_programs():
        section("LOADED BPF PROGRAMS")
        print(run("bpftool prog show | grep cilium"))
    
    def check_bpf_maps():
        section("BPF MAPS")
        print(run("bpftool map show | grep cilium"))
    
    def dump_policy_map():
        section("POLICY MAP DUMP")
        print(run("bpftool map dump name cilium_policy 2>/dev/null"))
    
    def clone_repo():
        section("CLONING CILIUM SOURCE")
        if not os.path.exists(CILIUM_REPO):
            run(f"git clone https://github.com/cilium/cilium.git {CILIUM_REPO}")
    
    def diff_datapath():
        section("DIFF DATAPATH BETWEEN 1.18.5 AND 1.18.6")
    
        os.chdir(CILIUM_REPO)
    
        run(f"git checkout {VERSION_A}")
        run("cp -r bpf /tmp/bpf_a")
    
        run(f"git checkout {VERSION_B}")
        run("cp -r bpf /tmp/bpf_b")
    
        diff = run("diff -ru /tmp/bpf_a /tmp/bpf_b | grep -E 'bpf_host|bpf_wireguard|policy|nodeport'")
    
        print(diff if diff else "No relevant datapath diff found.")
    
    def analyze_root_cause(version):
        section("ROOT CAUSE ANALYSIS")
    
        if version.startswith("1.18.") and version <= "1.18.5":
            print("Version within vulnerable range.")
            print("""
    Likely Root Cause:
    - WireGuard decrypt path reinjects packet
    - Host firewall hook not triggered
    - Identity context not revalidated
    - Policy map lookup skipped or misordered
    """)
        else:
            print("Version likely patched (>= 1.18.6).")
            print("""
    Patch likely:
    - Reordered host firewall hook
    - Ensured policy lookup after decrypt
    - Fixed identity propagation
    """)
    
    def main():
        version = check_version()
        check_config()
        check_wireguard()
        check_bpf_attach_points()
        check_bpf_programs()
        check_bpf_maps()
        dump_policy_map()
        clone_repo()
        diff_datapath()
        analyze_root_cause(version)
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================