Share
## https://sploitus.com/exploit?id=PACKETSTORM:216060
=============================================================================================================================================
| # Title : Cilium 1.18.0โ1.18.5 eBPF Datapath Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://cilium.io/ |
=============================================================================================================================================
[+] Summary : This Python script performs a comprehensive node-level analysis to assess the Cilium 1.18.0โ1.18.5 vulnerability
that allows cross-node Pod traffic to bypass Host Firewall policies when Native Routing, WireGuard, and Node Encryption are enabled.
[+] POC :
#!/usr/bin/env python3
import subprocess
import re
import os
CILIUM_REPO = "/tmp/cilium_repo"
VERSION_A = "v1.18.5"
VERSION_B = "v1.18.6"
def run(cmd):
try:
return subprocess.check_output(cmd, shell=True).decode()
except:
return ""
def section(title):
print("\n" + "="*60)
print(title)
print("="*60)
def check_version():
section("CILIUM VERSION")
out = run("cilium version")
print(out)
match = re.search(r"v(\d+\.\d+\.\d+)", out)
return match.group(1) if match else "Unknown"
def check_config():
section("CILIUM CONFIG")
print(run("cilium config"))
def check_wireguard():
section("WIREGUARD STATUS")
print(run("cilium status | grep -i wireguard"))
def check_bpf_attach_points():
section("BPF ATTACH POINTS")
print(run("bpftool net attach show"))
def check_bpf_programs():
section("LOADED BPF PROGRAMS")
print(run("bpftool prog show | grep cilium"))
def check_bpf_maps():
section("BPF MAPS")
print(run("bpftool map show | grep cilium"))
def dump_policy_map():
section("POLICY MAP DUMP")
print(run("bpftool map dump name cilium_policy 2>/dev/null"))
def clone_repo():
section("CLONING CILIUM SOURCE")
if not os.path.exists(CILIUM_REPO):
run(f"git clone https://github.com/cilium/cilium.git {CILIUM_REPO}")
def diff_datapath():
section("DIFF DATAPATH BETWEEN 1.18.5 AND 1.18.6")
os.chdir(CILIUM_REPO)
run(f"git checkout {VERSION_A}")
run("cp -r bpf /tmp/bpf_a")
run(f"git checkout {VERSION_B}")
run("cp -r bpf /tmp/bpf_b")
diff = run("diff -ru /tmp/bpf_a /tmp/bpf_b | grep -E 'bpf_host|bpf_wireguard|policy|nodeport'")
print(diff if diff else "No relevant datapath diff found.")
def analyze_root_cause(version):
section("ROOT CAUSE ANALYSIS")
if version.startswith("1.18.") and version <= "1.18.5":
print("Version within vulnerable range.")
print("""
Likely Root Cause:
- WireGuard decrypt path reinjects packet
- Host firewall hook not triggered
- Identity context not revalidated
- Policy map lookup skipped or misordered
""")
else:
print("Version likely patched (>= 1.18.6).")
print("""
Patch likely:
- Reordered host firewall hook
- Ensured policy lookup after decrypt
- Fixed identity propagation
""")
def main():
version = check_version()
check_config()
check_wireguard()
check_bpf_attach_points()
check_bpf_programs()
check_bpf_maps()
dump_policy_map()
clone_repo()
diff_datapath()
analyze_root_cause(version)
if __name__ == "__main__":
main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================