CVE-2023-41333

Summary

CVE-2023-41333 affects Cilium, a networking, observability, and security solution that utilizes an eBPF-based dataplane. An attacker with access to modify CiliumNetworkPolicy objects in a specific namespace can bypass policy enforcement across the entire Cilium cluster. They can achieve this by employing a crafted `endpointSelector` with the `DoesNotExist` operator on the `reserved:init` label. This vulnerability allows potential traffic allowing or denial for the entire cluster. The attacker must have API server access, as outlined in the Kubernetes API Server Attacker section of Cilium's threat model. The issue has been addressed in Cilium versions 1.14.2, 1.13.7, and 1.12.14. As a workaround, an admission webhook can be implemented to restrict the usage of `endpointSelectors` with the `DoesNotExist` operator on the `reserved:init` label in CiliumNetworkPolicies.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.