
CVE-2022-29178: Access to Unix domain socket can lead to privileges escalation in Cilium

CVSS Score
8.8 (CVSS v3.1)

Basic Information

EPSS Score
0.40627%
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Package Name              Ecosystem  Vulnerable Versions    First Patched Version
github.com/cilium/cilium  go         >= 1.11.0, < 1.11.5    1.11.5
github.com/cilium/cilium  go         >= 1.10.0, < 1.10.11   1.10.11
github.com/cilium/cilium  go         < 1.9.16               1.9.16

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from Cilium's Unix domain socket being accessible to group ID 1000. The patches show Dockerfile changes that remove the creation of the 'cilium' group and modify the runtime command. No direct Go code changes appear in the provided patches, so the change of default group implies two things: 1) the main agent process ran with GID 1000 (visible in process trees); 2) the socket creation functions would appear in stack traces when the agent handles API requests. The high-confidence identification of main() comes from the Docker context changes that affect runtime privileges, while the socket creation function is inferred from the standard socket handling patterns in Cilium's architecture.


Impact

Users with host file system access on a node and the privileges to run as group ID 1000 can gain access to the per node API of Cilium via Unix domain socket on the host where Cilium is running. If a malicious user is able to gain unprivil
