4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27594

GHSA ID

GHSA-8fg8-jh2h-f2hc

EPSS Score

0.11752%

CWE

CWE-285

Published

3/17/2023

Updated

3/24/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27594

CVE-2023-27594: Potential network policy bypass when routing IPv6 traffic

Impact

Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. Only IPv6 traffic is impacted by this vulnerability.

This issue only manifests when:

Cilium is routing IPv6 traffic, and
Kube-proxy is used for service handling, and
NodePorts are used to route traffic to pods.

IPv6 is disabled by default. Cilium's kube-proxy replacement feature is not affected by this vulnerability.

Patches

The problem has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1

Workarounds

Disable IPv6 routing (IPv6 is disabled by default).

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Yusuke Suzuki for both highlighting and fixing the issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27594

GHSA ID

GHSA-8fg8-jh2h-f2hc

EPSS Score

0.11752%

CWE

CWE-285

Published

3/17/2023

Updated

3/24/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cilium/cilium	go	< 1.11.15	1.11.15
github.com/cilium/cilium	go	>= 1.12.0, < 1.12.8	1.12.8
github.com/cilium/cilium	go	>= 1.13.0, < 1.13.1	1.13.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect source IP attribution in IPv6 NodePort handling. The Cilium release notes for patched versions reference fixes to 'remote-node identity classification' (PR #23091) and connectivity issues in IPv6+KPR scenarios (PR #23857). These imply flaws in BPF datapath logic where external IPv6 traffic was misidentified as originating from the host. The handle_ipv6 and ipv6_send_from_netdev functions are core to IPv6 packet processing and align with the described misattribution mechanism. The 'high' confidence for handle_ipv6 stems from direct references to identity classification fixes, while ipv6_send_from_netdev is inferred from NodePort flow handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t Un**r sp**i*i* *on*itions, *ilium m*y mis*ttri*ut* t** sour** IP ***r*ss o* tr***i* to * *lust*r, i**nti*yin* *xt*rn*l tr***i* *s *omin* *rom t** *ost on w*i** *ilium is runnin*. *s * *ons*qu*n**, n*twork poli*i*s *or t**t *lust*r mi**t **

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t sour** IP *ttri*ution in IPv* No**Port **n*lin*. T** *ilium r*l**s* not*s *or p*t**** v*rsions r***r*n** *ix*s to 'r*mot*-no** i**ntity *l*ssi*i**tion' (PR #*****) *n* *onn**tivity issu*s in IPv*+KPR s**n*rios (

4.2

Basic Information

Concerned about an active attack path?

CVE-2023-27594: Potential network policy bypass when routing IPv6 traffic

Impact

Patches

Workarounds

Acknowledgements

For more information

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI