| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/siderolabs/omni | go | < 0.48.0 | 0.48.0 |
The vulnerability lies in the lack of destination IP address validation for packets received on the SideroLink WireGuard interface in Omni. This allows a potentially malicious workload on a connected Talos machine to send packets to arbitrary services on the Omni host or its local network.
Analysis of the patch commit a5efd816a239e6c9e5ea7c0d43c02c04504d7b60 shows that the fix lives in the internal/pkg/siderolink/manager.go file; specifically, the startWireguard method of the Manager struct was updated.
The key change is the addition of the InputPacketFilters parameter when calling manager.wgHandler.SetupDevice. The new filter, tun.FilterAllExceptIP(serverAddr.Addr()), explicitly restricts incoming packets to only those destined for the Omni server's own IP address on the WireGuard interface.
Therefore, the siderolink.Manager.startWireguard function is identified as the vulnerable function. It's not that the function itself is exploited at runtime, but rather that it is responsible for creating the misconfigured, vulnerable network state that allows the exploit to occur. An attacker would trigger the vulnerability by sending crafted packets over the established tunnel, but the root cause is the insecure setup performed by this function.
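To make the effect of the fix concrete, here is an added example (not Omni's code, and not the real tun.FilterAllExceptIP) of the check an input filter of that kind performs: it parses the destination address out of each raw IP packet coming off the WireGuard TUN device and drops anything not addressed to the server's own tunnel address. The server address fdae:41e4:649b:9303::1 and the packet builder are constructed for the example.

```go
package main

import "net/netip"

// destinationIP reads the destination address from a raw IPv4/IPv6 packet
// arriving from the TUN device; truncated or non-IP data is rejected.
func destinationIP(pkt []byte) (netip.Addr, bool) {
	switch {
	case len(pkt) >= 20 && pkt[0]>>4 == 4:
		var a [4]byte
		copy(a[:], pkt[16:20])
		return netip.AddrFrom4(a), true
	case len(pkt) >= 40 && pkt[0]>>4 == 6:
		var a [16]byte
		copy(a[:], pkt[24:40])
		return netip.AddrFrom16(a), true
	}
	return netip.Addr{}, false
}

// allowOnlyDestination is a hypothetical stand-in for the patch's
// tun.FilterAllExceptIP: the returned input filter accepts a packet only
// when its destination is the server's own WireGuard address.
func allowOnlyDestination(server netip.Addr) func([]byte) bool {
	server = server.Unmap()
	return func(pkt []byte) bool {
		dst, ok := destinationIP(pkt)
		return ok && dst.Unmap() == server
	}
}

// ipPacket builds a constructed, header-only IPv4 or IPv6 packet addressed to dst.
func ipPacket(dst netip.Addr) []byte {
	if dst.Is4() {
		pkt := make([]byte, 20)
		pkt[0] = 0x45 // IPv4, 20-byte header
		d := dst.As4()
		copy(pkt[16:], d[:])
		return pkt
	}
	pkt := make([]byte, 40)
	pkt[0] = 0x60 // IPv6
	d := dst.As16()
	copy(pkt[24:], d[:])
	return pkt
}
```

Without such a filter, a packet from the tunnel addressed to a host-local service or a neighbouring machine is handed to the host network stack as if it were meant for the server.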