Listen to this Post
The vulnerability (CVE-2024-42459) exists in Cilium’s debugging tool cilium-bugtool. When Cilium is deployed with WireGuard Transparent Encryption for node-to-node communication, the WireGuard private key is stored in a file named `cilium_wg0.key` on each node. The `cilium-bugtool` utility, used for gathering diagnostic information, collects various system and Cilium state files. Under normal operation, this tool is invoked manually or via `cilium sysdump` command to create debug archives. However, the tool includes the WireGuard private key file in its output archive without any redaction or access control mechanism. An attacker or any user with access to the generated bugtool or sysdump archive can extract the private key. With the WireGuard private key, an attacker can decrypt node-to-node encrypted traffic, impersonate a legitimate node, or potentially inject malicious traffic into the encrypted overlay network. The issue affects Cilium versions v1.19.0 to v1.19.2, v1.18.0 to v1.18.8, and all versions prior to v1.17.15. The vulnerability is fixed in v1.19.3, v1.18.9, and v1.17.15. There is no workaround other than key rotation. The exposure occurs only when the tool is run; the tool does not execute during normal cluster operation. The key is stored in plaintext on the filesystem (typically /var/lib/cilium/cilium_wg0.key) and is world-readable by default, but the bugtool explicitly copies it into the archive. This leads to sensitive data leakage if archives are shared.
dailycve form:
Platform: Cilium
Version: 1.19.0-1.19.2, 1.18.0-1.18.8, <1.17.15
Vulnerability: WireGuard key leak
Severity: Medium
date: 2024-06-10
Prediction: 2024-06-20 (patched)
Analytics under What Undercode Say:
Check if WireGuard is enabled and key exists
cilium status | grep WireGuard
ls -la /var/lib/cilium/cilium_wg0.key
Simulate bugtool archive creation and inspect contents
cilium-bugtool --archive
tar -xzf cilium-bugtool-.tar.gz
find ./ -name "cilium_wg0.key" -exec cat {} \;
For sysdump command (Cilium CLI)
cilium sysdump --output-filename cilium-sysdump
unzip cilium-sysdump.zip
grep -r "private_key" cilium-sysdump/ | head -5
Rotate WireGuard key as workaround (after exposure)
rm /var/lib/cilium/cilium_wg0.key
systemctl restart cilium-agent
Verify new key generation
ls -la /var/lib/cilium/cilium_wg0.key
Exploit:
An attacker who obtains a bugtool or sysdump archive from a vulnerable Cilium node can extract the WireGuard private key by locating the `cilium_wg0.key` file inside the archive (e.g., ./cilium-bugtool-<timestamp>/run/var/lib/cilium/cilium_wg0.key). With this key, the attacker can decrypt all node-to-node WireGuard traffic, forge packets, or establish unauthorized connections as if they were a trusted node. No authentication is required beyond access to the archive.
Protection from this CVE:
- Upgrade Cilium to patched versions: v1.19.3, v1.18.9, v1.17.15 or later.
- If upgrade is not immediately possible, avoid running `cilium-bugtool` or `cilium sysdump` on WireGuard-enabled nodes.
- Restrict access to any existing bugtool/sysdump archives to only trusted personnel.
- Rotate WireGuard keys on all affected nodes by deleting the key file and restarting the Cilium agent (as shown above).
- Monitor file access logs for `/var/lib/cilium/cilium_wg0.key` and any bugtool output directories.
Impact:
Exposure of the WireGuard private key compromises the confidentiality and integrity of all node-to-node encrypted traffic in the Cilium cluster. An attacker can decrypt sensitive pod-to-pod communication, perform man-in-the-middle attacks between nodes, and potentially escalate to full cluster compromise. The vulnerability does not require any privileges beyond read access to the bugtool archive. Organizations sharing sysdump archives for debugging (e.g., with support teams) are at high risk. No active exploitation in the wild has been confirmed as of the advisory date, but the leaked key can be used offline. The impact is confined to clusters where WireGuard Transparent Encryption is enabled.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

