🛡️ Vuln Watch
Vulnerabilities Package Scanner
Total: 242213
Results: 61
Page: 1/2
8.8/10 High
🔒 VPN ⚡ CWE-1386 🎯 Local ⚪ Not exploited
📅 2026-05-04 NVD

Full description

A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.

Vulnerability type

CWE-1386 — Insecure Operation on Windows Junction / Mount Point

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

8.8/10 High
📦 BR-6208AC 🏢 Edimax 🔒 VPN ⚡ Buffer Overflow 🎯 Remote ⚪ Not exploited
📅 2026-05-03 NVD

Full description

A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Manipulating the argument pptpDfGateway results in a buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8/10 High
📦 BR-6428nC 🏢 Edimax 🔒 VPN ⚡ Buffer Overflow 🎯 Remote ⚪ Not exploited
📅 2026-05-03 NVD

Full description

A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Manipulating the argument pptpDfGateway leads to a buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.3/10 Medium
🔒 VPN ⚡ Injection 🎯 Remote ⚪ Not exploited
📅 2026-05-03 NVD

Full description

A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. Manipulating the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-74 — Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.3/10 Medium
🔒 VPN ⚡ Injection 🎯 Remote ⚪ Not exploited
📅 2026-05-03 NVD

Full description

A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. Manipulating the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-74 — Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

8.8/10 High
🔒 VPN ⚡ Buffer Overflow 🎯 Remote ⚪ Not exploited
📅 2026-05-03 NVD

Full description

A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Manipulating the argument vpn_pptp_server/vpn_l2tp_server can lead to a buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-28 NVD

Full description

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnClientCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument enabled can lead to OS command injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-28 NVD

Full description

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument User leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-28 NVD

Full description

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument enable causes OS command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.8/10 High
🔒 VPN ⚡ Buffer Overflow 🎯 Remote ⚪ Not exploited
📅 2026-04-27 NVD

Full description

A security vulnerability has been detected in Tenda F456 1.0.0.5. This impacts the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. Manipulating the argument delno leads to a buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Vulnerability type

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8/10 High
🔒 VPN ⚡ Buffer Overflow 🎯 Remote ⚪ Not exploited
📅 2026-04-26 NVD

Full description

A weakness has been identified in Tenda F456 1.0.0.5. This vulnerability affects the function fromPptpUserAdd of the file /goform/PPTPDClient of the component httpd. Manipulating the argument opttype/usernamewith can lead to a buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

Vulnerability type

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-26 NVD

Full description

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument pptpPassThru results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10/10 Critical
📦 github.com/jkroepke/openvpn-auth-oauth2 📌 >= 1.26.3, < 1.27.3 🔒 VPN 🐹 Go library ⚡ Auth Bypass 🎯 Remote ⚪ Not exploited 🟢 Patched 🔍 kkalev
📅 2026-04-22 GitHub

Full description

# Summary

When `openvpn-auth-oauth2` is deployed in the **experimental plugin mode** (shared library loaded by OpenVPN via the `plugin` directive), clients that do not support WebAuth/SSO (e.g., the `openvpn` CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. **The default management-interface mode is not affected** because it does not use the OpenVPN plugin return-code mechanism.

# Impact

**Authentication bypass — any VPN client that does not advertise WebAuth/SSO support (`IV_SSO=webauth`) is granted full network access without completing OIDC authentication.**

This affects only deployments running the **experimental plugin mode** in versions 1.26.3 through 1.27.2. The default and recommended deployment via the management interface is **not affected**.

An unauthenticated attacker can connect to the OpenVPN server using any standard OpenVPN client that does not support webauth (e.g., the Linux `openvpn` CLI). The plugin correctly issues a `client-deny` command via the management interface, but returns `OPENVPN_PLUGIN_FUNC_SUCCESS` (status=0) to OpenVPN. Because the `auth_control_file` content is only consulted when the plugin returns `FUNC_DEFERRED`, OpenVPN interprets status=0 as "authentication passed" and admits the client, granting full access to the internal network behind the VPN.

## Root Cause

In `lib/openvpn-auth-oauth2/openvpn/handle.go`, the `ClientAuthDeny` branch of `handleAuthUserPassVerify` wrote `"0"` (deny) to the `auth_control_file` but returned `OPENVPN_PLUGIN_FUNC_SUCCESS`. OpenVPN only reads the `auth_control_file` when the plugin returns `FUNC_DEFERRED`; a synchronous `FUNC_SUCCESS` return is treated as immediate approval regardless of file contents.

**Before fix:**

```go
case management.ClientAuthDeny:
	// ... writes "0" to auth_control_file ...
	if err := openVPNClient.WriteToAuthFile("0"); err != nil { // only returned ERROR on write failure
		return c.OpenVPNPluginFuncError
	}
	return c.OpenVPNPluginFuncSuccess // ← BUG: OpenVPN sees this as "auth passed"
```

**After fix (commit [`36f69a6`](https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2)):**

```go
case management.ClientAuthDeny:
	// ... writes "0" to auth_control_file ...
	if err := openVPNClient.WriteToAuthFile("0"); err != nil {
		logger.ErrorContext(p.ctx, "write to auth file", slog.Any("err", err))
	}
	return c.OpenVPNPluginFuncError // ← FIX: OpenVPN now correctly rejects the client
```

# Patches

This vulnerability is fixed in **v1.27.3**. Users of the experimental plugin mode should upgrade immediately.

- **Fix commit:** [`36f69a6`](https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2)
- **Fix PR:** [#829](https://github.com/jkroepke/openvpn-auth-oauth2/pull/829)

# Workarounds

- **Switch to standalone management client mode** (the default, non-plugin deployment). This mode is not affected by the vulnerability because authentication decisions are communicated entirely through the management interface protocol, not through the plugin return code.
- **Restrict VPN access at the network level** to only clients known to support WebAuth/SSO (e.g., OpenVPN Connect 3+), although this is difficult to enforce reliably and is not recommended as a sole mitigation.

Affected versions

>= 1.26.3, < 1.27.3

Vulnerability type

CWE-287 — Auth Bypass

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

4.3/10 Medium
📦 PublicCMS 🏢 Sanluan 🔒 VPN ⚡ DoS 🎯 Remote ⚪ Not exploited
📅 2026-04-21 NVD

Full description

A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability type

CWE-400 — DoS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

8.6/10 High
🔒 VPN ⚡ Stack Overflow 🎯 Remote ⚪ Not exploited
📅 2026-04-20 NVD

Full description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Vulnerability type

CWE-121 — Stack Overflow

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-13 NVD

Full description

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument FileName leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5.7/10 Medium
🔒 VPN 🎯 Remote ⚪ Not exploited
📅 2026-04-10 NVD

Full description

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

9.8/10 High
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-10 GitHub

Full description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument User results in OS command injection. The attack may be launched remotely. The exploit is now public and may be used.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8/10 High
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-10 GitHub

Full description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument enable leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8/10 Critical
🔒 VPN ⚡ Command Injection 🎯 Remote ⚪ Not exploited
📅 2026-04-09 NVD

Full description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument pptpPassThru leads to OS command injection. Remote exploitation is possible. The exploit is publicly available and might be used.

Vulnerability type

CWE-77 — Command Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5/10 High
🔒 VPN ⚡ CWE-789 🎯 Remote ⚪ Not exploited
📅 2026-04-07 NVD

Full description

SoftEtherVPN is an open-source, cross-platform, multi-protocol VPN program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.

Vulnerability type

CWE-789 — Memory Allocation with Excessive Size Value

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.2/10 Medium
📦 Microsoft Smart VPN 🔒 VPN ⚡ CWE-470 🎯 Local ⚪ Not exploited
📅 2026-04-04 GitHub

Full description

Microsoft Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled exception that crashes the application.

Vulnerability type

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Unspecified
📦 github.com/bishopfox/sliver 📌 All versions < 0 🔒 VPN 🐹 Go library ⚪ Not exploited
📅 2026-04-02 OSV/Go

Full description

Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted in github.com/bishopfox/sliver

Affected versions

All versions < 0

5.9/10 Medium
📦 libsoup 🏢 gnome 🔒 VPN ⚡ CWE-319 🎯 Remote ⚪ Not exploited
📅 2026-03-30 NVD

Full description

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

Vulnerability type

CWE-319 — Cleartext Transmission of Sensitive Information

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

4.2/10 Medium
📦 FRR 🏢 FRRouting 🔒 VPN ⚡ CWE-266 🎯 Remote ⚪ Not exploited
📅 2026-03-30 NVD

Full description

A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy the patch.

Vulnerability type

CWE-266 — Incorrect Privilege Assignment

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

High
📦 github.com/bishopfox/sliver 📌 All versions < 0 🔒 VPN 🐹 Go library 🎯 Remote ⚪ Not exploited
📅 2026-03-29 OSV/Go

Full description

### Summary

A nil pointer dereference in `tunnelCloseHandler` causes the handler goroutine to panic whenever a reverse tunnel (rportfwd) close is attempted. Both the legitimate close path AND the unauthorized close path dereference `tunnel.SessionID` where `tunnel` is guaranteed nil. This means rportfwd tunnels can never be cleanly closed, and any authenticated implant can trigger repeated goroutine panics.

### Details

File: `server/handlers/sessions.go` lines 172 and 175

The function enters an `else` block precisely because `core.Tunnels.Get(tunnelData.TunnelID)` returned `nil`. Both conditions inside that else block then dereference `tunnel.SessionID` instead of `rtunnel.SessionID`:

```go
} else {
	rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)
	if rtunnel != nil && session.ID == tunnel.SessionID { // LINE 172 — nil deref
		rtunnel.Close()
		rtunnels.RemoveRTunnel(rtunnel.ID)
	} else if rtunnel != nil && session.ID != tunnel.SessionID { // LINE 175 — nil deref
		sessionHandlerLog.Warnf("...")
	}
}
```

Note: The identical bug was already fixed in `tunnelDataHandler` at lines 124/126 (correctly uses `rtunnel.SessionID`), but the fix was not applied to `tunnelCloseHandler`.

### PoC

```go
tunnel := GetTunnel(999)   // returns nil — no normal tunnel with this ID
// tunnel is nil here
rtunnel := GetRTunnel(999) // returns valid rtunnel owned by session-AAAA

// Both lines below panic with:
// runtime error: invalid memory address or nil pointer dereference
if rtunnel != nil && sessionID == tunnel.SessionID { ... }        // line 172
} else if rtunnel != nil && sessionID != tunnel.SessionID { ... } // line 175
```

Confirmed on master commit `7ac4db3fa` with standalone reproducer.

Output:

```
PANIC on line 172 (legitimate close): runtime error: invalid memory address or nil pointer dereference
PANIC on line 175 (unauthorized close): runtime error: invalid memory address or nil pointer dereference
```

![1](https://github.com/user-attachments/assets/93b24286-3282-454f-80a4-b01abe4f1d63)
![2](https://github.com/user-attachments/assets/d4219aea-eb18-474c-b69a-a5e20e97161f)
![3](https://github.com/user-attachments/assets/5a76b0d7-ae5b-4d91-bfe9-730d3e5c322c)

### Impact

- rportfwd tunnels **cannot be closed** — functional regression
- Any authenticated implant can trigger repeated handler goroutine panics
- rtunnel map entries leak (never cleaned up on close failure)
- `recoverAndLogPanic()` prevents full server crash but silently drops the close operation

### Fix

Replace `tunnel.SessionID` with `rtunnel.SessionID` on both lines:

```diff
- if rtunnel != nil && session.ID == tunnel.SessionID {
+ if rtunnel != nil && session.ID == rtunnel.SessionID {
      rtunnel.Close()
      rtunnels.RemoveRTunnel(rtunnel.ID)
- } else if rtunnel != nil && session.ID != tunnel.SessionID {
+ } else if rtunnel != nil && session.ID != rtunnel.SessionID {
```

Affected versions

All versions < 0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Unspecified
📦 github.com/bishopfox/sliver 🔒 VPN 🐹 Go library 🎯 Remote ⚪ Not exploited
📅 2026-03-17 OSV/Go

Full description

# Summary

A Remote OOM (Out-of-Memory) vulnerability exists in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The `socketReadEnvelope` and `socketWGReadEnvelope` functions trust an attacker-controlled 4-byte length prefix to allocate memory, with `ServerMaxMessageSize` allowing single allocations of up to **~2 GiB**. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating **~256 GiB** of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have **no** upper-bound check at all.

---

# Root Cause Analysis

The C2 envelope framing protocol uses a 4-byte little-endian length prefix to delimit protobuf messages on the wire:

```
[raw_signature (74 bytes)] [uint32 length] [protobuf data]
```

In [socketReadEnvelope](https://github.com/BishopFox/sliver/blob/master/server/c2/mtls.go#L337-L392), after reading the length prefix, the server immediately allocates a buffer of the attacker-specified size:

```go
// server/c2/mtls.go
const ServerMaxMessageSize = (2 * 1024 * 1024 * 1024) - 1 // ~2 GiB

dataLength := int(binary.LittleEndian.Uint32(dataLengthBuf))
if dataLength <= 0 || ServerMaxMessageSize < dataLength {
	return nil, errors.New("[pivot] invalid data length")
}
dataBuf := make([]byte, dataLength) // ← Allocates up to ~2 GiB
// ... data is read into buffer ...
// Envelope signature verification happens AFTER allocation and read:
if !ed25519.Verify(pubKey, dataBuf, signature) {
	return nil, errors.New("[mtls] invalid signature")
}
```

**Key issues:**

1. **Excessive limit**: `ServerMaxMessageSize` is set to `(2 * 1024 * 1024 * 1024) - 1` ≈ **2 GiB**, far exceeding any legitimate protobuf envelope (large payloads like screenshots and downloads are chunked at the RPC layer).
2. **Allocation before envelope verification**: While the TLS handshake validates the client certificate, the per-envelope ed25519 signature check (`ed25519.Verify`) occurs **after** the buffer allocation and `io.ReadFull`. Once the TLS connection is established, no further cryptographic proof is needed to trigger the allocation.
3. **Yamux amplification**: The yamux session allows up to `mtlsYamuxMaxConcurrentStreams = 128` concurrent streams. Each stream processes `socketReadEnvelope` independently, so a single connection can trigger **128 parallel ~2 GiB allocations**.
4. **Implant-side exposure**: The implant-side readers ([ReadEnvelope](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/mtls/mtls.go#L184) in mTLS/WireGuard, [read()](https://github.com/BishopFox/sliver/blob/master/implant/sliver/pivots/pivots.go#L478) in pivots) have **no upper-bound check at all** — they accept any `dataLength > 0`.

The same pattern exists in [socketWGReadEnvelope](https://github.com/BishopFox/sliver/blob/master/server/c2/wireguard.go#L428-L487) for the WireGuard transport.

_Note: The same unbounded allocation pattern is also present in implant-side readers, though it poses no immediate risk to the server [1](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/mtls/mtls.go#L185), [2](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/wireguard/wireguard.go#L178), [3](https://github.com/BishopFox/sliver/blob/master/implant/sliver/pivots/pivots.go), [4](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/pivotclients/pivotclient.go)._

---

# Proof of Concept

PoC Links: [mtls_poc.go](https://github.com/skoveit/Sliver-OOM-DoS-PoC/) or [Gist Version](https://gist.github.com/skoveit/08f3ec08ffbf3deeff189a83ef827dcf)

1. **Establish mTLS connection**: Complete a valid TLS 1.3 handshake presenting a valid implant client certificate.
2. **Negotiate yamux**: Send the `MUX/1` preface to enter multiplexed stream mode.
3. **Open concurrent streams**: Open multiple yamux streams (up to 128).
4. **Send malicious length prefix**: On each stream, send a 74-byte raw signature buffer followed by a 4-byte length prefix claiming `0x7FFFFFFF` (2,147,483,647 bytes ≈ 2 GiB). No actual data needs to follow.
5. **Result**: Each stream triggers a `make([]byte, 0x7FFFFFFF)` allocation. With 128 concurrent streams, the server process attempts to allocate **up to ~256 GiB** of memory, causing the OS OOM killer to terminate the process.

# Impact

- **Server availability**: The Sliver server process is killed. Active implant sessions are disrupted until the operator manually restarts the server.
- **Host degradation**: On hosts with swap enabled, the OOM event may cause swap thrashing and degrade other services sharing the same host before the process is killed.

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

High
📦 github.com/gravitl/netmaker 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 A user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including priv...
📅 2026-03-11 OSV/Go

Full description

A user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership.

> Credits
> Artem Danilov (Positive Technologies)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

High
📦 github.com/h44z/wg-portal 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 # Privilege Escalation to Admin via User Self-Update in wg-portal ## Summary Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back i...
📅 2026-02-26 OSV/Go

Full description

# Privilege Escalation to Admin via User Self-Update in wg-portal

## Summary

Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. Tested against wg-portal v2.1.2 (Docker image `wgportal/wg-portal:v2`).

## Root Cause

When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database.

## Impact

After the exploit, the attacker has full admin access to the WireGuard VPN management portal. They can:

- Read and modify every user account
- Create, modify, and delete WireGuard peers on any interface
- View WireGuard interface configurations
- Disable or lock other user accounts
- Access the full user list and their API tokens

## Patches

The problem was fixed in the latest release, [v2.1.3](https://github.com/h44z/wg-portal/releases/tag/v2.1.3). The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Not specified
📦 github.com/h44z/wg-portal 🔒 VPN 🐹 Go library Go ⚪ Not exploited
💬 WireGuard Portal v2 has Open Redirect Vulnerability in OAuth Authentication Flow in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false...
📅 2026-02-05 OSV/Go

Full description

WireGuard Portal v2 has Open Redirect Vulnerability in OAuth Authentication Flow in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/h44z/wg-portal before v2.1.2.

Not specified
📦 github.com/h44z/wg-portal 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 ### Summary An Open Redirect vulnerability exists in the OAuth authentication flow that allows attackers to redirect users to external malicious websites after authentication. The vulnerability is caused by insufficient validation of the return parameter in the OAuth login initia...
📅 2026-02-02 OSV/Go

Full description

### Summary

An Open Redirect vulnerability exists in the OAuth authentication flow that allows attackers to redirect users to external malicious websites after authentication. The vulnerability is caused by insufficient validation of the return parameter in the OAuth login initialization endpoint.

### Patches

The problem was fixed in the latest release, v2.1.2. The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Not specified
📦 outray 🔒 VPN 🟨 JavaScript library npm 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 ### Summary A TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. ### Details Affected conponent: `apps/web/src/routes/api/tunnel/register.ts` - `/tunnel/register` endpoint code-: ```ts // Check if tunnel al...
📅 2026-01-13 OSV/npm

Full description

### Summary

A TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan.

### Details

Affected component: `apps/web/src/routes/api/tunnel/register.ts` - `/tunnel/register` endpoint code:

```ts
// Check if tunnel already exists in database
const [existingTunnel] = await db
  .select()
  .from(tunnels)
  .where(eq(tunnels.url, tunnelUrl));

const isReconnection = !!existingTunnel;

console.log(
  `[TUNNEL LIMIT CHECK] Org: ${organizationId}, Tunnel: ${tunnelId}`,
);
console.log(
  `[TUNNEL LIMIT CHECK] Is Reconnection: ${isReconnection}`,
);
console.log(
  `[TUNNEL LIMIT CHECK] Plan: ${currentPlan}, Limit: ${tunnelLimit}`,
);

// Check limits only for NEW tunnels (not reconnections)
if (!isReconnection) {
  // Count active tunnels from Redis SET
  const activeCount = await redis.scard(setKey);
  console.log(
    `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
  );

  // The current tunnel is NOT yet in the online_tunnels set (added after successful registration)
  // So we check if activeCount >= limit (not >)
  if (activeCount >= tunnelLimit) {
    console.log(
      `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,
    );
    return json(
      {
        error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? "s" : ""}.`,
      },
      { status: 403 },
    );
  }
  console.log(
    `[TUNNEL LIMIT CHECK] ALLOWED - ${activeCount} < ${tunnelLimit}`,
  );
} else {
  console.log(`[TUNNEL LIMIT CHECK] SKIPPED - Reconnection detected`);
}

if (existingTunnel) {
  // Tunnel with this URL already exists, update lastSeenAt
  await db
    .update(tunnels)
    .set({ lastSeenAt: new Date() })
    .where(eq(tunnels.id, existingTunnel.id));

  return json({
    success: true,
    tunnelId: existingTunnel.id,
  });
}

// Create new tunnel record
const tunnelRecord = {
  id: randomUUID(),
  url: tunnelUrl,
  userId,
  organizationId,
  name: name || null,
  protocol,
  remotePort: remotePort || null,
  lastSeenAt: new Date(),
  createdAt: new Date(),
  updatedAt: new Date(),
};

await db.insert(tunnels).values(tunnelRecord);

return json({ success: true, tunnelId: tunnelRecord.id });
} catch (error) {
  console.error("Tunnel registration error:", error);
  return json({ error: "Internal server error" }, { status: 500 });
}
```

- It checks if the tunnel exists in the database.

  ```ts
  // Check if tunnel already exists in database
  const [existingTunnel] = await db
    .select()
    .from(tunnels)
    .where(eq(tunnels.url, tunnelUrl));

  const isReconnection = !!existingTunnel;
  ```

- Limit is checked here:

  ```ts
  // Check limits only for NEW tunnels (not reconnections)
  if (!isReconnection) {
    // Count active tunnels from Redis SET
    const activeCount = await redis.scard(setKey);
    console.log(
      `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
    );
  ```

- Redis is checked for existing tunnel to check for reconnection.

  ```ts
  // Check limits only for NEW tunnels (not reconnections)
  if (!isReconnection) {
    // Count active tunnels from Redis SET
    const activeCount = await redis.scard(setKey);
    console.log(
      `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
    );
  ```

- If the tunnel limit is exceeded, it pops up the tunnel limit error.

  ```ts
  if (activeCount >= tunnelLimit) {
    console.log(
      `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,
    );
    return json(
      {
        error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? "s" : ""}.`,
      },
      { status: 403 },
    );
  ```

- If the limit is not exceeded, it triggers the `Insert` statement without locking transactions from other requests.

  ```ts
  await db.insert(tunnels).values(tunnelRecord);
  ```

- If parallel requests are made by the `wshandler` in `/outray/outray-main/apps/tunnel/src/core/WSHandler.ts` from the command line app, a request can work on a non-updated row because the `insert` row has not been triggered, allowing the user to bypass the limit. It is much explained in the proof of concept. The key takeaway is db transactions should remain locked.

### PoC

Using this simple bash script, the `outray` binary will be run at the same time in one `tmux` window, demonstrating the race condition and opening 4 tunnels.

```bash
#!/usr/bin/env bash
# POC for Outray Tunnel Race condition

SESSION="outray-race"
PORTS=(8090 4000 5000 6000)

# Create new detached tmux session
tmux new-session -d -s "$SESSION" "echo '[*] outray race session started'; bash"

# Split the panes and run outray
for i in "${!PORTS[@]}"; do
  port="${PORTS[$i]}"
  if [ "$i" -ne 0 ]; then
    tmux split-window -t "$SESSION" -h
    tmux select-layout -t "$SESSION" tiled
  fi
  tmux send-keys -t "$SESSION" "echo '[*] Running outray on port $port'; outray $port" C-m
done

tmux set-window-option -t "$SESSION" synchronize-panes off

echo "[+] tmux session '$SESSION' created"
echo "[+] Attach with: tmux attach -t $SESSION"
```

Running this

```
seeker@instance-20260106-20011$ bash kay.sh
[+] tmux session 'outray-race' created
[+] Attach with: tmux attach -t outray-race
seeker@instance-20260106-20011$ tmux attach -t outray-race
```

![image](https://github.com/user-attachments/assets/c234cc94-fc25-4542-abdf-815332493a85)

![image](https://github.com/user-attachments/assets/1c302d7f-1ca6-46af-ab72-60fd01cdfded)

### Impact

By exploiting this TOCTOU race condition in the affected component, the intended limit is bypassed and server resources are used with no extra billing charges on the user.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Critical
📦 Firebox 🏢 WatchGuard 🔒 VPN 🔴 Exploited 🟢 Patched
💬 WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2...
📅 2025-12-19 CISA-KEV

Full description

WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

Not specified
📦 github.com/BishopFox/sliver 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 ### Summary Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: 1. Leaked/recovered keypair (from a beacon) being used to attack operators. 2. Port forwardings usable from other implants. ### Details 1. Sliver treat operators'...
📅 2025-10-28 OSV/Go

Full description

### Summary

Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to:

1. Leaked/recovered keypair (from a beacon) being used to attack operators.
2. Port forwardings usable from other implants.

### Details

1. Sliver treats operators' Wireguard config and beacon/session's Wireguard config equally, they both connect to the wireguard listener created from the CLI.
2. The current netstack implementation does not filter traffic between clients. I think this piece of code handles traffic between clients, from experimental results clients can ping and connect to each other freely, and I didn't see any filtering here either:

   ```go
   // File: server\c2\wireguard.go
   func socketWGWriteEnvelope(connection net.Conn, envelope *sliverpb.Envelope) error {
   	data, err := proto.Marshal(envelope)
   	if err != nil {
   		wgLog.Errorf("Envelope marshaling error: %v", err)
   		return err
   	}
   	dataLengthBuf := new(bytes.Buffer)
   	binary.Write(dataLengthBuf, binary.LittleEndian, uint32(len(data)))
   	connection.Write(dataLengthBuf.Bytes())
   	connection.Write(data)
   	return nil
   }
   ```

3. The docs say to use Wireguard clients and operator wg-config to connect to the same WG listener as beacons: https://sliver.sh/docs?name=Port%20Forwarding
4. If the operator uses official wireguard clients that integrate with the OS's netstack (I'm using the [Windows client](https://www.wireguard.com/install/)) then their services are accessible on the wireguard interface's IP address (for example 100.64.0.3) when the services listen on 0.0.0.0 (SSH, RDP, SMB, etc)

   ![image](https://github.com/user-attachments/assets/8c791655-6f77-423c-8274-389e0850436b)

5. The beacon's wireguard private key can be recovered through a process dump or other forensic techniques.
6. When a private key is recovered, an attacker can connect to 100.64.0.1:1337 (key exchange listener) to generate new wireguard clients without the operators' knowledge, in that way achieving persistence inside the wireguard network.

### PoC

Easy way:

1. Create 2 operators wireguard config.
2. Connect them both to the wireguard listener.
3. From one machine, ping/scan/connect to the other's services like RDP (3389), SSH (22), etc.

Slightly complicated way:

1. From the operator's machine, connect to the wireguard listener.
2. On the attacker's machine, run a beacon.
3. Dump the process
4. Find the private key, public key, endpoint, etc in the dump file:

   ![image](https://github.com/user-attachments/assets/84d3841f-398d-4bca-939f-bf8ed2881be7)
   ![image](https://github.com/user-attachments/assets/000c7d02-b6f0-4b12-82e5-29eddfff93f8)
   ![image](https://github.com/user-attachments/assets/3d0a3e80-3a16-4434-8622-1832c5865a85)
   ![image](https://github.com/user-attachments/assets/a17f73ab-622b-4852-9c15-0ad5c5afa0eb)

5. Construct a valid Wireguard config based on the strings found. On the attacker's machine, connect to the Wireguard listener.
6. Ping/scan/connect to the other's services like RDP (3389), SSH (22), etc.

### Impact

The operator's machine is impacted: if their services contain a vulnerability, an attacker can exploit it and gain RCE. If not, then it could be used to gather information (Hostname, SSH signature, etc).

### Suggestion

1. Filter traffic between clients with a default-deny policy.
2. Differentiate between operators' and beacons' wireguard config/client
3. Only allow specific one-way traffic when the operator requests to open a Wireguard port forward.

### Vulnerable versions

All versions containing wireguard functionality.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Low
📦 github.com/siderolabs/omni 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 ## Overview Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. In this setup, Omni assigns a random IPv6 address to each Talos machine from a `/64` network block. Omni itself uses the f...
📅 2025-10-23 OSV/Go

Full description

## Overview

Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. In this setup, Omni assigns a random IPv6 address to each Talos machine from a `/64` network block. Omni itself uses the fixed `::1` address within that same block. From Omni's perspective, this is a WireGuard interface with multiple peers, where each peer corresponds to a Talos machine.

The WireGuard interface on Omni is configured to ensure that the **source IP address** of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it **performs no validation on the packet's destination address**.

The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface.

---

## Impact

This vulnerability creates two distinct attack scenarios based on Omni's `IP forwarding` configuration.

1. **IP Forwarding Disabled (Default)**

   If `IP forwarding` is disabled, an attacker on a Talos machine can send packets over SideroLink to any listening service on Omni itself (e.g., an internal API). If Omni is running in host networking mode, any service on the host machine could also be targeted. While this is the default configuration, Omni does not enforce it.

2. **IP Forwarding Enabled**

   If `IP forwarding` is enabled, an attacker on a Talos machine can communicate with other machines connected to Omni or route packets deeper into Omni's network. Although this is not the default configuration, Omni does not check for or prevent this state.

### Patches

The problem has been fixed in Omni >= [0.48.0](https://github.com/siderolabs/omni/releases/tag/v0.48.0), the commit is https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60

### Workarounds

Disable IP forwarding, implement strict firewall rules.

### References

None

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

Critical
📦 github.com/netbirdio/netbird 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default ...
📅 2025-10-20 OSV/Go

Full description

NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed. This issue has been fixed in version 0.57.0.

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Critical
📦 NetScaler ADC and Gateway 🏢 Citrix 🔒 VPN 🔴 Exploited
💬 Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
📅 2025-07-10 CISA-KEV

Full description

Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Critical
📦 NetScaler ADC and Gateway 🏢 Citrix 🔒 VPN 🔴 Exploited 🟢 Patched
💬 Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
📅 2025-06-30 CISA-KEV

Full description

Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Not specified
📦 github.com/cilium/cilium 📌 1.13.0 - 1.15.16 🔒 VPN 🐹 Go library Go 🎯 Remote ⚪ Not exploited 🟢 Patched
💬 ### Impact When using [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg) in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race cond...
📅 2025-04-22 OSV/Go

Full description

### Impact

When using [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg) in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

### Patches

This issue has been patched in https://github.com/cilium/cilium/pull/38592.

This issue affects:

- Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
- Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
- Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

- Cilium v1.15.16
- Cilium v1.16.9
- Cilium v1.17.3

### Workarounds

There is no workaround to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro and @pippolo84 for reporting this issue and to @julianwiedmann for the patch.

### For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Affected versions

1.13.0 - 1.15.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Critical
📦 Sense 🏢 Qlik 🔒 VPN 🔴 Exploited
💬 Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
📅 2025-01-13 CISA-KEV

Full description

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

Not specified
📦 github.com/h44z/wg-portal 🔒 VPN 🐹 Go library Go ⚪ Not exploited
💬 WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false...
📅 2025-01-08 OSV/Go

Full description

WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/h44z/wg-portal from v2.0.0-alpha.1 before v2.0.0-alpha.3.

High
📦 github.com/h44z/wg-portal 📌 2.0.0-alpha.1 - 2.0.0-alpha.3 🔒 VPN 🐹 Go library Go ⚪ Not exploited 🟢 Patched
💬 ### Impact Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website. ### Patches The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The [docker ima...
📅 2025-01-07 OSV/Go

Full description

### Impact

Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

### Patches

The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.

Affected versions

2.0.0-alpha.1 - 2.0.0-alpha.3

Not specified
📦 quincy 🔒 VPN 🦀 Rust library crates.io 🎯 Local network ⚪ Not exploited
💬 A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the...
📅 2024-12-27 OSV/crates.io

Full description

A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the VPN, through the physical interface handling DHCP for the network the victim's computer is connected to, effectively bypassing the VPN connection.

### Impact

All users are potentially affected, as this attack vector can be used against _any_ VPN implementation without mitigations in place.

### Patches

Currently, there are no existing mitigations employed by Quincy.

### Workarounds

Disabling DHCP option 121 in the DHCP client is a potential workaround, as it prevents this kind of attack.

### References

https://www.leviathansecurity.com/blog/tunnelvision

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Critical
📦 AG/vxAG ArrayOS 🏢 Array Networks 🔒 VPN 🔴 Exploited
💬 Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.
📅 2024-11-25 CISA-KEV

Full description

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.

Not specified
📦 github.com/cilium/cilium 📌 1.14.0 - 1.14.7 🔒 VPN 🐹 Go library Go 🎯 Local network ⚪ Not exploited 🟢 Patched
💬 ### Impact For Cilium users who are using CRDs to store Cilium state (the default configuration) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), responses from pods to the Ingress and health endpoints...
📅 2024-06-04 OSV/Go

Full description

### Impact

For Cilium users who are using CRDs to store Cilium state (the default configuration) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium's internal health checks.

### Patches

This issue affects Cilium v1.14 before v1.14.7. This issue has been patched in Cilium v1.14.7.

### Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro for their work on triaging and remediating this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

Affected versions

1.14.0 - 1.14.7

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Not specified
📦 github.com/cilium/cilium 📌 1.14.0 - 1.14.7 🔒 VPN 🐹 Go library Go 🎯 Local network ⚪ Not exploited 🟢 Patched
💬 ### Impact For Cilium users who have enabled [an external kvstore](https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wiregu...
📅 2024-06-04 OSV/Go

Full description

### Impact

For Cilium users who have enabled [an external kvstore](https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), traffic between pods in the affected cluster is not encrypted.

### Patches

This issue affects Cilium v1.14 before v1.14.7. This issue has been patched in Cilium v1.14.7.

### Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

Affected versions

1.14.0 - 1.14.7

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Critical
📦 Quantum Security Gateways 🏢 Check Point 🔒 VPN 🔴 Exploited
💬 Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue ...
📅 2024-05-30 CISA-KEV

Full description

Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several product lines from Check Point, including CloudGuard Network, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.

High
📦 github.com/cilium/cilium 📌 1.4.0 - 1.13.14 🔒 VPN 🐹 Go library Go 🎯 Local network ⚪ Not exploited 🟢 Patched
💬 ### Impact Users of [IPsec transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/) in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to the following ...
📅 2024-03-28 OSV/Go

Full description

### Impact

Users of [IPsec transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/) in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:

- Chosen plaintext attacks
- Key recovery attacks
- Replay attacks

These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.

**Important:** After upgrading, users must perform a key rotation using the instructions [here](https://docs.cilium.io/en/latest/security/network/encryption-ipsec/#key-rotation) to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.

### Patches

All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.

Patched versions:

- Cilium 1.15.3
- Cilium 1.14.9
- Cilium 1.13.14

### Workarounds

There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.

### Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @NikAleksandrov and @pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: [security@cilium.io](mailto:security@cilium.io) - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.

Affected versions

1.4.0 - 1.13.14

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Unspecified
📦 github.com/cilium/cilium 📌 1.14.0 - 1.13.13 🔒 VPN 🐹 Go library Go 🎯 Local network ⚪ Not exploited 🟢 Patched
💬 ### Impact In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies: - Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted - Traffic that should be IPsec-encrypted between a node's DNS proxy and pods...
📅 2024-03-22 OSV/Go 🔗 Details

Full description

### Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

- Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
- Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

**Note:** For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

### Patches

This issue affects:

- Cilium v1.15 before v1.15.2
- Cilium v1.14 before v1.14.8
- Cilium v1.13 before v1.13.13
- Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

- Cilium v1.15.2
- Cilium v1.14.8
- Cilium v1.13.13

### Workarounds

There is no workaround to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

Affected versions

1.14.0 - 1.13.13

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Unspecified
📦 github.com/cilium/cilium 📌 1.14.0 - 1.14.8 🔒 VPN 🐹 Go library Go 🎯 Local network ⚪ Not exploited 🟢 Patched
💬 ### Impact In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: - Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes. - Traffic that should be WireGuard-encrypted is sent unencrypted be...
📅 2024-03-22 OSV/Go 🔗 Details

Full description

### Impact

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:

- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

### Patches

This issue affects:

* In native routing mode (`routingMode=native`):
  * Cilium v1.14 versions before v1.14.8
  * Cilium v1.15 versions before v1.15.2
* In tunneling mode (`routingMode=tunnel`):
  * Cilium v1.14 versions before v1.14.4
  * Cilium v1.14.4 if `encryption.wireguard.encapsulate` is set to `false` (default).

This issue has been resolved in:

* In native routing mode (`routingMode=native`):
  * Cilium v1.14.8
  * Cilium v1.15.2
* In tunneling mode (`routingMode=tunnel`):
  * Cilium v1.14.4. **NOTE** `encryption.wireguard.encapsulate` must be set to `true`.

### Workarounds

There is no workaround to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

Affected versions

1.14.0 - 1.14.8

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N