Cyber Resilience

CVE-2024-47825

Medium

Published: 21 October 2024

Published
21 October 2024
Modified
19 December 2024
KEV Added
Patch
CVSS Score v3.1 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Score 0.0031 54.2th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47825 is a medium-severity Incorrect Default Permissions (CWE-276) vulnerability in Cilium Cilium. Its CVSS base score is 4.0 (Medium).

Operationally, ranked in the top 45.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is…

more

a policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) and this narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it must be to entity `all`.This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using `enableDefaultDeny: false` or that set `toEntities` to `all`, some workarounds are available. For users with policies using `enableDefaultDeny: false`, remove this configuration option and explicitly define any allow rules required. For users with egress policies that explicitly specify `toEntities: all`, use `toEntities: world`.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cilium
cilium
1.14.0 — 1.14.16 · 1.15.0 — 1.15.10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-276

Access control policy can specify and enforce secure default permissions for resources.

addresses: CWE-276

Guides setting of default permissions to the minimum required level.

addresses: CWE-276

Establishes requirements for appropriate default permissions on system resources as part of configuration management.

addresses: CWE-276

Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.

addresses: CWE-276

Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources.

addresses: CWE-276

Requires documented processes that include setting and maintaining correct default permissions for configuration items.

addresses: CWE-276

Requires addressing secure default permissions in physical and environmental protection controls.

addresses: CWE-276

Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs.

References