Platform: go
Component: github.com/projectcalico/calico
Fixed in: v3.26.5, v3.27.3, v3.17.4, v3.18.2, v3.19.0-2.0, v19.3.0
CVE-2024-33522 describes a privilege escalation vulnerability in the Calico network security platform. The flaw could allow an attacker to gain elevated privileges, potentially compromising network security policies and data. It affects Calico 3.x before 3.26.5 and 3.27.0 before 3.27.3; fixes are available in 3.26.5 and 3.27.3.
Successful exploitation of CVE-2024-33522 could enable an attacker to bypass Calico's security controls and gain unauthorized access to network resources. This could manifest as the ability to modify network policies, intercept traffic, or even compromise the underlying Kubernetes cluster where Calico is deployed. The potential blast radius is significant, as a compromised Calico instance can impact the entire network it protects. While the specific attack vector remains undisclosed, the privilege escalation nature suggests a sophisticated attacker with a deep understanding of Calico's internal workings would be required.
CVE-2024-33522 was publicly disclosed on June 10, 2024. The vulnerability's severity is rated as MEDIUM. Currently, there are no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog as of this writing. Given the nature of privilege escalation vulnerabilities, it is prudent to assume that attackers may actively seek to exploit this flaw, especially as more details become publicly available.
Organizations heavily reliant on Calico for network security and segmentation are at increased risk. This includes those deploying Calico in Kubernetes environments, cloud-native applications, and zero-trust network architectures. Specifically, deployments using older versions of Calico (prior to 3.26.5 and 3.27.3) are directly vulnerable.
• linux / server:
  journalctl -u calico-node --since "1 hour ago" | grep -i "error"
• linux / server:
  ps aux | grep calico-node
• generic web:
  curl -I <calico_api_endpoint>
• generic web:
  grep "/api/v3" /var/log/nginx/access.log

Disclosure
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-33522 is to upgrade Calico to version 3.26.5 or later. If an immediate upgrade is not possible due to compatibility constraints or testing requirements, consider implementing stricter access controls and network segmentation to limit the potential impact of a successful exploit. Monitor Calico logs for any suspicious activity, particularly related to privilege elevation attempts. While no specific WAF rules or detection signatures are currently available, reviewing Calico's internal audit logs for unusual permission changes is recommended. After upgrading, confirm the fix by verifying the Calico version and checking for any unexpected changes to network policies.
Upgrade Calico to 3.26.5 or later, 3.27.3 or later, 3.17.4 or later, 3.18.2 or later, 3.19.0-2.0 or later, or 19.3.0 or later, depending on your version of Calico, Calico Enterprise or Calico Cloud. This corrects the incorrectly set SUID bit on the CNI install binary, preventing the privilege escalation. See the release notes for further details.
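Two checks that follow from the mitigation above, added here as an example and not taken from the Calico project: a version test against the affected Calico open-source ranges stated on this page, and a scan of a CNI plugin directory for binaries carrying the SUID bit. It assumes Calico OSS version strings of the form 3.26.4 (optionally prefixed with v) and that host CNI binaries live under /opt/cni/bin, the standard CNI path, which the advisory itself does not name.

```shell
#!/bin/sh
# Added example for CVE-2024-33522 (not code from the Calico project).
# Assumptions: Calico OSS version strings look like "3.26.4" (optionally
# prefixed with "v"); host CNI plugin binaries live under /opt/cni/bin,
# the standard CNI path, which the advisory itself does not name.

# Returns 0 when the given Calico OSS version falls in an affected range
# (3.x before 3.26.5, or 3.27.0 before 3.27.3), 1 otherwise.
calico_version_affected() {
  v="${1#v}"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  # keep only the leading digits of the patch field ("5-rc1" -> "5")
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ "$major" = "3" ] || return 1
  [ "${minor:-0}" -lt 26 ] && return 0
  [ "${minor:-0}" -eq 26 ] && [ "${patch:-0}" -lt 5 ] && return 0
  [ "${minor:-0}" -eq 27 ] && [ "${patch:-0}" -lt 3 ] && return 0
  return 1
}

# Prints every regular file under DIR (default /opt/cni/bin) that has the
# SUID bit set. Returns 0 when none is found (directory is clean), 1 otherwise.
# A CNI plugin directory should normally contain no SUID binaries at all.
find_suid_cni() {
  dir="${1:-/opt/cni/bin}"
  hits=$(find "$dir" -type f -perm -4000 2>/dev/null)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Usage on a node (both should stay quiet after the upgrade):
#   calico_version_affected 3.26.4 && echo "affected Calico version"
#   find_suid_cni /opt/cni/bin || echo "SUID binaries found in CNI directory"
```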
CVE-2024-33522 is a medium-severity vulnerability in Calico versions 3 before 3.26.5 and 3.27.0 before 3.27.3 that allows an attacker to potentially escalate privileges within the network security platform.
You are affected if you are running Calico 3.x before 3.26.5 or 3.27.0 before 3.27.3. Check your Calico version and upgrade accordingly.
Upgrade Calico to version 3.26.5 or later. Review the release notes for any breaking changes before upgrading and test in a non-production environment first.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate remediation.
Refer to the official Calico security advisory for detailed information and updates: https://www.projectcalico.org/security/advisories/