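# =============================================================================
# Title     : Cilium 1.18.0–1.18.5 eBPF Datapath Vulnerability
# Author    : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
# Vendor    : https://cilium.io/
# =============================================================================
# [+] Summary :
#   This Python script performs a comprehensive node-level analysis to assess
#   the Cilium 1.18.0–1.18.5 vulnerability that allows cross-node Pod traffic
#   to bypass Host Firewall policies when Native Routing, WireGuard, and Node
#   Encryption are enabled.
#
# [+] POC :
#!/usr/bin/env python3
"""Node-level triage helper for the Cilium 1.18.0–1.18.5 host-firewall bypass.

The script only collects evidence: it prints the running Cilium version and
config, the WireGuard status line(s), the loaded BPF programs / maps / attach
points, the ``bpf/`` diff between the last affected and the first fixed
upstream tag, and a version-based verdict.  It sends no traffic and does not
confirm exploitability at runtime; read the verdict strictly as "version is
inside / outside the advisory range".

Requirements: ``cilium`` and ``bpftool`` on ``PATH`` (most steps need root for
bpftool), plus network access to github.com for the datapath-diff step.
Every external command is a constant argument list run without a shell.
"""
import os
import re
import subprocess

# Fixed checkout location.  NOTE: this is a predictable path in a world-writable
# directory, so clone_repo()/diff_datapath() only use it when it already is a
# git checkout (or was just created by our own clone) and never operate on a
# pre-existing directory that something else put there.
CILIUM_REPO = "/tmp/cilium_repo"
VERSION_A = "v1.18.5"  # last affected upstream tag
VERSION_B = "v1.18.6"  # first fixed upstream tag

# Inclusive affected range, taken from the advisory header above.
VULN_MIN = (1, 18, 0)
VULN_MAX = (1, 18, 5)


def run(cmd, *, quiet=False):
    """Run *cmd* and return its decoded stdout, or "" when it cannot run.

    ``cmd`` is normally an argument list (executed without a shell).  A plain
    string is still accepted for compatibility and is then passed to the
    shell; never build that form from untrusted input.  ``quiet=True``
    discards stderr (the old ``2>/dev/null``).  A missing binary or a
    non-zero exit yields "" so that one absent tool does not abort the
    whole triage; the caller prints an empty section instead.
    """
    try:
        raw = subprocess.check_output(
            cmd,
            shell=isinstance(cmd, str),
            stderr=subprocess.DEVNULL if quiet else None,
        )
    except (subprocess.CalledProcessError, OSError):
        # CalledProcessError: tool ran but failed; OSError: tool not found /
        # not executable.  Both are "no output" for our purposes.
        return ""
    # Tool output is not guaranteed to be valid UTF-8; never crash on it.
    return raw.decode(errors="replace")


def _grep(text, pattern, *, ignore_case=False):
    """Return the lines of *text* that match regex *pattern*, newline-joined.

    In-process replacement for the ``| grep`` pipelines, so no shell is
    needed.  An empty result is "" (like grep printing nothing).
    """
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return "\n".join(line for line in text.splitlines() if rx.search(line))


def section(title):
    """Print *title* framed by two 60-character '=' rules."""
    bar = "=" * 60
    print("\n" + bar)
    print(title)
    print(bar)


def _parse_version(version):
    """Turn ``'x.y.z'`` into ``(x, y, z)``; return None for anything else.

    Tuples compare numerically, which is why this exists: comparing the
    strings (``"1.18.10" <= "1.18.5"`` is True) misclassifies releases.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def _vulnerable(version):
    """Classify *version* against the advisory range.

    Returns True inside ``VULN_MIN..VULN_MAX`` (inclusive), False outside it,
    and None when *version* is not a parseable ``x.y.z`` string.
    """
    parsed = _parse_version(version)
    if parsed is None:
        return None
    return VULN_MIN <= parsed <= VULN_MAX


def check_version():
    """Print ``cilium version`` and return the first ``x.y.z`` it mentions.

    Returns the string ``"Unknown"`` when no version number is found.
    NOTE(review): the first ``vX.Y.Z`` in the output may belong to the CLI
    rather than to the running agent — confirm against the output format on
    your node.
    """
    section("CILIUM VERSION")
    out = run(["cilium", "version"])
    print(out)
    match = re.search(r"v(\d+\.\d+\.\d+)", out)
    return match.group(1) if match else "Unknown"


def check_config():
    """Print the agent configuration as reported by ``cilium config``."""
    section("CILIUM CONFIG")
    print(run(["cilium", "config"]))


def check_wireguard():
    """Print the WireGuard-related lines of ``cilium status``."""
    section("WIREGUARD STATUS")
    print(_grep(run(["cilium", "status"]), "wireguard", ignore_case=True))


def check_bpf_attach_points():
    """Print bpftool's view of network attach points.

    NOTE(review): ``bpftool net attach show`` is kept from the original
    script; depending on the bpftool release the listing form may be
    ``bpftool net show`` instead — verify on the node.
    """
    section("BPF ATTACH POINTS")
    print(run(["bpftool", "net", "attach", "show"]))


def check_bpf_programs():
    """Print the loaded BPF programs whose listing mentions 'cilium'."""
    section("LOADED BPF PROGRAMS")
    print(_grep(run(["bpftool", "prog", "show"]), "cilium"))


def check_bpf_maps():
    """Print the BPF maps whose listing mentions 'cilium'."""
    section("BPF MAPS")
    print(_grep(run(["bpftool", "map", "show"]), "cilium"))


def dump_policy_map():
    """Dump the map named ``cilium_policy``; errors are silenced as before.

    NOTE(review): policy maps may carry a per-endpoint suffix on some
    releases, in which case this name matches nothing — check the names
    printed by check_bpf_maps() first.
    """
    section("POLICY MAP DUMP")
    print(run(["bpftool", "map", "dump", "name", "cilium_policy"], quiet=True))


def _is_git_checkout(path):
    """True when *path* looks like a git working tree (has a .git directory)."""
    return os.path.isdir(os.path.join(path, ".git"))


def clone_repo():
    """Clone upstream Cilium into CILIUM_REPO unless a checkout is already there.

    Returns True when a git checkout is available afterwards.  A pre-existing
    path that is not a git checkout is left untouched and reported, because
    CILIUM_REPO is a predictable location under /tmp that another local user
    could have created ahead of us.
    """
    section("CLONING CILIUM SOURCE")
    if os.path.exists(CILIUM_REPO):
        if _is_git_checkout(CILIUM_REPO):
            return True
        print(f"{CILIUM_REPO} exists but is not a git checkout; not using it.")
        return False
    run(["git", "clone", "https://github.com/cilium/cilium.git", CILIUM_REPO])
    return _is_git_checkout(CILIUM_REPO)


def diff_datapath():
    """Print the ``bpf/`` changes between VERSION_A and VERSION_B that mention
    the host, WireGuard, policy or nodeport datapath.

    Uses ``git diff <tagA> <tagB> -- bpf`` on the checkout in place of the
    original checkout / ``cp -r`` to fixed ``/tmp`` paths / ``diff -ru``
    sequence: no ``os.chdir`` that is never undone, no copies in predictable
    world-writable locations, and no worktree left on a different tag.
    """
    section("DIFF DATAPATH BETWEEN 1.18.5 AND 1.18.6")
    if not _is_git_checkout(CILIUM_REPO):
        print(f"No git checkout at {CILIUM_REPO}; skipping datapath diff.")
        return
    full_diff = run(
        ["git", "-C", CILIUM_REPO, "diff", VERSION_A, VERSION_B, "--", "bpf"]
    )
    relevant = _grep(full_diff, r"bpf_host|bpf_wireguard|policy|nodeport")
    print(relevant if relevant else "No relevant datapath diff found.")


def analyze_root_cause(version):
    """Print a verdict derived only from *version* (a ``'x.y.z'`` string).

    The "root cause" / "patch" bullet lists are the author's hypothesis
    attached to the version range; they are not derived from the collected
    node output.  An unparseable version now gets its own message instead of
    being reported as patched, and releases older than the range are no
    longer labelled ">= 1.18.6".
    """
    section("ROOT CAUSE ANALYSIS")
    verdict = _vulnerable(version)
    if verdict is None:
        print(f"Could not parse Cilium version {version!r}; no verdict.")
        return
    if verdict:
        print("Version within vulnerable range.")
        print("""
Likely Root Cause:
- WireGuard decrypt path reinjects packet
- Host firewall hook not triggered
- Identity context not revalidated
- Policy map lookup skipped or misordered
""")
        return
    if _parse_version(version) < VULN_MIN:
        print("Version older than the advisory range (< 1.18.0); not covered.")
        return
    print("Version likely patched (>= 1.18.6).")
    print("""
Patch likely:
- Reordered host firewall hook
- Ensured policy lookup after decrypt
- Fixed identity propagation
""")


def main():
    """Run every collection step in order, then print the version verdict."""
    version = check_version()
    check_config()
    check_wireguard()
    check_bpf_attach_points()
    check_bpf_programs()
    check_bpf_maps()
    dump_policy_map()
    clone_repo()
    diff_datapath()
    analyze_root_cause(version)


if __name__ == "__main__":
    main()

# Greetings to :==============================================================================
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
# ============================================================================================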