Severity: High (CVSS 7.9)
Identifiers: CVE-2026-41520, GHSA-gj49-89wh-h4gj
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Affected projects: cilium

Affected versions

Project           Vulnerable range
cilium-bugtool    < 1.17.15
cilium-bugtool    >= 1.18.0, < 1.18.9
cilium-bugtool    >= 1.19.0, < 1.19.3

Patched versions

Project           Fixed in
cilium-bugtool    1.17.15
cilium-bugtool    1.18.9
cilium-bugtool    1.19.3

References

Summary

The output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. The sensitive data is the WireGuard private key (cilium_wg0.key) used for node-to-node encrypted communication. Users of WireGuard Transparent Encryption are affected.

Impact

cilium-bugtool is a debugging tool typically invoked manually — it does not run during the normal operation of a Cilium cluster — and is also invoked when gathering sysdumps via the Cilium CLI's cilium sysdump command. Any bugtool or sysdump archive collected from a WireGuard-enabled cluster on an affected version may contain the node's WireGuard private key. An attacker with access to such an archive can decrypt or impersonate node-to-node WireGuard traffic for the affected node.

Detection

Audit any previously-shared bugtool or sysdump archives from WireGuard-enabled nodes for the presence of cilium_wg0.key. Treat archives uploaded to ticket systems, shared cloud storage, or distributed for support purposes as potentially compromised. Cluster operators should also confirm whether WireGuard transparent encryption is enabled (kubectl -n kube-system get configmap cilium-config -o yaml | grep encryption).
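The audit step above can be scripted. The following is an added example, not Cilium project code: it lists every cilium_wg0.key entry in a bugtool tarball or a sysdump zip by member name alone, without extracting anything to disk. It assumes a sysdump is a zip that embeds one bugtool .tar.gz per node; the sample archive it builds, and the paths inside it, are constructed and do not reflect Cilium's real layout.

```python
import io
import os
import tarfile
import tempfile
import zipfile

KEY_NAME = "cilium_wg0.key"  # the private key file named in the advisory

def _tar_hits(fileobj, prefix=""):
    # names of KEY_NAME members in a (possibly compressed) tar stream
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [prefix + m.name for m in tar.getmembers()
                if m.isfile() and os.path.basename(m.name) == KEY_NAME]

def find_wireguard_keys(archive_path):
    """Every cilium_wg0.key entry in a bugtool tarball or a sysdump zip."""
    if zipfile.is_zipfile(archive_path):
        hits = []
        with zipfile.ZipFile(archive_path) as zf:
            for info in zf.infolist():
                if os.path.basename(info.filename) == KEY_NAME:
                    hits.append(info.filename)
                elif info.filename.endswith((".tar.gz", ".tgz", ".tar")):
                    # assumption: a sysdump embeds one bugtool tarball per node
                    nested = io.BytesIO(zf.read(info))
                    hits.extend(_tar_hits(nested, info.filename + "!/"))
        return hits
    if tarfile.is_tarfile(archive_path):
        with open(archive_path, "rb") as f:
            return _tar_hits(f)
    raise ValueError(f"{archive_path}: not a zip or tar archive")

def _bugtool_tar(files):  # constructed in-memory .tar.gz from {path: bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_sample():
    """Constructed sysdump: node-a's bugtool leaks the key, node-b's does not."""
    leaking = _bugtool_tar({"cmd/status.md": b"ok\n", "state/" + KEY_NAME: b"<constructed key>\n"})
    clean = _bugtool_tar({"cmd/status.md": b"ok\n"})
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cilium-sysdump.zip")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("cilium-bugtool-node-a.tar.gz", leaking)
            zf.writestr("cilium-bugtool-node-b.tar.gz", clean)
        return find_wireguard_keys(path)
```

Any non-empty result means the archive exposed that node's private key and the key should be rotated as described under Mitigation.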

Mitigation

Upgrade to a patched version on the appropriate release line:

  • Cilium v1.19.3 or later (for the 1.19 line)
  • Cilium v1.18.9 or later (for the 1.18 line)
  • Cilium v1.17.15 or later (for the 1.17 line and earlier)

There is no workaround for the underlying issue. Users who have previously shared bugtool or sysdump archives from WireGuard-enabled nodes should rotate the WireGuard keys on the affected nodes. This can be done by deleting the key file and restarting the Cilium agent, which will generate a new key pair.
