Omni Wireguard SideroLink potential escape
Description
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, traffic arriving over the SideroLink tunnel could be used to escape it.

Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection over WireGuard, which mutually authenticates and authorizes the two ends. The WireGuard interface on Omni ensures that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer (WireGuard's AllowedIPs check), but it performs no validation on the packet's destination address.

The Talos end of the SideroLink connection cannot be considered a trusted environment: workloads running on Kubernetes, especially those configured with host networking, can gain direct access to the link. A malicious workload could therefore send packets with arbitrary destination addresses over the SideroLink interface, and Omni would accept them as long as the source address was the peer's own.

This issue has been patched in version 0.48.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/siderolabs/omni | Go | < 0.48.0 | 0.48.0 |
Affected products
- Range: < 0.48.0
Patches
a5efd816a239 feat: validate incoming packets addresses in siderolink manager
3 files changed · +12 −10
go.mod+2 −2 modified@@ -80,7 +80,7 @@ require ( github.com/siderolabs/kms-client v0.1.0 github.com/siderolabs/omni/client v0.45.0 github.com/siderolabs/proto-codec v0.1.2 - github.com/siderolabs/siderolink v0.3.12 + github.com/siderolabs/siderolink v0.3.13 github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.1 @@ -97,6 +97,7 @@ require ( golang.org/x/crypto v0.35.0 golang.org/x/net v0.35.0 golang.org/x/sync v0.11.0 + golang.org/x/time v0.10.0 golang.org/x/tools v0.29.0 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 @@ -251,7 +252,6 @@ require ( golang.org/x/sys v0.30.0 // indirect golang.org/x/term v0.29.0 // indirect golang.org/x/text v0.22.0 // indirect - golang.org/x/time v0.10.0 // indirect golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect google.golang.org/genproto v0.0.0-20250204164813-702378808489 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250227231956-55c901821b1e // indirect
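Review bot: golang.org/x/time v0.10.0 moves from the `// indirect` block to a direct require in this file, yet no file in the diff imports it; this reads as `go mod tidy` correcting a stale indirect marker rather than part of the fix. Worth confirming with a clean `go mod tidy` so the change set stays limited to the github.com/siderolabs/siderolink v0.3.12 -> v0.3.13 bump that the new packet filter depends on.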
go.sum+2 −2 modified@@ -445,8 +445,8 @@ github.com/siderolabs/proto-codec v0.1.2 h1:KYrRiCk5wdA2ilZZoW4bWtICCF4y3r28Fhmu github.com/siderolabs/proto-codec v0.1.2/go.mod h1:TCsjpw732TWuOx4Vd4gYhivPOttEhdPvczLfMQ6Y9Dc= github.com/siderolabs/protoenc v0.2.2 h1:vVQDrTjV+QSOiroWTca6h2Sn5XWYk7VSUPav5J0Qp54= github.com/siderolabs/protoenc v0.2.2/go.mod h1:gtkHkjSCFEceXUHUzKDpnuvXu1mab9D3pVxTnQN+z+o= -github.com/siderolabs/siderolink v0.3.12 h1:DisnXbHNlI2VvS7OfKRkLGlGS8LSk4Ct6isnBRo/Xhk= -github.com/siderolabs/siderolink v0.3.12/go.mod h1:g/QSKmgzJcea/PZ1TKFZZAE0JmQgBHDA1j0itQSmiM8= +github.com/siderolabs/siderolink v0.3.13 h1:v5tDcEEc7Fr8DpKuzNkAfnCW203iMcM52Mf0bhFSwyw= +github.com/siderolabs/siderolink v0.3.13/go.mod h1:g/QSKmgzJcea/PZ1TKFZZAE0JmQgBHDA1j0itQSmiM8= github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0 h1:ik7cXQu7YqkV/Ryd8yU+xlckn0csmpQwV1KZEeCINdw= github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0/go.mod h1:gFqGUE60R9EdIkNCzxcJ55Y6bv2d4i5+KLbou3rzpQ0= github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA=
internal/pkg/siderolink/manager.go+8 −6 modified@@ -28,6 +28,7 @@ import ( eventsapi "github.com/siderolabs/siderolink/api/events" pb "github.com/siderolabs/siderolink/api/siderolink" "github.com/siderolabs/siderolink/pkg/events" + "github.com/siderolabs/siderolink/pkg/tun" "github.com/siderolabs/siderolink/pkg/wgtunnel/wgbind" "github.com/siderolabs/siderolink/pkg/wgtunnel/wggrpc" "github.com/siderolabs/siderolink/pkg/wireguard" @@ -383,12 +384,13 @@ func (manager *Manager) startWireguard(ctx context.Context, eg *errgroup.Group, } if err = manager.wgHandler.SetupDevice(wireguard.DeviceConfig{ - Bind: wgbind.NewServerBind(conn.NewDefaultBind(), manager.virtualPrefix, manager.peerTraffic, manager.logger), - PeerHandler: peerHandler, - Logger: manager.logger, - ServerPrefix: serverAddr, - PrivateKey: key, - ListenPort: uint16(port), + Bind: wgbind.NewServerBind(conn.NewDefaultBind(), manager.virtualPrefix, manager.peerTraffic, manager.logger), + PeerHandler: peerHandler, + Logger: manager.logger, + ServerPrefix: serverAddr, + PrivateKey: key, + ListenPort: uint16(port), + InputPacketFilters: []tun.InputPacketFilter{tun.FilterAllExceptIP(serverAddr.Addr())}, }); err != nil { return err }
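Review bot: the only filter installed is `tun.FilterAllExceptIP(serverAddr.Addr())`, so every incoming packet whose destination is not exactly Omni's own address on the link is dropped; `ServerPrefix` is a prefix rather than a single address, so if it is ever wider than that one host, traffic to other addresses inside it will be discarded silently, and the diff carries no regression test for the new behaviour (3 files changed, none of them tests). Suggest a test that feeds a decrypted packet from a valid peer addressed to another peer's address and to an external address and asserts both are dropped while one addressed to `serverAddr.Addr()` passes, plus a one-line comment above `InputPacketFilters` stating why the destination check is needed (WireGuard's AllowedIPs only constrains the source).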
Vulnerability mechanics
WireGuard's cryptokey routing checks the source address of every decrypted packet against the peer's AllowedIPs, which on Omni is the single IPv6 address assigned to that Talos machine. Nothing checked where the packet was going, so a packet with a valid source and an arbitrary destination was handed to Omni's network stack; a workload with access to the Talos end of the link (for example one using host networking) could use it to reach addresses other than Omni itself. The fix (commit a5efd816a239) bumps siderolink to v0.3.13 and installs an input packet filter on the Omni WireGuard device, tun.FilterAllExceptIP(serverAddr.Addr()), which drops every incoming packet whose destination is not Omni's own SideroLink address.
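The mechanism described above, as an added example (not code from Omni or siderolink): a Go model of the Omni-side input path that applies the source check WireGuard already performs and then the destination check the fix adds, run over constructed IPv6 packets so the pre- and post-fix verdicts can be compared side by side. The Tunnel and Verdict types, the FilterDest switch, and every address (RFC 3849 documentation range) are assumptions of this example; Omni's real SideroLink prefixes and siderolink's tun.FilterAllExceptIP implementation are not reproduced.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Verdict is the decision for one decrypted packet on the Omni side of the link.
type Verdict string

const (
	Accepted      Verdict = "accept"
	DropMalformed Verdict = "drop: not a well-formed IPv6 packet"
	DropSource    Verdict = "drop: source outside the peer's AllowedIPs"
	DropDest      Verdict = "drop: destination is not the server address"
)

// Tunnel models one SideroLink peer as seen from Omni (hypothetical type, not
// siderolink's). Addresses used with it are constructed for this example.
type Tunnel struct {
	ServerAddr  netip.Addr   // the one address Omni should answer on
	PeerAllowed netip.Prefix // this peer's AllowedIPs: WireGuard's cryptokey routing
	FilterDest  bool         // false: pre-0.48.0 behaviour; true: the destination check the fix adds
}

// Inspect applies the source check WireGuard already performs and, when
// FilterDest is set, the destination check that closes the escape.
func (t Tunnel) Inspect(pkt []byte) Verdict {
	src, dst, ok := parseIPv6(pkt)
	if !ok {
		return DropMalformed
	}
	// WireGuard discards a decrypted packet whose source is not in the peer's AllowedIPs.
	if !t.PeerAllowed.Contains(src) {
		return DropSource
	}
	// Without this check a packet from a valid peer addressed to any other host
	// reaches Omni's network stack: that is the escape.
	if t.FilterDest && dst != t.ServerAddr {
		return DropDest
	}
	return Accepted
}

// parseIPv6 reads source and destination from the fixed 40-byte IPv6 header.
func parseIPv6(pkt []byte) (src, dst netip.Addr, ok bool) {
	if len(pkt) < 40 || pkt[0]>>4 != 6 {
		return netip.Addr{}, netip.Addr{}, false
	}
	var s, d [16]byte
	copy(s[:], pkt[8:24])
	copy(d[:], pkt[24:40])
	return netip.AddrFrom16(s), netip.AddrFrom16(d), true
}

// buildIPv6 constructs a minimal IPv6 packet (no transport header) for the demo.
func buildIPv6(src, dst netip.Addr, payload []byte) []byte {
	pkt := make([]byte, 40+len(payload))
	pkt[0] = 0x60 // version 6; traffic class and flow label left zero
	binary.BigEndian.PutUint16(pkt[4:6], uint16(len(payload)))
	pkt[6] = 59 // next header 59: "no next header"
	pkt[7] = 64 // hop limit
	s, d := src.As16(), dst.As16()
	copy(pkt[8:24], s[:])
	copy(pkt[24:40], d[:])
	copy(pkt[40:], payload)
	return pkt
}

// Scenarios names the constructed packets in a fixed order for printing.
var Scenarios = []string{"peer -> omni", "peer -> other peer", "peer -> external", "spoofed src -> omni", "truncated"}

// Demo pushes the constructed packets from one peer through the tunnel and
// returns the verdict for each, so pre- and post-fix behaviour can be compared.
func Demo(filterDest bool) map[string]Verdict {
	server := netip.MustParseAddr("2001:db8:1::1")    // Omni's address on the link (constructed)
	peer := netip.MustParseAddr("2001:db8:1::2")      // this Talos machine's assigned address
	otherPeer := netip.MustParseAddr("2001:db8:1::3") // another Talos machine on the same link
	external := netip.MustParseAddr("2001:db8:2::10") // a host reachable from Omni's network stack
	spoofed := netip.MustParseAddr("2001:db8:1::9")   // a source this peer was never assigned

	t := Tunnel{ServerAddr: server, PeerAllowed: netip.PrefixFrom(peer, 128), FilterDest: filterDest}
	payload := []byte("constructed payload")
	return map[string]Verdict{
		Scenarios[0]: t.Inspect(buildIPv6(peer, server, payload)),
		Scenarios[1]: t.Inspect(buildIPv6(peer, otherPeer, payload)),
		Scenarios[2]: t.Inspect(buildIPv6(peer, external, payload)),
		Scenarios[3]: t.Inspect(buildIPv6(spoofed, server, payload)),
		Scenarios[4]: t.Inspect(buildIPv6(peer, server, payload)[:20]), // truncated header
	}
}

func main() {
	for _, filterDest := range []bool{false, true} {
		fmt.Printf("destination filter enabled: %v\n", filterDest)
		verdicts := Demo(filterDest)
		for _, name := range Scenarios {
			fmt.Printf("  %-20s %s\n", name, verdicts[name])
		}
	}
}
```

With FilterDest false the model accepts the packets to the other peer and to the external host, which is the pre-0.48.0 behaviour; with it set only the packet addressed to the server address passes, while the spoofed-source and truncated packets are dropped in both modes because those checks predate the fix.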
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-hqrf-67pm-wgfq
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59824
- Fix commit: https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60
- Vendor advisory: https://github.com/siderolabs/omni/security/advisories/GHSA-hqrf-67pm-wgfq
- Go vulnerability database: https://pkg.go.dev/vuln/GO-2025-3979