Headline
CVE-2023-27487: Client may fake the header `x-envoy-original-path`
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header x-envoy-original-path
should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for jwt_authn
checks if the jwt_authn
filter is used, and any other upstream use of the x-envoy-original-path header. Attackers may forge a trusted x-envoy-original-path
header. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 have patches for this issue.
Impact
Bypass JWT checks, forge fake original paths.
Affected components
Trace logs, gRPC logs, JWT filter.
Attack vector/s
The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client.
The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for jwt_authn checks if the jwt_authn filter is used, and any other upstream use of the x-envoy-original-path header.
Description
Trusted x-envoy-original-path header can be forged by attackers
Example exploit or proof-of-concept
Client request:
$ curl -H “x-envoy-original-path: /fake” http://localhost:8080/real-path/
Access log, using the default log format:
[2023-02-28T19:26:53.660Z] “GET /fake HTTP/1.1” 200 - 0 3257 1 0 "-" “curl/7.82.0” “36174006-b793-4e40-8a38-a3d17a2a37a0” “localhost:8080” “172.18.98.50:8020”
Related news
Red Hat Security Advisory 2023-4623-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27487: A flaw was found in envoy. The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header could then be used for trace logs and grpc logs, used in the URL for jwt_authn checks if the jwt_authn filter is used, and any other upstr...
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...