ISTIO-SECURITY-2021-008

Multiple CVEs related to AuthorizationPolicy, EnvoyFilter and Envoy.

Aug 24, 2021

Disclosure Details
CVE(s): CVE-2021-32777
        CVE-2021-32781
        CVE-2021-32778
        CVE-2021-32780
        CVE-2021-39155
        CVE-2021-39156
CVSS Impact Score: 8.6 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Releases: All releases prior to 1.9.8
                   1.10.0 to 1.10.3
                   1.11.0

CVEs

Envoy, and therefore Istio, is affected by six newly disclosed vulnerabilities (note that Envoy's CVE-2021-32779 is tracked together with Istio's CVE-2021-39156):

CVE-2021-39156 (CVE-2021-32779)

Istio contains a remotely exploitable vulnerability, CVE-2021-39156, where an HTTP request with a fragment (the part of a URI that follows a # character) in the URI path could bypass Istio's URI path-based authorization policies. For instance, suppose an Istio authorization policy denies requests sent to the URI path /user/profile. In the vulnerable versions, a request with the URI path /user/profile#section1 bypasses the deny policy and is routed to the backend (with the normalized URI path /user/profile%23section1), possibly leading to a security incident.

The fix depends on a fix in Envoy, which is associated with CVE-2021-32779.

You are impacted by this vulnerability if you use Istio patch versions earlier than 1.9.8, 1.10.4 or 1.11.1 and your authorization policies contain rules that match on the URI path.

With the mitigation, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part.

To opt out of the new behavior, so that the fragment section of the URI is kept, configure your installation as follows. Note that this setting re-enables the bypass described above for path-based policies, as the UNSAFE_IF_DISABLED suffix of the option indicates, so use it only if a workload genuinely depends on receiving the fragment.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: opt-out-fragment-cve-fix
  namespace: istio-system
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false"

CVE-2021-39155

Istio contains a remotely exploitable vulnerability where an HTTP request could potentially bypass an Istio authorization policy when using rules based on hosts or notHosts. In the vulnerable versions, the Istio authorization policy compares the HTTP Host or :authority headers in a case-sensitive manner, which is inconsistent with RFC 4343 (DNS names are case-insensitive). For example, a user could have an authorization policy that rejects requests with host secret.com, but an attacker can bypass this by sending the request with the hostname Secret.com. Routing still sends the traffic to the backend for secret.com, which is a policy violation.

See CVE-2021-39155 for more information.

You are impacted by this vulnerability if you use Istio patch versions earlier than 1.9.8, 1.10.4 or 1.11.1 and your authorization policies contain rules based on hosts or notHosts.

With the mitigation, when authorization policies based on hosts or notHosts are used, the Istio authorization policy compares the HTTP Host or :authority headers in a case-insensitive manner to the hosts or notHosts specs.

CVE-2021-32777

Envoy contains a remotely exploitable vulnerability where an HTTP request carrying a header with multiple values could receive an incomplete authorization check when the ext_authz extension is used: the external authorization server sees only the last value of such a header, so any decision that should have taken the other values into account is made without them. See CVE-2021-32777 for more information.

You are impacted by this vulnerability if you use Istio patch versions earlier than 1.9.8, 1.10.4 or 1.11.1 and the ext_authz extension is used in your mesh.
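To make the failure mode concrete, the following is an added Go example (not Envoy's code) of the header flattening that ext_authz performs before calling the authorization server, once in the vulnerable last-value-wins form and once in a merged form, next to a hypothetical authorization server that rejects any request claiming the admin scope. The x-scope header, the policy and the request are constructed for this example; the comma separator used when merging is an assumption about how repeated list headers are represented, not a quote of the Envoy fix.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// FlattenHeaders converts multi-valued request headers into the flat
// name->value map that the ext_authz CheckRequest carries to the external
// authorization server. fixed=false reproduces the CVE-2021-32777 behaviour:
// each value overwrites the previous one, so only the last survives.
// fixed=true merges the values into one comma-separated field value
// (separator is an assumption for this example, not Envoy's code).
func FlattenHeaders(h http.Header, fixed bool) map[string]string {
	out := make(map[string]string, len(h))
	for name, values := range h {
		if len(values) == 0 {
			continue
		}
		key := strings.ToLower(name)
		if fixed {
			out[key] = strings.Join(values, ",")
		} else {
			out[key] = values[len(values)-1] // last value wins
		}
	}
	return out
}

// AuthzAllows stands in for the external authorization server. Hypothetical
// policy: reject any request that claims the "admin" scope in x-scope.
// It splits on commas so that a merged list is inspected in full.
func AuthzAllows(flat map[string]string) bool {
	for _, v := range strings.Split(flat["x-scope"], ",") {
		if strings.TrimSpace(v) == "admin" {
			return false
		}
	}
	return true
}

// SampleHeaders is a constructed request: the client sends x-scope twice,
// first "admin" and then "read". An upstream that honours every value
// (or the first one) treats this as an admin request, while a vulnerable
// proxy only shows the authorization server the trailing "read".
func SampleHeaders() http.Header {
	h := http.Header{}
	h.Add("X-Scope", "admin")
	h.Add("X-Scope", "read")
	h.Add("Authorization", "Bearer token-placeholder")
	return h
}

func main() {
	for _, fixed := range []bool{false, true} {
		flat := FlattenHeaders(SampleHeaders(), fixed)
		fmt.Printf("fixed=%-5v authz sees x-scope=%q allowed=%v\n",
			fixed, flat["x-scope"], AuthzAllows(flat))
	}
}
```

The practical consequence for operators of an authorization server is the second half of the fix: once the proxy forwards every value, the server has to parse the merged list rather than compare the field against a single expected string.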

CVE-2021-32778

Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption. See CVE-2021-32778 for more information.

You are impacted by this vulnerability if you use Istio patch versions earlier than 1.9.8, 1.10.4 or 1.11.1.

CVE-2021-32780

Envoy contains a remotely exploitable vulnerability where an untrusted upstream service could cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. See CVE-2021-32780 for more information.

You are impacted by this vulnerability if you use Istio patch versions 1.10.0 to 1.10.3 or 1.11.0.

CVE-2021-32781

Envoy contains a remotely exploitable vulnerability that affects Envoy’s decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally. See CVE-2021-32781 for more information.

You are impacted by this vulnerability if you use Istio patch versions earlier than 1.9.8, 1.10.4 or 1.11.1 and your proxies use the decompressor, json-transcoder or grpc-web extensions, or a custom extension that increases the size of request or response bodies.

Mitigation

To mitigate the above CVEs, update your cluster to the latest supported version:

For Istio 1.9.x deployments: update to Istio 1.9.8 or later.
For Istio 1.10.x deployments: update to Istio 1.10.4 or later.
For Istio 1.11.x deployments: update to Istio 1.11.1 or later.

Non-CVE vulnerabilities

Istio does not ignore ports in AuthorizationPolicy hosts and notHosts comparisons

When creating a VirtualService or Gateway, Istio generates configuration matching both the hostname itself and the hostname with all matching ports. For instance, a VirtualService or Gateway for a host of httpbin.foo generates a config matching httpbin.foo and httpbin.foo:*. However, an AuthorizationPolicy using exact match only matches the exact string given for the hosts or notHosts fields.

Your cluster is impacted if you have an AuthorizationPolicy using exact string comparison for the hosts or notHosts.

AuthorizationPolicy Mitigation

Update your authorization policy rules so that, alongside the exact host, they also match the host followed by any port using a prefix match. For example, to match a VirtualService or Gateway with a host of httpbin.com, create an AuthorizationPolicy with hosts: ["httpbin.com", "httpbin.com:*"] as shown below.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        hosts: ["httpbin.com", "httpbin.com:*"]
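The three matching problems on this page (the fragment bypass of CVE-2021-39156, the case-sensitive host comparison of CVE-2021-39155, and the port mismatch in exact host matches described just above) all come down to which string the policy engine ends up comparing. The Go model below is an added illustration, not code from Istio or Envoy: it evaluates a DENY rule against a request with both the vulnerable and the patched normalization so the bypasses can be seen side by side. The Request and DenyRule types, the Denied function and the probe requests are constructed for this example; the string-match forms (exact, prefix, suffix, "*") follow Istio's documented AuthorizationPolicy semantics, while the path handling is reduced to the fragment behaviour the advisory describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is the subset of an HTTP request that path- and host-based
// AuthorizationPolicy rules look at: the request-target exactly as the
// client sent it, and the Host (HTTP/1.1) or :authority (HTTP/2) header.
type Request struct {
	Path string
	Host string
}

// DenyRule models the to.operation block of a DENY AuthorizationPolicy.
// Both lists use Istio's string-match forms: exact ("secret.com"),
// prefix ("httpbin.com:*"), suffix ("*.example.com") or "*".
// An empty list matches anything.
type DenyRule struct {
	Paths []string
	Hosts []string
}

// normalizePath reproduces the two proxy behaviours from CVE-2021-39156.
// fixed=false keeps the fragment and percent-encodes '#', so the policy
// sees "/user/profile%23section1" (vulnerable). fixed=true drops everything
// from the first '#' before authorization and routing (patched).
func normalizePath(raw string, fixed bool) string {
	if i := strings.IndexByte(raw, '#'); fixed && i >= 0 {
		return raw[:i]
	}
	return strings.ReplaceAll(raw, "#", "%23")
}

// matchPattern applies one exact/prefix/suffix/"*" pattern to value.
func matchPattern(value, pattern string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(value, strings.TrimPrefix(pattern, "*"))
	default:
		return value == pattern
	}
}

// matchAny reports whether value matches at least one pattern. foldCase
// selects the RFC 4343 case-insensitive comparison that patched Istio uses
// for hosts; without it the comparison is the one CVE-2021-39155 exploits.
func matchAny(value string, patterns []string, foldCase bool) bool {
	if foldCase {
		value = strings.ToLower(value)
	}
	for _, p := range patterns {
		if foldCase {
			p = strings.ToLower(p)
		}
		if matchPattern(value, p) {
			return true
		}
	}
	return false
}

// Denied reports whether the DENY rule fires for req. fixed=false behaves
// like the vulnerable proxy, fixed=true like a patched one. The port problem
// is independent of fixed: "httpbin.com:8080" never equals "httpbin.com".
func Denied(req Request, rule DenyRule, fixed bool) bool {
	if len(rule.Paths) > 0 && !matchAny(normalizePath(req.Path, fixed), rule.Paths, false) {
		return false
	}
	if len(rule.Hosts) > 0 && !matchAny(req.Host, rule.Hosts, fixed) {
		return false
	}
	return true
}

func main() {
	// Constructed probe requests for the cases discussed in this advisory.
	cases := []struct{ name string; req Request; rule DenyRule }{
		{"fragment", Request{Path: "/user/profile#section1", Host: "app.example"}, DenyRule{Paths: []string{"/user/profile"}}},
		{"host case", Request{Path: "/", Host: "Secret.com"}, DenyRule{Hosts: []string{"secret.com"}}},
		{"host port, exact only", Request{Path: "/", Host: "httpbin.com:8080"}, DenyRule{Hosts: []string{"httpbin.com"}}},
		{"host port, exact+prefix", Request{Path: "/", Host: "httpbin.com:8080"}, DenyRule{Hosts: []string{"httpbin.com", "httpbin.com:*"}}},
	}
	for _, c := range cases {
		fmt.Printf("%-25s vulnerable denied=%-5v patched denied=%v\n",
			c.name, Denied(c.req, c.rule, false), Denied(c.req, c.rule, true))
	}
}
```

A practitioner verifying an upgrade can substitute the hosts and paths from their own policies for the constructed requests. The port case is worth noting because it is not cured by upgrading: only the additional httpbin.com:* entry makes the rule fire for a Host header that carries a port.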

Credit

We would like to thank Yangmin Zhu (Google) for reporting some of the above issues.