
Envoy crashes for `LocalReply` in HTTP async client

Moderate
phlax published GHSA-qm74-x36m-555q Sep 19, 2024

Package

Envoy

Affected versions

< 1.32.0

Patched versions

1.31.2, 1.30.6, 1.29.9, 1.28.7

Description

Summary

Envoy will crash when the HTTP async client handles sendLocalReply under some circumstances, e.g., WebSocket upgrade and request mirroring.

Details

Envoy can crash during sendLocalReply() in the HTTP async client.

One cause is that the HTTP async client duplicates the status code; another is that the router is destroyed in the async stream's destructor, while the stream itself has already been deferred-deleted.

As a result, the stream decoder can already be destroyed when router.onDestroy() dereferences it, causing a segfault.

This can impact ext_authz if the upgrade and connection headers are allowed, and when request mirroring is enabled.

PoC

  • Configure ext_authz allowed_headers to match any headers, or use the patterns:
    - exact: upgrade
    - exact: connection
  • Send WebSocket upgrade requests.
  • The authentication server sends back 400 to reject the auth request.
  • Then Envoy will crash.
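A defender-side precondition check, added here as an example and not part of the advisory or of the Envoy project: it applies the affected and patched version ranges stated above and inspects an Envoy configuration for the two circumstances the advisory names (an HTTP ext_authz allow-list that forwards the Upgrade/Connection headers, and request mirroring). The ext_authz type URL and the http_service.authorization_request.allowed_headers and request_mirror_policies field names are the standard Envoy v3 ones; treating an absent allowed_headers as forwarding every client header is this check's own assumption, Python's re stands in for Envoy's RE2 when evaluating safe_regex patterns, and the sample configuration at the bottom is constructed.

```python
# Precondition check for GHSA-qm74-x36m-555q (CVE-2024-45810). Added example, not code
# from the advisory or the Envoy project: encodes the advisory's version ranges and
# scans a config dict (loaded via json or yaml) for the preconditions it names.
import re

# First fixed patch release per minor, from the advisory's "Patched versions".
PATCHED_MINORS = {(1, 31): 2, (1, 30): 6, (1, 29): 9, (1, 28): 7}
FIXED_MINOR = (1, 32)  # the affected range is "< 1.32.0"
EXT_AUTHZ_TYPE = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
HOP_BY_HOP = ("upgrade", "connection")


def parse_version(version: str) -> tuple[int, int, int]:
    """Accept '1.31.1', 'v1.31.1' or '1.31.1-dev'; return (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected_version(version: str) -> bool:
    """True if the release predates the fix on its minor, or its minor got no fix."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIXED_MINOR:
        return False
    fixed_patch = PATCHED_MINORS.get((major, minor))
    # Minors older than 1.28 received no fix and fall under "< 1.32.0".
    return fixed_patch is None or patch < fixed_patch


def walk(node):
    """Yield every mapping in a nested config, wherever it sits."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk(child)


def matches_hop_by_hop(pattern: dict) -> bool:
    """Does one allowed_headers StringMatcher (exact/prefix/safe_regex) match Upgrade or Connection?"""
    if "exact" in pattern:
        return pattern["exact"].lower() in HOP_BY_HOP
    if "prefix" in pattern:
        return any(h.startswith(pattern["prefix"].lower()) for h in HOP_BY_HOP)
    if "safe_regex" in pattern:  # Python's re stands in for Envoy's RE2 here
        regex = re.compile(pattern["safe_regex"].get("regex", ""), re.IGNORECASE)
        return any(regex.fullmatch(h) for h in HOP_BY_HOP)
    return False


def ext_authz_hop_by_hop_patterns(config: dict) -> list[dict]:
    """Return the allowed_headers patterns that let Upgrade/Connection reach the auth service."""
    offending: list[dict] = []
    for node in walk(config):
        if node.get("@type") != EXT_AUTHZ_TYPE or "http_service" not in node:
            continue  # gRPC authorization services carry no allowed_headers
        allowed = node["http_service"].get("authorization_request", {}).get("allowed_headers")
        if allowed is None:  # assumption: no allow-list means every client header is forwarded
            offending.append({"<unset>": True})
        else:
            offending.extend(p for p in allowed.get("patterns", []) if matches_hop_by_hop(p))
    return offending


def request_mirroring_enabled(config: dict) -> bool:
    """True if any route action or virtual host carries request_mirror_policies."""
    return any(node.get("request_mirror_policies") for node in walk(config))


def assess(version: str, config: dict) -> dict:
    """Combine the version check with the configuration preconditions."""
    patterns = ext_authz_hop_by_hop_patterns(config)
    mirroring = request_mirroring_enabled(config)
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "hop_by_hop_patterns": patterns,
        "request_mirroring": mirroring,
        # Either circumstance named in the advisory suffices on an affected build.
        "exposed": affected and (bool(patterns) or mirroring),
    }


# Constructed, trimmed config fragment (not a real deployment): an HTTP ext_authz filter
# whose allow-list admits Upgrade (exact) and Connection (via regex), plus a shadowed route.
SAMPLE_CONFIG = {
    "http_filters": [{"name": "envoy.filters.http.ext_authz", "typed_config": {
        "@type": EXT_AUTHZ_TYPE,
        "http_service": {"authorization_request": {"allowed_headers": {"patterns": [
            {"exact": "authorization"}, {"exact": "Upgrade"}, {"safe_regex": {"regex": "conn.*"}},
        ]}}},
    }}],
    "route_config": {"virtual_hosts": [{"name": "app", "domains": ["*"], "routes": [
        {"match": {"prefix": "/"}, "route": {"cluster": "app", "request_mirror_policies": [{"cluster": "shadow"}]}},
    ]}]},
}
```

Run assess() against the bootstrap Envoy actually loads (json.load or yaml.safe_load into a dict) and the version reported by envoy --version. On an affected build, dropping the hop-by-hop patterns from allowed_headers and disabling mirroring removes the triggering circumstances the advisory lists, but upgrading to one of the patched releases is the fix.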

Impact

Envoy will crash and stop serving any traffic.

Credits

Nick Van Dyck

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-45810

Weaknesses

No CWEs
