ISTIO-SECURITY-2021-005
HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules.
Disclosure Details | |
---|---|
CVE(s) | CVE-2021-31920 |
CVSS Impact Score | 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Affected Releases | All releases prior to 1.8.6 1.9.0 to 1.9.4 |
Issue
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F
or %5C
)
could potentially bypass an Istio authorization policy when path based authorization rules are used. Related Envoy CVE:
CVE-2021-29492
.
For example, assume an Istio cluster administrator defines an authorization DENY policy to reject the request at path /admin
.
A request sent to the URL path //admin
will NOT be rejected by the authorization policy.
According to the RFC 3986,
the path //admin
with multiple slashes should technically be treated as a different path from the /admin
.
However, some backend services choose to normalize the URL paths by merging multiple slashes to a single slash.
This can result in a bypass of the authorization policy (//admin
does not match /admin
) and a user can access the resource at path /admin
in the backend; this would represent a security incident.
Am I impacted?
Your cluster is impacted by this vulnerability if you have authorization policies using ALLOW action + notPaths field
or DENY action + paths field
patterns.
These patterns are vulnerable to unexpected policy bypasses and you should upgrade to fix the security issue as soon as possible.
The following is an example of vulnerable policy that uses DENY action + paths field
pattern:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-path-admin
spec:
action: DENY
rules:
- to:
- operation:
paths: ["/admin"]
The following is another example of vulnerable policy that uses ALLOW action + notPaths field
pattern:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-path-not-admin
spec:
action: ALLOW
rules:
- to:
- operation:
notPaths: ["/admin"]
Your cluster is NOT impacted by this vulnerability if:
- You don’t have authorization policies
- Your authorization policies don’t define
paths
ornotPaths
fields. - Your authorization policies use
ALLOW action + paths field
orDENY action + notPaths field
patterns. These patterns could only cause unexpected rejection instead of policy bypasses. The upgrade is optional for these cases.
Mitigation
- Update your cluster to the latest supported version.
These versions support configuring the Envoy proxies in the system with more normalization options:
- Istio 1.8.6, if using 1.8.x
- Istio 1.9.5 or up
- The patch version specified by your cloud provider
- Follow the security best practices to configure your authorization policies.
Credit
We would like to thank Ruilin
and Test123
for discovering this issue.