
Abnormal termination when using auto_sni with :authority header longer than 255 characters

High
phlax published GHSA-3mh5-6q8v-25wj Apr 18, 2024

Package

TLS/SNI (Envoyproxy)

Affected versions

> 1.13, < 1.30.1

Patched versions

1.30.1, 1.29.4, 1.28.3, 1.27.5

Description

Summary

When an upstream TLS cluster is used with auto_sni enabled, a request whose host/:authority header (or the alternate header configured via override_auto_sni_header) is longer than 255 characters triggers an abnormal termination of the Envoy process.

Affected Components

TLS component for outbound connections.

Details

Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the host/:authority header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails.

Impact

Denial of Service due to abnormal process termination.

Attack vector(s)

A client request with a host/:authority header (or the alternate header configured via override_auto_sni_header) longer than 255 characters that is proxied to an Envoy cluster with the auto_sni option set to true.

Patches

This bug affects all currently maintained versions (and all versions from 1.13 to 1.30): 1.27.x, 1.28.x, 1.29.x, 1.30.x.

This bug is fixed in our latest versions. Update to the following versions to resolve:

  • >=1.30.1
  • >=1.29.4
  • >=1.28.3
  • >=1.27.5

Workarounds

Possible ways to prevent the crash:

  1. Use a Lua or Wasm filter to validate the host before sending it upstream. This works for all versions affected by this bug. See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter
  2. Drop requests with a host/:authority longer than 255 characters (e.g. using a regular expression matcher) by setting route match rules that send a local reply. Put this special route first in the route table to ensure all problematic requests are caught before any route that forwards to an auto_sni cluster.
  3. Drop the requests with host/:authority values longer than 255 bytes with a custom HTTP filter.
  4. Rewrite the host/:authority to a trusted value shorter than 255 characters with request_headers_to_add, host_rewrite_specifier, or a custom HTTP filter.
  5. Set the auto_sni option to false.
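The following configuration is an added example illustrating workarounds 1 and 2 together; it is not taken from the advisory or from the Envoy project. It assumes a static listener on port 10000 and a hypothetical upstream cluster named upstream_tls with a placeholder endpoint address; either the Lua filter or the first route on its own is sufficient, both are shown so the two approaches can be compared.

```yaml
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          # Workaround 1: a Lua filter rejects over-long :authority values before the
          # router filter can hand the request to an auto_sni cluster.
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              default_source_code:
                inline_string: |
                  function envoy_on_request(request_handle)
                    -- #authority is the byte length, matching the SNI limit of 255 bytes.
                    local authority = request_handle:headers():get(":authority")
                    if authority ~= nil and #authority > 255 then
                      -- respond() sends a local reply and stops further processing.
                      request_handle:respond({[":status"] = "400"}, "host header too long\n")
                    end
                  end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              # Workaround 2: the first route catches any :authority of 256 or more
              # characters and answers locally, so it never reaches the TLS cluster.
              - match:
                  prefix: "/"
                  headers:
                  - name: ":authority"
                    string_match:
                      safe_regex:
                        regex: ".{256,}"
                direct_response:
                  status: 400
                  body: { inline_string: "host header too long\n" }
              # Ordinary traffic continues to the auto_sni cluster.
              - match: { prefix: "/" }
                route: { cluster: upstream_tls }
  clusters:
  - name: upstream_tls   # hypothetical cluster name (assumption)
    type: STRICT_DNS
    load_assignment:
      cluster_name: upstream_tls
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # placeholder endpoint; replace with the real upstream host
              socket_address: { address: upstream.example.invalid, port_value: 443 }
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http_protocol_options: {}
        upstream_http_protocol_options:
          auto_sni: true   # the setting that makes the 255-character limit reachable
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
```

Envoy regex matchers must match the whole header value, so the `.{256,}` pattern only fires for values of 256 characters or more. The Lua check counts bytes rather than characters, which is the stricter of the two and matches how the SNI length limit is actually enforced. If override_auto_sni_header is configured on the cluster, the same check must be applied to that header instead of :authority.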

Detection

Abnormal process termination with the assert failure: rc. Details: error:100000d5:SSL routines:OPENSSL_internal:SSL3_EXT_INVALID_SERVERNAME message in the error log.

Credits

Adiyamankottai Rajaram, Archana [email protected]

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-32475

Weaknesses