CVE-2021-32780 in Envoy
Summary
by MITRE • 08/25/2021
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/29/2021
CVE-2021-32780 represents a critical denial of service vulnerability in the Envoy proxy software that operates at the application layer and serves as a communication bus for modern service-oriented architectures. This vulnerability specifically affects the HTTP/2 connection state management within Envoy's proxy implementation, where improper handling of connection state transitions leads to process termination. The flaw manifests when an upstream server sends a GOAWAY frame followed by a SETTINGS frame with SETTINGS_MAX_CONCURRENT_STREAMS set to zero within the same I/O event, creating an invalid state transition from CLOSED to DRAINING that causes the Envoy process to crash. This vulnerability is classified under CWE-691 as an Insufficient Control Flow Management, which directly relates to improper handling of state transitions in network protocol implementations. The issue stems from the fundamental design assumption that connection state transitions follow a valid sequence, but the combination of these specific HTTP/2 frames creates a scenario where the proxy's internal state machine encounters an undefined condition that results in process termination rather than graceful error handling.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire service mesh architecture that relies on Envoy for traffic management and communication. When exploited by an untrusted upstream server, this vulnerability can cause cascading failures throughout the system, particularly in environments where Envoy is used as a sidecar proxy in containerized applications or as a service mesh component in microservices architectures. The vulnerability is particularly dangerous in production environments where upstream servers might be compromised or where malicious actors could potentially manipulate traffic flows to trigger this specific sequence of frames. The attack vector requires only that an untrusted upstream server be able to send HTTP/2 frames to the Envoy proxy, which is common in distributed systems where trust boundaries are not always strictly enforced. This aligns with ATT&CK technique T1190 - Exploit Public-Facing Application, as it exploits a vulnerability in a widely deployed network service that accepts connections from untrusted sources.
The fix implemented in Envoy versions 1.19.1 and 1.18.4 addresses the root cause by ensuring that pending HTTP/2 frames are no longer processed after a connection transitions to the CLOSED state, thereby preventing the invalid state transition that leads to process termination. This mitigation strategy follows the principle of defensive programming by establishing clear boundaries around connection state handling and preventing further frame processing when a connection has been explicitly closed. The solution implements proper state validation checks that prevent the DRAINING state transition from occurring when the connection is already in the CLOSED state, effectively creating a barrier that prevents the process from entering an undefined state. Organizations implementing this fix should also consider monitoring for unusual connection state transitions and implementing additional security controls around upstream server trust relationships, as this vulnerability highlights the importance of robust state machine design in network protocol implementations. The vulnerability demonstrates the critical importance of proper state management in distributed systems and the potential for seemingly minor protocol handling issues to result in complete service outages that can affect entire application architectures.