CVE-2023-27488 in Envoy

Summary

by MITRE • 04/04/2023

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with `failure_mode_allow: true`, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy by default sanitizes the values sent in gRPC service calls to be valid UTF-8, replacing data that is not valid UTF-8 with a `!` character. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.service_sanitize_non_utf8_strings` to false. As a workaround, one may set `failure_mode_allow: false` for `ext_authz`.


Analysis

by VulDB Data Team • 04/05/2023

The vulnerability CVE-2023-27488 affects Envoy proxy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, specifically when the ext_authz filter is configured with `failure_mode_allow: true`. It represents a critical privilege escalation risk that stems from improper handling of non-UTF-8 data in HTTP headers during gRPC service communications. The flaw manifests when Envoy passes a request whose headers contain invalid UTF-8 sequences through the ext_authz, ext_proc, tap, or ratelimit filters, or through the gRPC access log service: Envoy builds a malformed protobuf message from the non-UTF-8 header data, and the receiving service typically fails to decode it, which can lead to unexpected behavior.

The technical root cause lies in how Envoy prepared header data for gRPC communications. When non-UTF-8 characters were present in HTTP headers, the proxy generated invalid protobuf messages that fail during decoding by the receiving service. This creates a security boundary violation in which the system's effective behavior changes based on the presence of malformed data. For ext_authz filters configured with `failure_mode_allow: true`, the failed authorization call is treated as a reason to let the request proceed, effectively bypassing authorization controls. This aligns with CWE-20: Improper Input Validation, where the system fails to properly validate input data before processing it through critical security components.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete loss of visibility and logging integrity within cloud-native environments. When the receiving services cannot properly decode the malformed protobuf messages, they often fail to log requests or generate errors that can cascade into system instability. This affects logging and monitoring systems that depend on these gRPC services for operational visibility, potentially masking malicious activities or legitimate operational issues. The vulnerability particularly impacts environments where security policies rely on authorization enforcement through ext_authz, as the system may inadvertently allow unauthorized access when it should have denied requests.

Organizations can mitigate this vulnerability through multiple approaches that align with established security frameworks. The primary remediation is upgrading to the patched versions of Envoy, whose default behavior sanitizes the values sent in gRPC service calls to valid UTF-8, replacing invalid sequences with the `!` character. This default sanitization addresses the root cause by preventing malformed protobuf messages from being transmitted. System administrators can temporarily revert to the previous behavior by setting the runtime guard `envoy.reloadable_features.service_sanitize_non_utf8_strings` to false, though this should only be used as a temporary workaround. A more immediate mitigation is changing the ext_authz configuration to `failure_mode_allow: false`, so that a protocol error results in request denial rather than unauthorized access. This aligns with the principle of least privilege and addresses ATT&CK technique T1078.002: Valid Accounts, by preventing the exploitation of authorization bypass mechanisms through malformed data injection attacks. The vulnerability demonstrates how seemingly benign data handling issues can create significant security implications in cloud-native proxy environments where multiple security filters interoperate.
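The following Python model illustrates both the mechanism described above (a gRPC check request carrying raw header bytes that the receiving service cannot decode) and the two mitigations (sanitizing to valid UTF-8 with `!`, and failing closed with `failure_mode_allow: false`). It is an added example, not Envoy's code or VulDB's: the `bang` error handler, the toy `authz_service`, the `constructed-demo-token` credential and the header values are all constructed for the demonstration, and the assumption that each undecodable span becomes exactly one `!` is the author's, since the advisory only states that non-UTF-8 data is replaced with `!`.

```python
"""Model of the header-sanitization behaviour behind CVE-2023-27488.

Added example; this is not Envoy's code. It models three things the advisory
describes: (1) a protobuf string field carrying a raw HTTP header must be valid
UTF-8, so a receiving gRPC service rejects it otherwise; (2) the fixed Envoy
versions replace non-UTF-8 data with '!' before the call; (3) whether a
rejected ext_authz call fails open or closed depends on failure_mode_allow.
"""
import codecs

# Error handler that substitutes one '!' for each undecodable span.
# Assumption: the advisory only says invalid data is replaced with '!';
# the exact granularity of Envoy's replacement is not stated there.
codecs.register_error("bang", lambda err: ("!", err.end))


def sanitize_non_utf8(raw: bytes) -> str:
    """Return raw as text, with every invalid UTF-8 sequence replaced by '!'."""
    return raw.decode("utf-8", errors="bang")


def is_valid_utf8(raw: bytes) -> bool:
    """True when raw decodes as strict UTF-8."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def encode_string_field(raw: bytes, sanitize: bool) -> bytes:
    """Bytes the proxy places in the protobuf string field for one header value.

    Unsanitized (pre-fix behaviour) the raw bytes go through unchanged.
    """
    return sanitize_non_utf8(raw).encode("utf-8") if sanitize else raw


def decode_string_field(field: bytes) -> str:
    """Strict receiver: a proto3 string field must be valid UTF-8."""
    if not is_valid_utf8(field):
        raise ValueError("invalid UTF-8 in protobuf string field")
    return field.decode("utf-8")


EXPECTED_TOKEN = "constructed-demo-token"  # constructed sample credential


def authz_service(headers: dict) -> bool:
    """Toy authorization service: allow only a matching bearer token."""
    return headers.get("authorization") == f"Bearer {EXPECTED_TOKEN}"


def ext_authz_decision(raw_headers: dict, *, sanitize: bool,
                       failure_mode_allow: bool) -> str:
    """Outcome of the ext_authz filter for one request.

    Returns 'allow', 'deny', or 'allow-fail-open' (the request is let through
    only because the check call failed and failure_mode_allow is true).
    """
    try:
        decoded = {name: decode_string_field(encode_string_field(val, sanitize))
                   for name, val in raw_headers.items()}
    except ValueError:
        # The authorization service could not decode the check request.
        return "allow-fail-open" if failure_mode_allow else "deny"
    return "allow" if authz_service(decoded) else "deny"


def non_utf8_header_names(raw_headers: dict) -> list:
    """Names of headers carrying non-UTF-8 bytes; useful for an access-log alert."""
    return [name for name, val in raw_headers.items() if not is_valid_utf8(val)]


if __name__ == "__main__":
    # Constructed request: one header holds a Latin-1 byte that is not valid UTF-8.
    bad = {"authorization": b"Bearer wrong", "x-note": b"caf\xe9"}
    print(ext_authz_decision(bad, sanitize=False, failure_mode_allow=True))   # allow-fail-open
    print(ext_authz_decision(bad, sanitize=False, failure_mode_allow=False))  # deny
    print(ext_authz_decision(bad, sanitize=True, failure_mode_allow=True))    # deny
    print(non_utf8_header_names(bad))  # ['x-note']
```

The three `ext_authz_decision` calls map onto the page's three states: unpatched with `failure_mode_allow: true` (the request is admitted without the token ever being checked), unpatched with `failure_mode_allow: false` (the workaround, which fails closed), and patched (sanitization lets the authorization service decode the request and evaluate it normally). `non_utf8_header_names` is the kind of check a defender can run over header values before or after the upgrade to see whether such requests are reaching the proxy at all.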

Responsible

GitHub, Inc.

Reservation

03/01/2023

Disclosure

04/04/2023

Moderation

accepted

CPE

ready

EPSS

0.00731

KEV

no

Activities

very low
