CVE-2024-23325 in envoy
Summary
by MITRE • 02/10/2024
Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn’t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/10/2024
The vulnerability described in CVE-2024-23325 represents a critical crash condition within the Envoy proxy software that manifests when processing Proxy protocol traffic with unsupported address types. This issue specifically impacts systems where IPv6 functionality has been disabled at the operating system level while Envoy is configured to accept Proxy protocol connections. The flaw occurs during the processing of client connections where the client presents an IPv6 address to a server that operates exclusively on IPv4 connectivity, creating a scenario that triggers an unhandled exception in the proxy's address resolution logic. This represents a fundamental failure in protocol handling and address family validation within the proxy's networking stack.
The technical implementation of this vulnerability stems from inadequate error handling in Envoy's Proxy protocol parser when encountering IPv6 addresses on systems where IPv6 support is not available. When a client sends a Proxy protocol header containing an IPv6 address to a server configured with IPv6 disabled, the proxy attempts to process the address without proper validation of the underlying OS capabilities. This leads to a segmentation fault or similar crash condition that terminates the Envoy process, effectively causing a denial of service. The vulnerability is categorized under CWE-248 as an Uncaught Exception and also relates to CWE-122 as an Incorrect Heap Allocation Size, as the crash occurs during memory allocation operations when processing unsupported address types.
From an operational perspective, this vulnerability creates significant risk for environments where IPv6 is disabled for security or compliance reasons but Proxy protocol functionality remains essential for connection handling. Organizations running Envoy proxies in such configurations face potential service disruption when legitimate client connections attempt to use IPv6 addressing. The impact extends beyond simple availability issues as the crash can occur with legitimate traffic patterns, making it particularly dangerous in production environments where service reliability is paramount. This vulnerability aligns with ATT&CK technique T1499.004 for Network Denial of Service, as it enables an attacker to potentially cause system crashes through carefully crafted Proxy protocol headers.
The resolution for this vulnerability requires upgrading to one of the patched versions including 1.29.1, 1.28.1, 1.27.3, or 1.26.7, as no workaround exists for the issue. Organizations should prioritize this upgrade across all Envoy deployments, particularly those operating in IPv6-disabled environments with Proxy protocol enabled. The vulnerability demonstrates the importance of proper protocol handling and OS capability detection in network proxy software, as it highlights how modern proxy implementations must account for varying network stack configurations and address family support across different deployment environments. Security teams should conduct immediate inventory assessments to identify all affected Envoy instances and implement the necessary upgrades to prevent potential exploitation of this crash condition.