Incorrect Access Control when using SDS with Combined Validation Context

Moderate
lizan published GHSA-3x9m-pgmg-xpx8 Mar 3, 2020

Package

Envoy

Affected versions

< 1.13.0

Patched versions

1.13.1, 1.12.3

Description

Vulnerability type

Incorrect Access Control

Attack type

Impersonation

Impact

Escalation of Privileges
Unauthorized access to service, service spoofing

Discoverer(s)/Credits

Andon Andonov (Microsoft)
Ryan Michela (Salesforce)
Scott Beardsley (Pinterest)
Jasper Misset (Visma Connect)

Description (full; not included in CVE but will be published on GitHub later and linked)

For the SDS TLS validation context in Envoy version 1.13.0 and earlier, the update callback was called only when the secret was received for the first time or when its value changed. As a result, if the same secret (e.g. a trusted CA) was used in multiple resources, any resource that used it but was configured after the secret had already been received remained unconfigured until the secret's value changed. The missing callback should have left the transport factories stuck in the "not ready" state. However, because of incorrect code, the available secret was processed like an inlined validation context, and only the rules from the dynamic ("secret") part of the validation context were applied, leading to a complete bypass of the rules from the static ("default") part.
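To check whether a deployment has the configuration shape described above, the following added example (not Envoy project code) walks a parsed Envoy JSON config and reports SDS validation secrets that are shared by several resources through `combined_validation_context`, together with the static rules each resource relies on. The cluster names, secret names and SAN values are constructed, and the sample assumes the v2 API field `verify_subject_alt_name` as the static rule.

```python
from collections import defaultdict

def find_combined_contexts(node, path="$"):
    """Yield (path, sds_secret_name, static_rule_names) per combined_validation_context."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "combined_validation_context" and isinstance(value, dict):
                sds = value.get("validation_context_sds_secret_config") or {}
                static = value.get("default_validation_context") or {}
                yield child, sds.get("name"), sorted(static)
            yield from find_combined_contexts(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_combined_contexts(item, f"{path}[{i}]")

def shared_secret_exposure(config):
    """Return {secret_name: [(path, static_rules), ...]} for SDS validation secrets
    referenced by two or more resources. Only users with static rules are listed,
    because those rules are what the advisory says were skipped. Which resource is
    configured after the secret arrived is a runtime matter, so all are reported."""
    by_secret = defaultdict(list)
    for path, name, rules in find_combined_contexts(config):
        if name:
            by_secret[name].append((path, rules))
    return {name: [u for u in users if u[1]]
            for name, users in by_secret.items()
            if len(users) > 1 and any(u[1] for u in users)}

def _cluster(name, secret, sans):  # helper that builds the constructed sample below
    ctx = {"default_validation_context": {"verify_subject_alt_name": sans} if sans else {},
           "validation_context_sds_secret_config": {"name": secret}}
    return {"name": name, "transport_socket": {"typed_config": {
        "common_tls_context": {"combined_validation_context": ctx}}}}

# Constructed sample in the shape json.load() gives for an Envoy JSON config.
SAMPLE = {"static_resources": {"clusters": [
    _cluster("billing", "trusted_ca", ["billing.example.internal"]),
    _cluster("orders", "trusted_ca", ["orders.example.internal"]),
    _cluster("metrics", "metrics_ca", ["metrics.example.internal"]),
]}}

if __name__ == "__main__":
    for secret, users in shared_secret_exposure(SAMPLE).items():
        print(f"SDS validation secret {secret!r} is shared; static rules at risk:")
        for path, rules in users:
            print(f"  {path}: {', '.join(rules)}")
```

A non-empty result on an unpatched version means the listed static rules may not be enforced; upgrading to a patched version listed above is the fix.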

Severity

Moderate

CVE ID

CVE-2020-8664

Weaknesses

No CWEs