CVE-2023-35943 - Envoy CORS Filter Segfault Vulnerability Exploited When `origin` Header is Removed

Envoy is a popular open-source edge and service proxy designed for cloud-native applications. This high-performance proxy, originally developed by the team at Lyft, helps developers maintain a reliable and scalable network architecture. However, a recently disclosed vulnerability (CVE-2023-35943) affects Envoy versions before 1.27., 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Vulnerability Details

CVE-2023-35943 affects the CORS (Cross-Origin Resource Sharing) filter in Envoy. When the origin header is removed between decodeHeaders and encodeHeaders, the CORS filter segfaults and crashes Envoy, resulting in a potential Denial of Service (DoS) against any application that relies on Envoy. The impact is considered critical, since a crash of the proxy can cause outages of entire applications.

Here's a configuration snippet that demonstrates the vulnerability:

http_filters:
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      function envoy_on_request(request_handle)
        request_handle:headers():remove("origin")
      end
- name: envoy.filters.http.cors
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors

In this example, the Lua filter removes the origin header, and the CORS filter that follows it in the chain triggers the crash when it later processes the headers.

References

- Original announcement: https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history#version-history
- Envoy GitHub repository: https://github.com/envoyproxy/envoy
- Envoy documentation: https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy
- CVE-2023-35943 details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35943
- NIST NVD CVE-2023-35943: https://nvd.nist.gov/vuln/detail/CVE-2023-35943

Workaround

To mitigate the risk posed by this vulnerability, it is highly recommended to upgrade to the latest Envoy version that includes the fix. However, if upgrading immediately isn't practical, a temporary workaround is to avoid removing the origin header in the Envoy configuration.
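The following audit script is an added example, not part of the original advisory or of the Envoy project: it walks an `http_filters` chain and flags any Lua filter that calls `headers():remove("origin")` while the CORS filter is also loaded, which is the pattern shown above and the one the workaround tells you to avoid. It assumes the filter chain has been expressed as JSON (Envoy accepts JSON as well as YAML), so it needs only the standard library; the sample chains are constructed for the example.

```python
import json
import re

# Envoy identifies a filter by its typed_config "@type" URL; the "name" field is
# free-form, so the audit keys on the type URL rather than the name.
CORS_TYPE = "type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors"
LUA_TYPE = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"

# Heuristic: any Lua headers():remove("origin") call, in any letter case.
ORIGIN_REMOVE_RE = re.compile(
    r'headers\(\)\s*:\s*remove\(\s*["\']origin["\']\s*\)', re.IGNORECASE)

# Constructed sample: the advisory's chain as JSON (Envoy also accepts JSON),
# so the audit runs on real config syntax with only the standard library.
VULNERABLE_HTTP_FILTERS = json.loads(r"""[
  {"name": "envoy.filters.http.lua",
   "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
     "inline_code": "function envoy_on_request(request_handle)\n  request_handle:headers():remove(\"origin\")\nend"}},
  {"name": "envoy.filters.http.cors",
   "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors"}}
]""")

# Constructed chain with the workaround applied: the Lua filter leaves `origin`
# alone (it removes an unrelated debug header instead).
SAFE_HTTP_FILTERS = [
    {"name": "envoy.filters.http.lua",
     "typed_config": {"@type": LUA_TYPE, "inline_code":
         'function envoy_on_request(h)\n  h:headers():remove("x-debug")\nend'}},
    {"name": "envoy.filters.http.cors", "typed_config": {"@type": CORS_TYPE}},
]

def filter_type(f):
    return f.get("typed_config", {}).get("@type", "")

def lua_removes_origin(inline_code):
    """True if a Lua snippet contains a headers():remove("origin") call."""
    return bool(ORIGIN_REMOVE_RE.search(inline_code or ""))

def audit_http_filters(http_filters):
    """Names of Lua filters that remove `origin` in a chain that also loads the
    CORS filter; an empty list means the advisory's trigger is absent."""
    if not any(filter_type(f) == CORS_TYPE for f in http_filters):
        return []
    return [f.get("name", "<unnamed>") for f in http_filters
            if filter_type(f) == LUA_TYPE
            and lua_removes_origin(f["typed_config"].get("inline_code"))]

if __name__ == "__main__":
    print("flagged:", audit_http_filters(VULNERABLE_HTTP_FILTERS))  # ['envoy.filters.http.lua']
    print("flagged:", audit_http_filters(SAFE_HTTP_FILTERS))        # []
```

The regex is a heuristic for inline Lua only; a chain that removes the header by some other mechanism is not covered, so treat a clean result as one input to the review, not as proof that the trigger is absent.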

Conclusion

The CVE-2023-35943 vulnerability presents a significant risk to organizations and developers running Envoy versions prior to 1.27., 1.26.4, 1.25.9, 1.24.10, and 1.23.12. It is crucial to take the necessary measures, such as upgrading Envoy or applying the workaround of leaving the origin header intact, to prevent potential service disruptions from this vulnerability. As always, stay vigilant and ensure you are using the latest and most secure software versions for your applications.

Timeline

Published on: 07/25/2023 19:15:00 UTC
Last modified on: 08/02/2023 18:47:00 UTC