Introduction

Envoy, a popular cloud-native high-performance edge/middle/service proxy, has been found to have a critical vulnerability in its HTTP/2 codec. The vulnerability is designated as CVE-2023-35945 and could potentially lead to denial of service attacks through memory exhaustion. The security flaw arises due to a leak in the header map and bookkeeping structures when a malicious actor sends a RST_STREAM immediately followed by a GOAWAY frame from an upstream server.

In this long-read post, we'll investigate the exploit details, provide links to original references and showcase the patch that resolves the issue for versions 1.26.3, 1.25.8, 1.24.9, and 1.23.11.

Code Snippet: The Vulnerability in Action

The vulnerability in Envoy's HTTP/2 codec occurs because the clean-up code for nghttp2's pending requests is skipped during deallocation once a GOAWAY frame has been received. If the connection has already been marked because of the GOAWAY, the codec takes the error-return path, and that path never frees the stream's header map or bookkeeping structures, so the memory leaks.

Here's a simplified code snippet to demonstrate the issue:

// Set once a GOAWAY frame has been received on this connection
bool connection_marked_for_goaway = false;

// Release the stream's header map and the nghttp2 pending-request bookkeeping
void free_compressed_header();
void free_bookkeeping_structure();

void on_goaway_received() {
    // If the connection is marked as not sending more requests due to GOAWAY
    if (connection_marked_for_goaway) {
        // Return without cleaning up the memory: the header map and
        // bookkeeping allocated for the stream are leaked on this path
        return;
    }

    // Clean up the memory
    free_compressed_header();
    free_bookkeeping_structure();
}

Exploit Details

The attacker can trigger this vulnerability by sending two consecutive frames: first the RST_STREAM frame, which aborts a particular HTTP/2 stream, followed by the GOAWAY frame, which tells the recipient to stop creating new streams on the connection. When these frames are sent in immediate succession, the previously described memory leak occurs, potentially leading to memory exhaustion and a denial of service attack on susceptible Envoy instances.
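As an added example (not code from the original post, from Envoy or from nghttp2), the following C++ program decodes the 9-octet HTTP/2 frame headers defined in RFC 9113 from a captured byte stream and reports every RST_STREAM that is immediately followed by a GOAWAY, which is the frame ordering described above. The sample byte strings are constructed inline, and the type and function names are my own. On the defensive side, an upstream sending this sequence is not proof of abuse, since a server shutting down gracefully can also reset a stream and then send GOAWAY, but on an unpatched Envoy it is the trigger condition worth correlating with rising memory use in the proxy.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// HTTP/2 frame type codes from RFC 9113, section 6 (only the ones used here).
constexpr uint8_t FRAME_HEADERS = 0x1;
constexpr uint8_t FRAME_RST_STREAM = 0x3;
constexpr uint8_t FRAME_GOAWAY = 0x7;

// Decoded 9-octet frame header: 24-bit length, 8-bit type, 8-bit flags,
// one reserved bit plus a 31-bit stream identifier.
struct FrameHeader {
    uint32_t length;
    uint8_t type;
    uint8_t flags;
    uint32_t stream_id;
};

// Walk a raw byte buffer and decode every frame header, skipping payloads.
// Throws on a truncated frame so a partial capture is not silently misread.
std::vector<FrameHeader> parse_frames(const std::vector<uint8_t>& buf) {
    std::vector<FrameHeader> frames;
    size_t pos = 0;
    while (pos + 9 <= buf.size()) {
        FrameHeader h;
        h.length = (uint32_t(buf[pos]) << 16) | (uint32_t(buf[pos + 1]) << 8) | buf[pos + 2];
        h.type = buf[pos + 3];
        h.flags = buf[pos + 4];
        h.stream_id = ((uint32_t(buf[pos + 5]) & 0x7f) << 24) | (uint32_t(buf[pos + 6]) << 16) |
                      (uint32_t(buf[pos + 7]) << 8) | buf[pos + 8];
        pos += 9;
        if (pos + h.length > buf.size()) throw std::runtime_error("truncated frame payload");
        pos += h.length;
        frames.push_back(h);
    }
    if (pos != buf.size()) throw std::runtime_error("trailing bytes shorter than a frame header");
    return frames;
}

// Stream ids of every RST_STREAM that is immediately followed by a GOAWAY.
std::vector<uint32_t> rst_then_goaway(const std::vector<FrameHeader>& frames) {
    std::vector<uint32_t> hits;
    for (size_t i = 0; i + 1 < frames.size(); ++i) {
        if (frames[i].type == FRAME_RST_STREAM && frames[i + 1].type == FRAME_GOAWAY) {
            hits.push_back(frames[i].stream_id);
        }
    }
    return hits;
}

size_t count_rst_then_goaway(const std::vector<uint8_t>& buf) {
    return rst_then_goaway(parse_frames(buf)).size();
}

// Serialise one frame (used only to build the constructed samples below).
void append_frame(std::vector<uint8_t>& buf, uint8_t type, uint8_t flags, uint32_t stream_id,
                  const std::vector<uint8_t>& payload) {
    uint32_t len = static_cast<uint32_t>(payload.size());
    buf.push_back(static_cast<uint8_t>(len >> 16));
    buf.push_back(static_cast<uint8_t>(len >> 8));
    buf.push_back(static_cast<uint8_t>(len));
    buf.push_back(type);
    buf.push_back(flags);
    buf.push_back(static_cast<uint8_t>((stream_id >> 24) & 0x7f));
    buf.push_back(static_cast<uint8_t>(stream_id >> 16));
    buf.push_back(static_cast<uint8_t>(stream_id >> 8));
    buf.push_back(static_cast<uint8_t>(stream_id));
    buf.insert(buf.end(), payload.begin(), payload.end());
}

// Constructed sample of the trigger ordering: HEADERS on stream 1, RST_STREAM(CANCEL)
// on stream 1, then GOAWAY with last-stream-id 1 and NO_ERROR.
std::vector<uint8_t> sample_trigger_bytes() {
    std::vector<uint8_t> buf;
    append_frame(buf, FRAME_HEADERS, 0x4, 1, {0x88});                  // END_HEADERS; 0x88 is HPACK ":status 200"
    append_frame(buf, FRAME_RST_STREAM, 0x0, 1, {0, 0, 0, 0x8});       // error code CANCEL
    append_frame(buf, FRAME_GOAWAY, 0x0, 0, {0, 0, 0, 1, 0, 0, 0, 0}); // last stream 1, NO_ERROR
    return buf;
}

// Constructed benign sample: a stream completes normally, then the upstream
// announces shutdown with GOAWAY. No RST_STREAM precedes it.
std::vector<uint8_t> sample_benign_bytes() {
    std::vector<uint8_t> buf;
    append_frame(buf, FRAME_HEADERS, 0x5, 1, {0x88});                  // END_STREAM | END_HEADERS
    append_frame(buf, FRAME_GOAWAY, 0x0, 0, {0, 0, 0, 1, 0, 0, 0, 0});
    return buf;
}

int main() {
    for (uint32_t id : rst_then_goaway(parse_frames(sample_trigger_bytes()))) {
        std::printf("RST_STREAM on stream %u immediately followed by GOAWAY\n", id);
    }
    std::printf("benign sample hits: %zu\n", count_rst_then_goaway(sample_benign_bytes()));
    return 0;
}
```

The parser deliberately refuses truncated input instead of guessing at a partial frame; in a real deployment the same check would run on frames the proxy or an IDS has already decoded, where stream ids can be joined with per-connection memory statistics.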

References

1. Envoy CVE-List Documentation
2. nghttp2 Library GitHub Repository
3. Envoy Proxy GitHub Repository

Patched Versions and Resolution

Fortunately, the Envoy team has resolved this vulnerability in the following versions of the software:

1.26.3
1.25.8
1.24.9
1.23.11

To protect against the exploit, it is strongly recommended to update Envoy to one of the patched versions. The following code change showcases the patch as applied to the previous code snippet:

void on_goaway_received() {
    // If the connection is marked as not sending more requests due to GOAWAY
    if (connection_marked_for_goaway) {
        // Clean up the memory before returning, so the GOAWAY path
        // no longer skips the deallocation
        free_compressed_header();
        free_bookkeeping_structure();
        return;
    }

    // Clean up the memory
    free_compressed_header();
    free_bookkeeping_structure();
}
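To make the ownership problem behind the two snippets concrete, here is an added, self-contained C++ model; it is my own code, not Envoy's or nghttp2's, and every type and function name in it is invented for the demonstration. It puts a leaky close handler, which frees the per-stream bookkeeping by hand and has an error-return path that skips the free, beside a hardened handler whose bookkeeping is owned by a std::unique_ptr. A driver replays the RST_STREAM-then-GOAWAY ordering from the write-up and reports how many bookkeeping objects are left alive afterwards.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Instrumentation for this demo only: number of per-stream bookkeeping
// objects currently alive. Objects still alive after the close handling
// has run are the leak.
static int g_live_bookkeeping = 0;

// Stand-in for the header map and bookkeeping kept per HTTP/2 stream.
struct StreamBookkeeping {
    uint32_t stream_id;
    std::map<std::string, std::string> headers;
    explicit StreamBookkeeping(uint32_t id) : stream_id(id) { ++g_live_bookkeeping; }
    ~StreamBookkeeping() { --g_live_bookkeeping; }
};

// Minimal per-connection state (invented for the demo).
struct Connection {
    std::map<uint32_t, StreamBookkeeping*> pending;  // streams not yet closed
    std::vector<uint32_t> closed_by_rst;             // streams reset, cleanup still pending
    bool goaway_received = false;

    // Detach the bookkeeping for a stream; the caller becomes responsible for it.
    StreamBookkeeping* take(uint32_t id) {
        auto it = pending.find(id);
        if (it == pending.end()) return nullptr;
        StreamBookkeeping* bk = it->second;
        pending.erase(it);
        return bk;
    }
};

// Leaky close handler: manual delete, plus an error-return path that skips it.
int close_stream_leaky(Connection& c, uint32_t id) {
    StreamBookkeeping* bk = c.take(id);
    if (bk == nullptr) return 0;
    if (c.goaway_received) {
        // Connection already marked by GOAWAY: bail out with an error code.
        // BUG: bk is never deleted on this path.
        return -1;
    }
    delete bk;
    return 0;
}

// Hardened close handler: ownership lives in a unique_ptr, so every return
// path, the error one included, releases the bookkeeping.
int close_stream_fixed(Connection& c, uint32_t id) {
    std::unique_ptr<StreamBookkeeping> bk(c.take(id));
    if (!bk) return 0;
    if (c.goaway_received) return -1;  // bk's destructor runs here
    return 0;
}

// Replay the sequence: stream 1 is opened, RST_STREAM resets it, and (when
// goaway_before_close is set) GOAWAY arrives before the deferred close handling
// runs. Returns how many bookkeeping objects the sequence left alive.
int run_sequence(bool goaway_before_close, bool use_fixed_handler) {
    int before = g_live_bookkeeping;
    Connection c;
    c.pending[1] = new StreamBookkeeping(1);            // upstream stream 1 opened
    c.closed_by_rst.push_back(1);                       // RST_STREAM on stream 1
    if (goaway_before_close) c.goaway_received = true;  // GOAWAY immediately after
    for (uint32_t id : c.closed_by_rst) {
        if (use_fixed_handler) close_stream_fixed(c, id);
        else close_stream_leaky(c, id);
    }
    return g_live_bookkeeping - before;  // 0 means nothing leaked
}

int main() {
    std::printf("leaky handler, RST then GOAWAY : %d leaked\n", run_sequence(true, false));
    std::printf("leaky handler, no GOAWAY       : %d leaked\n", run_sequence(false, false));
    std::printf("fixed handler, RST then GOAWAY : %d leaked\n", run_sequence(true, true));
    return 0;
}
```

The snippet on the page fixes the bug by adding the missing cleanup call to the GOAWAY branch; the unique_ptr form goes one step further, because it removes the manual cleanup entirely, so a later change that adds yet another early return cannot reintroduce the same leak.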

Conclusion

CVE-2023-35945 serves as a critical reminder of the importance of keeping software up-to-date, especially when it comes to cloud-native applications and services like Envoy proxy. By staying informed and applying patches promptly, you can protect your infrastructure from potentially severe security vulnerabilities and the consequences they may entail.

Timeline

Published on: 07/13/2023 21:15:00 UTC
Last modified on: 07/25/2023 18:36:00 UTC