Istio is a popular open platform used by many organizations to connect, manage, and secure their microservices. A vulnerability (CVE-2022-24726) has been discovered in certain versions of Istio that can crash the control plane and so enable Denial of Service (DoS) attacks.

Vulnerability Overview

The vulnerability affects the Istio control plane, istiod, which is responsible for the management and security of the entire Istio service mesh. When the validating webhook, an essential part of Istio's request handling, is exposed publicly and a malicious attacker sends a specially crafted message, the control plane can crash, disrupting the service mesh.

The endpoint at risk is served on TLS port 15017 and requires no authentication from the caller. In most Istio setups istiod is reachable only from within the cluster, which limits the impact, but the risk is far greater when istiod is deployed in an external istiod topology, which exposes this port to the public internet.

Exploit Details

An attacker can crash the Istio control plane simply by sending a specially crafted message to the validating webhook on the exposed port, 15017. No authentication or intricate technique is required, so the potential attack surface is large.

Affected Versions

Istio 1.11.7 and earlier

To address this issue, Istio has released patches in the following versions for each respective release branch:

Istio 1.11.8

Users are strongly encouraged to upgrade to these patched versions to eliminate the risk from this vulnerability.

Mitigation

Users who are unable to upgrade to the patched Istio versions have alternative mitigations to reduce the risk from this vulnerability:

1. Disable access to the validating webhook if it is exposed to the public internet. This removes the attacker's ability to send malicious requests directly to the endpoint.

2. Restrict the set of IP addresses that can query the validating webhook to a known set of trusted sources. Limiting access to authorized IP addresses minimizes the chances of an attacker reaching this vulnerability.
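As an added illustration of mitigation 2 (this is not from the Istio advisory or the Istio project), a Kubernetes NetworkPolicy that keeps istiod's webhook port 15017 reachable only from a trusted source range while leaving the rest of the control plane reachable by the mesh. The namespace, the `app: istiod` label, the placeholder range 10.0.0.0/24 and the xDS/monitoring port numbers are assumptions about a typical deployment, not facts from the advisory.

```yaml
# Added example (not part of the advisory): restrict who can reach istiod's
# validating-webhook port (15017) without cutting sidecars off from istiod.
# Assumptions: istiod runs in namespace istio-system with pod label app=istiod;
# the cluster CNI enforces NetworkPolicy; the Kubernetes API server, which is
# the only legitimate caller of the webhook, reaches istiod from the
# constructed placeholder range 10.0.0.0/24 (replace with your real range).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istiod-restrict-validating-webhook
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiod
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: once a pod is selected, every ingress port not listed is denied,
    # so the xDS ports (15010 plaintext, 15012 TLS) and the control-plane
    # monitoring port (15014) must stay open to the mesh.
    - ports:
        - port: 15010
          protocol: TCP
        - port: 15012
          protocol: TCP
        - port: 15014
          protocol: TCP
    # Rule 2: the webhook port is reachable only from the trusted range.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24   # PLACEHOLDER: API server / admin source range
      ports:
        - port: 15017
          protocol: TCP
```

If your CNI also enforces policy on kubelet probes, add istiod's readiness port to rule 1; and in an external istiod topology the port is usually published through a load balancer or gateway, so the same source restriction must be applied there (for example with the cloud firewall), since a pod-level policy does not filter traffic before it reaches the cluster edge.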

Conclusion

CVE-2022-24726 highlights the importance of securing microservices and their connectivity. Organizations using Istio, especially with external istiod topologies, should upgrade to the patched versions or apply the recommended mitigations to limit the potential damage from this vulnerability.

Timeline

Published on: 03/10/2022 21:15:00 UTC
Last modified on: 03/18/2022 20:20:00 UTC