Istio is a service mesh for the enterprise, designed for critical applications in which the control plane must be highly available and fault tolerant. Istio was designed to scale to thousands of nodes and tens of thousands of connections. Istio is different from other solutions in that it is not a single package, but instead a collection of different software components. The control plane for Istio is the Kubernetes validating or mutating webhook. The validating webhook is exposed by default to external applications. There are several ways to expose the validating webhook, such as exposing it on the Internet, using a cloud-init configuration, or using a custom controller. In all of these cases, an attacker can exploit the exposed validating webhook. The invalidating webhook is an internal Kubernetes service that all other components in Istio, including the control plane, can consume. When an invalidating webhook is consumed, it marks a node as unhealthy, and sends an email to a configurable address with details about the node and the reason why it was marked unhealthy. An attacker can consume the invalidating webhook, causing the same process to happen and providing the attacker with a way to mark nodes as healthy and receive email notifications. There are several ways to consume the invalidating webhook, such as exposing it on the Internet, using a cloud-init configuration, or using a custom controller. In all of these cases, an attacker can

Istio is not a single package and must be installed in multiple ways

Istio is not a single package, but instead a suite of different software components. The control plane for Istio is the Kubernetes validating or mutating webhook. The validating webhook is exposed by default to external applications. There are several ways to expose the validating webhook, such as exposing it on the Internet, using a cloud-init configuration, or using a custom controller. In all of these cases, an attacker can exploit the exposed validating webhook and cause Istio to mark nodes as unhealthy and send email notifications about the node.
To install Istio across multiple nodes in an organization's network, you must use different methods of installing Istio. For example, you can install Istio as a Replication Controller (RC) on each node, with each RC consuming its own local invalidating webhook and then binding itself to another local RC in order to replicate data between nodes; or you can install it as one Replication Controller that uses Kubernetes Ingress resources to expose its services over HTTP or HTTPS externally and then consume them internally through the invalidating webhooks.

Istio networking control plane

The networking control plane is the Kubernetes service that manages the availability and health of the pods that are part of a service mesh. The networking control plane is responsible for routing traffic to and from pods, including communication from clients or services that call into Istio, traffic that comes in through a proxy, health checks for all pods, and routing events to other parts of the Istio infrastructure.
A vulnerability was discovered in Istio's networking control plane where an attacker who can access the validating webhook could send invalid traffic through the networking control plane. This would cause one or more components to assume they had connectivity when they did not. This would have several effects:
1) An attacker could force Istio to consume a different validating webhook.
2) An attacker could consume a different invalidating webhook.
3) An attacker could consume both validating and invalidating webhooks at once, causing undesired behavior such as dropping packets or simply injecting abnormal traffic on behalf of another entity.

Istio Validating Webhook

This vulnerability impacts Istio’s validating webhook, which is exposed by default to external applications. An attacker can exploit the exposed validating webhook in order to cause a service to become unhealthy and receive email alerts.

Istio Control Plane Security

The control plane of Istio is exposed to the Internet by default, and the invalidating webhook is an internal Kubernetes service that can be consumed internally. The validating webhook is not exposed to the Internet.

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/19/2022 14:24:00 UTC
