CVE-2023-35942 - Critical Vulnerability in Envoy Proxy: gRPC Access Loggers Use-After-Free Crash

Envoy is a popular open source edge and service proxy specifically designed for cloud-native applications. It helps enable secure and reliable communication across multiple microservices. However, several versions of Envoy (prior to 1.27., 1.26.4, 1.25.9, 1.24.10, and 1.23.12) have been found to have a critical vulnerability: the gRPC access loggers can cause a use-after-free crash. This article provides an overview of the vulnerability, explains the potential impact, and describes some mitigation steps.

Details

CVE-2023-35942 is a critical vulnerability affecting Envoy proxy. The vulnerability occurs when gRPC access loggers, using a listener's global scope, can cause a use-after-free crash while the listener is in a drained state. This means that an attacker could potentially exploit this vulnerability to crash the Envoy proxy, causing a denial of service (DoS) attack.

The Envoy team has released updates that address this vulnerability in versions 1.27., 1.26.4, 1.25.9, 1.24.10, and 1.23.12. The fix involves changing the scope of the gRPC access loggers instance.

Exploit Details

A potential way to exploit this vulnerability exists when a malicious actor sends specially crafted gRPC requests to cause the access loggers to reference a freed memory address. This can result in a crash or unexpected behavior.

An example scenario that could lead to unexpected behavior might look like this

// Listener configuration with gRPC access log
access_log:
  - name: envoy.variant_access_log_filter.http_grpc
    config:
      common_config:
        log_name: access_log
        grpc_service:
          envoy_grpc:
            cluster_name: envoy_accesslog_service
      filter:
        status_filter:
          grpc_status:
            not: {}

Users of Envoy proxy should do the following to mitigate the vulnerability

1. Update Envoy proxy to versions 1.27., 1.26.4, 1.25.9, 1.24.10, or 1.23.12, which contain the fix for this vulnerability.
2. If updating is not an option, consider disabling gRPC access logging for listeners by removing the access_log configuration or stop updating the listener.

The following links provide further details on CVE-2023-35942

- Envoy GitHub Repository
- CVE-2023-35942 Details
- Envoy Security Advisory

Conclusion

The CVE-2023-35942 vulnerability in Envoy proxy is a critical issue that could potentially lead to a denial of service attack. It is vital for Envoy users to address this issue by updating their Envoy proxy versions to those with the fix or by implementing the recommended workarounds.

Timeline

Published on: 07/25/2023 19:15:00 UTC
Last modified on: 08/02/2023 18:36:00 UTC