Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwaDYtcXE1eC03andj

ExternalName Services can be used to gain access to Envoy's admin interface

Impact

Josh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it cannot be used to get the content of those secrets.

Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above.

Patches

The issue will be addressed in the forthcoming Contour v1.18.0 and a patch release, v1.17.1, has been released in the meantime.

It is addressed in two ways:

Disable ExternalName type Services by default

This change prohibits processing of ExternalName services unless the cluster operator specifically allows them using the new --enable-externalname flag or equivalent configuration file setting. This is a breaking change for previous versions of Contour, which is unfortunate, but necessary because of the severity of the information exposed in this advisory.

Block obvious localhost entries for enabled ExternalName Services

As part of this change set, we have added a filter in the event that operators do enable ExternalName Services, such that obvious localhost entries are rejected by Contour.

There are a number of problems with this method, however:

Workarounds

Not easily. It's not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas.

For more information

Exploit code will be published at a later date for this vulnerability, once our users have had a chance to upgrade.

Permalink: https://github.com/advisories/GHSA-5ph6-qq5x-7jwc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwaDYtcXE1eC03andj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 8.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Identifiers: GHSA-5ph6-qq5x-7jwc, CVE-2021-32783
References: Repository: https://github.com/projectcontour/contour
Blast Radius: 15.5

Affected Packages

go:github.com/projectcontour/contour
Dependent packages: 45
Dependent repositories: 67
Downloads:
Affected Version Ranges: = 1.17.0, = 1.16.0, >= 1.15.0, < 1.15.2, < 1.14.2
Fixed in: 1.17.1, 1.16.1, 1.15.2, 1.14.2
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.13.0, 1.13.1, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.16.0, 1.17.0
All unaffected versions: 1.14.2, 1.15.2, 1.16.1, 1.17.1, 1.17.2, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.23.6, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.28.3