Bug 1861625 (CVE-2020-16844)

Summary: CVE-2020-16844 istio: incorrect translation of DENY policy for TCP service
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: askrabec, kconner, rcernich, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: istio 1.5.9, istio 1.6.8 Doc Type: If docs needed, set a value
Doc Text:
An insecure access control vulnerability was found in Istio. If an authorization policy is created for a TCP service that includes a DENY rule with a prefix wildcard, Istio translates this into an Envoy string match, incorrectly removing the wildcard. This flaw allows an attacker to subvert particular DENY rules, potentially gaining access to restricted resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-11 21:15:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1861624    

Description Mark Cooper 2020-07-29 04:50:20 UTC 
It has been discovered that Istio through 1.5.8 and 1.6.5, contains an insecure access control vulnerability. When an AuthorizationPolicy is created for a TCP service which includes a DENY rule with a prefix wildcard, Istio translates this to an Envoy match string incorrectly dropping the wildcard. Hence a matching caller will not be denied as the string will not match as intended. 

This only affects DENY policies for TCP services using prefix matching. HTTP, prefix and exact matching are unaffected.
Comment 1 Mark Cooper 2020-07-29 04:50:23 UTC 
Acknowledgments:

Name: the Envoy Security Team
Comment 9 errata-xmlrpc 2020-08-11 20:53:49 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3425 https://access.redhat.com/errata/RHSA-2020:3425
Comment 10 Product Security DevOps Team 2020-08-11 21:15:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16844
Comment 12 Mark Cooper 2020-08-11 22:23:43 UTC 
External References:

https://istio.io/latest/news/security/istio-security-2020-009/
Comment 14 Mark Cooper 2020-08-11 23:26:46 UTC 
Mitigation:

In regards to an AuthorizationPolicy for a TCP service, if using a DENY rule in the source principal (or namespace field) such as:
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    ...
   spec: 
     action: DENY
     rules:
     - from:
       - source:
           principals:
           - */ns/servicemesh

Consider using an exact or suffix match instead such as:
    - /foo/bar/ns/servicemesh