Bug 1861625 (CVE-2020-16844) - CVE-2020-16844 istio: incorrect translation of DENY policy for TCP service
Summary: CVE-2020-16844 istio: incorrect translation of DENY policy for TCP service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-16844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1861624
 
Reported: 2020-07-29 04:50 UTC by Mark Cooper
Modified: 2021-09-22 14:45 UTC (History)
4 users (show)

Fixed In Version: istio 1.5.9, istio 1.6.8
Doc Type: If docs needed, set a value
Doc Text:
An insecure access control vulnerability was found in Istio. If an authorization policy is created for a TCP service that includes a DENY rule with a prefix wildcard, Istio translates this into an Envoy string match, incorrectly removing the wildcard. This flaw allows an attacker to subvert particular DENY rules, potentially gaining access to restricted resources.
Clone Of:
Environment:
Last Closed: 2020-08-11 21:15:58 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3425 0 None None None 2020-08-11 20:53:52 UTC

Description Mark Cooper 2020-07-29 04:50:20 UTC
It has been discovered that Istio through 1.5.8 and 1.6.5 contains an insecure access control vulnerability. When an AuthorizationPolicy is created for a TCP service which includes a DENY rule with a prefix wildcard, Istio translates this to an Envoy match string, incorrectly dropping the wildcard. Hence a matching caller will not be denied, as the string will not match as intended.

This only affects DENY policies for TCP services using prefix matching. HTTP, prefix and exact matching are unaffected.

Comment 1 Mark Cooper 2020-07-29 04:50:23 UTC
Acknowledgments:

Name: the Envoy Security Team

Comment 9 errata-xmlrpc 2020-08-11 20:53:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3425 https://access.redhat.com/errata/RHSA-2020:3425

Comment 10 Product Security DevOps Team 2020-08-11 21:15:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16844

Comment 12 Mark Cooper 2020-08-11 22:23:43 UTC
External References:

https://istio.io/latest/news/security/istio-security-2020-009/

Comment 14 Mark Cooper 2020-08-11 23:26:46 UTC
Mitigation:

In regard to an AuthorizationPolicy for a TCP service, if using a DENY rule in the source principal (or namespace) field such as:
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    ...
    spec:
      action: DENY
      rules:
      - from:
        - source:
            principals:
            - "*/ns/servicemesh"

Consider using an exact or suffix match instead such as:
            - /foo/bar/ns/servicemesh

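As an added illustration (not part of this bug report and not Istio's or Envoy's code), the Go program below models the translation defect described in the Doc Text: a wildcard pattern in a DENY rule is meant to become an Envoy prefix or suffix string matcher, but the vulnerable translation drops the wildcard and emits an exact match, so a caller the rule should block passes through. `TranslateBuggy` is a hypothetical model of the bug's effect, not Istio's actual code path; the policy patterns and caller principals are constructed samples. The wildcard rules it applies (`*` alone, leading `*` is a suffix match, trailing `*` is a prefix match) are the ones documented for AuthorizationPolicy string fields. It also includes a small audit helper that lists the wildcard patterns in a DENY rule, which are the ones the mitigation above says to rewrite as exact matches.

```go
package main

import (
	"fmt"
	"strings"
)

// Matcher models an Envoy StringMatcher: one exact, prefix or suffix comparison.
type Matcher struct {
	Kind  string // "exact", "prefix" or "suffix"
	Value string
}

// Match reports whether the caller identity s satisfies the matcher.
func (m Matcher) Match(s string) bool {
	switch m.Kind {
	case "prefix":
		return strings.HasPrefix(s, m.Value)
	case "suffix":
		return strings.HasSuffix(s, m.Value)
	default:
		return s == m.Value
	}
}

// TranslateCorrect maps Istio's wildcard syntax to the intended matcher:
// "*" matches everything, a leading "*" is a suffix match, a trailing "*" is a
// prefix match, and anything else is an exact match.
func TranslateCorrect(pattern string) Matcher {
	switch {
	case pattern == "*":
		return Matcher{Kind: "prefix", Value: ""} // empty prefix matches any string
	case strings.HasPrefix(pattern, "*"):
		return Matcher{Kind: "suffix", Value: strings.TrimPrefix(pattern, "*")}
	case strings.HasSuffix(pattern, "*"):
		return Matcher{Kind: "prefix", Value: strings.TrimSuffix(pattern, "*")}
	default:
		return Matcher{Kind: "exact", Value: pattern}
	}
}

// TranslateBuggy is a hypothetical model of the defect in the advisory (not Istio's
// code): the wildcard is dropped and the remainder is emitted as an exact match.
func TranslateBuggy(pattern string) Matcher {
	return Matcher{Kind: "exact", Value: strings.Trim(pattern, "*")}
}

// Denied reports whether a DENY rule listing the given source patterns blocks
// caller once the patterns have gone through the supplied translation.
func Denied(patterns []string, translate func(string) Matcher, caller string) bool {
	for _, p := range patterns {
		if translate(p).Match(caller) {
			return true
		}
	}
	return false
}

// WildcardDenyPatterns is an audit helper: given one rule's action and its source
// principals and namespaces, it returns the patterns that rely on a wildcard in a
// DENY rule, i.e. the ones to rewrite as exact matches until the fix is deployed.
func WildcardDenyPatterns(action string, principals, namespaces []string) []string {
	var out []string
	if action != "DENY" {
		return out
	}
	for _, p := range append(append([]string{}, principals...), namespaces...) {
		if strings.Contains(p, "*") {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample: one DENY rule on a TCP workload and two callers.
	rule := []string{"cluster.local/ns/servicemesh/*"}
	callers := []string{
		"cluster.local/ns/servicemesh/sa/default", // the rule intends to deny this one
		"cluster.local/ns/other/sa/default",       // this one should be allowed
	}
	for _, c := range callers {
		fmt.Printf("%-42s intended=%-5v buggy=%v\n", c,
			Denied(rule, TranslateCorrect, c), Denied(rule, TranslateBuggy, c))
	}
	fmt.Println("wildcard DENY patterns to rewrite:",
		WildcardDenyPatterns("DENY", rule, []string{"*"}))
}
```

Run it with `go run`. The first caller is denied under the intended translation and allowed under the buggy one, which is the access-control bypass; the second caller is allowed either way, and an exact pattern behaves identically under both translations, matching the advisory's note that exact matching is unaffected. The audit helper cannot tell from the policy alone whether the selected workload serves TCP, since that depends on the workload's port protocol, so treat every wildcard DENY pattern it reports as suspect until Istio 1.5.9 or 1.6.8 is in place.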
