#VU86324 Improper Authentication in envoy - CVE-2024-23324

Cybersecurity Help s.r.o.

Published: 2024-02-12

Vulnerability identifier: #VU86324

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-23324

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
envoy
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Cloud Native Computing Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an authentication bypass when proxy protocol filter sets invalid UTF-8 metadata. A remote attacker can bypass external authentication by downstream connections that use PROXY protocol.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

envoy: 1.0.0, 1.1.0 - 1.19.5, 1.2.0 - 1.29.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0 - 1.7.1, 1.8.0, 1.9.0 - 1.9.1

External links
https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6
https://github.com/envoyproxy/envoy/commit/29989f6cc8bfd8cd2ffcb7c42711eb02c7a5168a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for HashiCorp Consul

Amazon Linux AMI update for ecs-service-connect-agent

Multiple vulnerabilities in HashiCorp Consul

Multiple vulnerabilities in Istio

Multiple vulnerabilities in Envoy