
Listener Filter Timeout DoS

High
mattklein123 published GHSA-3xvf-4396-cj46 Nov 9, 2019

Package

No package listed

Affected versions

v1.12.0

Patched versions

v1.12.1

Description

Vulnerability type

CWE-834: Excessive Iteration

Attack type

Remote

Impact

Denial of Service

Affected component(s)

Listener filters

Attack vector(s)

An attacker can open a TCP connection to a listener configured with continue_on_listener_filters_timeout set to true, wait for Envoy to hit the listener filters timeout, and from then on burn one CPU core on the worker thread that owns the connection.

Discoverer(s)/Credits

Yuchen Dai, Google

References

Initial GitHub Issue: istio/istio#18229

Description (brief; included in CVE)

When serving an idle TCP connection, Envoy with certain listener filter configurations ends up watching for the socket's writable event with level triggering. If the corresponding network filter chain, most commonly the HTTP connection manager, then has nothing to write, the worker thread enters an infinite busy loop. A remote attacker only needs to maintain one idle connection to consume up to one CPU core on the Envoy server.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High)

Description (full; not included in CVE but will be published on GitHub later and linked)

Envoy may register two sets of interested socket events for the same connection, one while running the listener filter chain and one for the network filter chain. In the scenario above Envoy ends up interested in the write event with level triggering but with no data to write. Because the idle socket stays writable, every wait returns at once, and the worker thread consumes excessive CPU in an endless series of immediately returning syscalls.
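The following is an added illustration of that mechanism, not Envoy code and not part of the advisory. It registers one end of an idle socket pair with epoll and shows that a level-triggered EPOLLOUT interest reports the socket ready on every single epoll_wait (the state the vulnerable worker was stuck in), while an edge-triggered interest reports it once at registration and then blocks for the full timeout. The socket pair, iteration counts and the 0.5 s timeout are assumptions of the demo; it requires Linux for select.epoll.

```python
"""Level- vs edge-triggered EPOLLOUT on an idle socket (added example).

A connected socket whose send buffer is empty is permanently *writable*,
so a level-triggered EPOLLOUT registration makes every epoll_wait return
immediately even though there is nothing to write. That is the busy loop
described in CVE-2019-18836. An edge-triggered registration reports the
writable state once and then stays quiet until something actually changes.
"""
import select
import socket
import time


def _idle_registration(flags: int):
    """Create an idle socketpair (nothing is ever sent on it) and register
    the left end with the given epoll flags. Returns (epoll, left, right)."""
    left, right = socket.socketpair()
    ep = select.epoll()
    ep.register(left.fileno(), flags)
    return ep, left, right


def ready_events(flags: int, iterations: int = 1000) -> int:
    """Count how many of `iterations` zero-timeout epoll_wait calls report
    the idle socket as ready under `flags`."""
    ep, left, right = _idle_registration(flags)
    try:
        hits = 0
        for _ in range(iterations):
            if ep.poll(0.0):  # timeout 0: an "immediate return" shows up as a hit
                hits += 1
        return hits
    finally:
        ep.close()
        left.close()
        right.close()


def wait_seconds(flags: int, timeout: float = 0.5) -> float:
    """Consume the readiness reported at registration with one zero-timeout
    poll, then measure how long a *blocking* epoll_wait with `timeout` takes.
    Level-triggered: returns at once. Edge-triggered: blocks for the timeout."""
    ep, left, right = _idle_registration(flags)
    try:
        ep.poll(0.0)
        start = time.monotonic()
        ep.poll(timeout)
        return time.monotonic() - start
    finally:
        ep.close()
        left.close()
        right.close()


def level_triggered_hits(iterations: int = 1000) -> int:
    """What the vulnerable Envoy worker saw: writable interest, no data to write."""
    return ready_events(select.EPOLLOUT, iterations)


def edge_triggered_hits(iterations: int = 1000) -> int:
    """Edge-triggered variant: readiness is reported once, then never again."""
    return ready_events(select.EPOLLOUT | select.EPOLLET, iterations)


def level_wait_seconds(timeout: float = 0.5) -> float:
    return wait_seconds(select.EPOLLOUT, timeout)


def edge_wait_seconds(timeout: float = 0.5) -> float:
    return wait_seconds(select.EPOLLOUT | select.EPOLLET, timeout)


if __name__ == "__main__":
    n = 1000
    print(f"level-triggered EPOLLOUT: {level_triggered_hits(n)}/{n} immediate returns")
    print(f"edge-triggered  EPOLLOUT: {edge_triggered_hits(n)}/{n} immediate returns")
    print(f"blocking wait, level-triggered: {level_wait_seconds():.3f}s")
    print(f"blocking wait, edge-triggered:  {edge_wait_seconds():.3f}s")
```

A dispatcher that loops on epoll_wait with the level-triggered registration never sleeps: each call returns instantly, the handler finds nothing to write, and the loop repeats, which is exactly the one-core burn the advisory describes.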

Proof-of-Concept Exploit:

Run Envoy with a config that has the tls_inspector listener filter, listenerFiltersTimeout set, continueOnListenerFiltersTimeout true, and a match-all http_connection_manager filter chain.
Run nc <envoy_address> <envoy_port> and keep the connection idle for no shorter than listenerFiltersTimeout.

Mitigation

Set continueOnListenerFiltersTimeout to false (its default), or upgrade to v1.12.1.
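The listener below is an added example, not a configuration from the advisory or from the Envoy project. It carries the four ingredients of the proof of concept above (tls_inspector, listener_filters_timeout, continue_on_listener_filters_timeout, a match-all http_connection_manager) in the v2 API format of the v1.12 line, with the vulnerable setting and its mitigation marked inline. The listener port, the 1s timeout and the upstream address are assumptions.

```yaml
# Added example config (v1.12-era v2 API), not Envoy's or the advisory's own.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    # Bounded wait for listener filters (tls_inspector) to finish inspecting
    # the first bytes of a connection. An idle connection never sends any.
    listener_filters_timeout: 1s
    # The vulnerable knob: true hands the still-idle connection to the network
    # filter chain after the timeout. On v1.12.0 that is the CVE-2019-18836
    # busy loop. Mitigation: set it to false (the default) or run v1.12.1+.
    continue_on_listener_filters_timeout: true
    listener_filters:
    - name: envoy.listener.tls_inspector
    filter_chains:
    # No filter_chain_match: every connection lands on this chain.
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: upstream }
          http_filters:
          - name: envoy.router
  clusters:
  - name: upstream
    connect_timeout: 1s
    type: STATIC
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
admin:
  access_log_path: /dev/null
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }
```

With continue_on_listener_filters_timeout left at true on v1.12.0, an `nc <envoy_address> 10000` that sends nothing will, after the 1s timeout, pin one worker thread; changing that single line to false (or omitting it) closes the connection at the timeout instead.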

Detection

Excessive CPU consumption on a particular worker thread.
Significantly high %CPU in sys (kernel) time.
strace -c -f -p <envoy_pid> shows a very high number of epoll_wait calls that return immediately.
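The script below is an added triage helper, not part of the advisory. It parses the summary table that `strace -c` prints (to stderr, when strace exits) and applies the detection test above: a worker is flagged when nearly all of its syscalls are epoll_wait calls costing roughly zero microseconds each, which is what "returns immediately" looks like in that table. Both sample tables are constructed, not captures from a real host, and the 90% share and 1 us thresholds are assumptions to tune for your own baseline.

```python
"""Triage helper for the CVE-2019-18836 busy loop from `strace -c` output.

Added example; not the advisory's or Envoy's code. Workflow it supports:
  top -H -p <envoy_pid>                     # find the pinned worker thread
  timeout 5 strace -c -f -p <tid_or_pid>   # summary lands on stderr at exit
and feed that summary to looks_like_busy_loop().
"""
import re

# Constructed `strace -c` summary resembling a spinning worker: almost every
# syscall is an epoll_wait that costs ~0 us, i.e. returns immediately.
SAMPLE_BUSY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.12    0.812345           0   4123456           epoll_wait
  0.50    0.004100          41       100           write
  0.38    0.003100          31       100        12 read
------ ----------- ----------- --------- --------- ----------------
100.00    0.819545               4123656        12 total
"""

# Constructed summary of a healthy, mostly idle worker: few epoll_wait calls,
# each of them blocking for a long time.
SAMPLE_HEALTHY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 97.80    4.890000       97800        50           epoll_wait
  1.20    0.060000          60      1000           write
  1.00    0.050000          50      1000         8 read
------ ----------- ----------- --------- --------- ----------------
100.00    5.000000                2050         8 total
"""

_DATA_ROW = re.compile(r"^\s*\d")


def parse_strace_summary(text: str) -> dict:
    """Map syscall name -> (calls, usecs_per_call).

    The errors column is blank when it is zero, so a data row has 5 or 6
    whitespace-separated fields; usecs/call is always the 3rd, calls the
    4th and the syscall name the last. Header, rule and total rows are skipped.
    """
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not _DATA_ROW.match(line) or parts[-1] == "total":
            continue
        rows[parts[-1]] = (int(parts[3]), int(parts[2]))
    return rows


def epoll_share_and_cost(text: str) -> tuple:
    """Return (fraction of all syscalls that were epoll_wait, usecs per epoll_wait)."""
    rows = parse_strace_summary(text)
    total = sum(calls for calls, _ in rows.values())
    calls, usecs = rows.get("epoll_wait", (0, 0))
    share = calls / total if total else 0.0
    return share, usecs


def looks_like_busy_loop(text: str, min_share: float = 0.9, max_usecs: int = 1) -> bool:
    """The advisory's signal: epoll_wait dominates the call count and each
    call returns essentially at once (assumed thresholds: 90% share, <=1 us)."""
    share, usecs = epoll_share_and_cost(text)
    return share >= min_share and usecs <= max_usecs


if __name__ == "__main__":
    for label, sample in (("suspect worker", SAMPLE_BUSY), ("healthy worker", SAMPLE_HEALTHY)):
        share, usecs = epoll_share_and_cost(sample)
        verdict = "BUSY LOOP" if looks_like_busy_loop(sample) else "ok"
        print(f"{label}: epoll_wait share={share:.3%} usecs/call={usecs} -> {verdict}")
```

A healthy but busy proxy also makes many epoll_wait calls, so the share alone is not enough; the combination with a near-zero per-call cost (and, per the advisory, high sys time on one thread) is what separates the spin from legitimate load.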

Severity

High

CVE ID

CVE-2019-18836

Weaknesses

No CWEs