CVE-2026-47220
Status: Undergoing Analysis - In Progress
Envoy Proxy Crash Due to Missing Host Header

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in the log format and host-related options are specified, such as HOST_FIRST or SNI_FIRST, it is possible to crash Envoy when the specified host header is missing from the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
CVSS Scores: none published yet (record still under analysis)
EPSS Evaluated: N/A (no probability or percentile yet)
References: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor      Product  Version / Range
envoyproxy  envoy    From 1.37.0 (inc) to 1.37.5 (exc)
envoyproxy  envoy    From 1.38.0 (inc) to 1.38.3 (exc)
envoyproxy  envoy    From 1.37.0 (inc) to 1.39 (inc)

Note: the third range overlaps the first two and runs past the fixed releases. The description and the two bounded ranges put the fixes at 1.37.5 and 1.38.3, so treat 1.37.x below 1.37.5 and 1.38.x below 1.38.3 as affected, and check the Envoy release notes before relying on the broad range for any other version.
CWE
CWE-476  NULL Pointer Dereference: the product dereferences a pointer that it expects to be valid but is NULL.
Compliance Impact

The vulnerability is a denial of service: a request missing the expected host header crashes Envoy, so the impact is on availability.

Nothing in this record indicates any effect on confidentiality or integrity, which are the properties that data-protection regimes such as GDPR or HIPAA are mainly concerned with. On the available information this is an availability issue for the services fronted by Envoy, not a direct data-protection finding.

Executive Summary

Envoy 1.37.0 through 1.37.4 and 1.38.0 through 1.38.2 are affected when an access log format uses the `%REQUESTED_SERVER_NAME(X:Y)%` operator with one of the host-related fallback options such as `HOST_FIRST` or `SNI_FIRST`.

If a request arrives without the host header that option expects, the formatter dereferences a null header pointer (the record cites `x-envoy-original-host` and `:authority`) instead of treating the header as absent, and the Envoy process dies with a segmentation fault.

The bug was introduced by the change that added fallback options to `%REQUESTED_SERVER_NAME%` and is fixed in 1.37.5 and 1.38.3. Deployments that do not use those options in any log format are not affected.

Impact Analysis

No special crafting is needed: any client that can reach a listener whose access log uses the vulnerable operator can trigger the crash by sending a request that omits the host header the option falls back to.

The result is a denial of service for every service fronted by that Envoy instance until the process is restarted, and the request can simply be repeated after each restart.

No privileges or user interaction are required; the only preconditions are a vulnerable version and the vulnerable log-format configuration.

Detection Guidance

Detection has two parts: confirm exposure (a vulnerable version with `%REQUESTED_SERVER_NAME(X:Y)%` and a `HOST_FIRST` or `SNI_FIRST` option in any access log format), and watch for the symptom, which is the Envoy process dying and restarting.

There is a blind spot when looking for the triggering request in Envoy's own access log: the crash happens while that log line is being formatted, so the line for the crashing request is never written. Requests missing the host header show up as `-` in the `%REQ(:AUTHORITY)%` field only in logs produced by a sink that does not use the vulnerable operator, or on a patched instance.

  • Plain-text HTTP on the wire can be inspected directly, for example `tcpdump -i <interface> -A 'tcp port 80'`, reading each request block for a missing `Host:` line; this cannot see inside TLS on port 443, so for TLS listeners rely on Envoy's logs and restart signals instead.
  • Look for segmentation-fault messages from the supervisor (systemd journal, container runtime) or Envoy's own backtrace output on a fatal signal, and correlate them with the log-format configuration in use.
  • Through the admin interface, watch `server.uptime` on `/stats` (a drop back to a small value means the process restarted) and, on Kubernetes, the container restart count on the Envoy pods.
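The two log-side checks above, as an added example that is not part of this CVE record or of the Envoy project: it parses access log lines in Envoy's default text format (where an absent header is rendered as `-`), reports requests whose `:authority` field is empty, and flags restarts in a series of `server.uptime` samples scraped from `/stats`. The log lines and uptime samples are constructed for the example.

```python
"""Added example (not from the CVE record or the Envoy project): scan Envoy
access log lines in the default text format for requests whose
:authority / Host field is absent, and flag server.uptime resets that
indicate the process restarted.  Sample log lines and uptime samples are
constructed for this example."""
import re
from typing import List, NamedTuple, Optional, Sequence

# Envoy's default access log format; a header that was not present is
# rendered as "-", so the 13th quoted field is "-" when :authority is missing.
DEFAULT_FORMAT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<code>\d+|-) (?P<flags>\S+) (?P<rx>\d+) (?P<tx>\d+) (?P<dur>\d+|-) (?P<ust>\S+) '
    r'"(?P<xff>[^"]*)" "(?P<ua>[^"]*)" "(?P<reqid>[^"]*)" '
    r'"(?P<authority>[^"]*)" "(?P<upstream>[^"]*)"$'
)


class Finding(NamedTuple):
    timestamp: str
    client: str
    method: str
    path: str
    protocol: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a default-format line, or None if it does not match."""
    m = DEFAULT_FORMAT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_missing_authority(lines: Sequence[str]) -> List[Finding]:
    """Requests logged with no :authority/Host value ("-" in the field)."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f and f["authority"] in ("", "-"):
            out.append(Finding(f["ts"], f["xff"], f["method"], f["path"], f["proto"]))
    return out


def uptime_resets(samples: Sequence[int]) -> List[int]:
    """Indices in a series of server.uptime samples where the value went
    backwards, i.e. the process restarted between two scrapes."""
    return [i for i in range(1, len(samples)) if samples[i] < samples[i - 1]]


# Constructed sample data for the example: the HTTP/1.0 request has no Host.
SAMPLE_LOG = [
    '[2026-06-26T10:15:32.417Z] "GET /api/v1/items HTTP/1.1" 200 - 0 512 3 2 '
    '"10.0.0.5" "curl/8.5.0" "a1b2c3d4-0000-4000-8000-000000000001" "api.example.com" "10.1.2.3:8080"',
    '[2026-06-26T10:15:33.002Z] "GET / HTTP/1.0" 200 - 0 88 1 0 '
    '"203.0.113.9" "-" "a1b2c3d4-0000-4000-8000-000000000002" "-" "10.1.2.3:8080"',
    '[2026-06-26T10:15:33.120Z] "POST /login HTTP/1.1" 302 - 64 0 5 4 '
    '"198.51.100.7" "Mozilla/5.0" "a1b2c3d4-0000-4000-8000-000000000003" "www.example.com" "10.1.2.4:8080"',
]
# Constructed server.uptime scrapes, one per minute; the drop to 12 is a restart.
SAMPLE_UPTIME = [3600, 3660, 3720, 12, 72, 132]

if __name__ == "__main__":
    for hit in find_missing_authority(SAMPLE_LOG):
        print("missing authority:", hit)
    print("uptime resets at sample indices:", uptime_resets(SAMPLE_UPTIME))
```

Feed `find_missing_authority` the lines from a sink that does not use the vulnerable operator (or from a patched instance) and `uptime_resets` the `server.uptime` values from periodic `/stats` scrapes; a restart that coincides with a burst of host-less requests elsewhere in the fleet is the pattern to escalate.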
Mitigation Strategies

Upgrade to Envoy 1.37.5 or 1.38.3 (or a later release in those lines); that is the only complete fix.

Until then, the quickest and most reliable workaround is in Envoy's own configuration: remove `%REQUESTED_SERVER_NAME(X:Y)%` with `HOST_FIRST` or `SNI_FIRST` options from every access log format, or log the SNI and the authority as separate operators (`%REQUESTED_SERVER_NAME%` and `%REQ(:AUTHORITY)%`); the record only implicates the host-related options. Check every log sink, including listener-level and route-level loggers, not just the main file logger.

Filtering at the network perimeter is a weaker fallback: a packet filter cannot see HTTP headers inside TLS, so rejecting requests without a host header has to be done by something that terminates TLS in front of Envoy, such as a WAF or another proxy. If Envoy is itself the TLS endpoint, the configuration change above is the practical option.
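A scanner for the configuration workaround, as an added example that is not part of this CVE record or of the Envoy project: it walks an Envoy configuration and reports every `%REQUESTED_SERVER_NAME(...)%` operator whose arguments name a host-related option. The sample configuration is constructed for the example, and the argument text inside the parentheses is written the way the advisory describes it (`X:Y` with `HOST_FIRST` / `SNI_FIRST`); that exact syntax is an assumption, which is why the scanner only looks for the option names inside the parentheses, whatever the separator.

```python
"""Added example (not from the CVE record or the Envoy project): scan an
Envoy configuration for access log format strings that use the
%REQUESTED_SERVER_NAME(...)% operator with a host-related option.  The
sample configuration is constructed for this example, and the exact
argument syntax inside the parentheses is an assumption taken from the
advisory wording (X:Y with HOST_FIRST / SNI_FIRST); the scanner only
looks for those option names inside the parentheses, whatever the
separator."""
import re
from typing import List, NamedTuple

HOST_OPTIONS = ("HOST_FIRST", "SNI_FIRST")

# Any %REQUESTED_SERVER_NAME(...)% occurrence, capturing the argument text.
# The bare %REQUESTED_SERVER_NAME% operator has no arguments and is not matched.
OPERATOR_RE = re.compile(r"%REQUESTED_SERVER_NAME\(([^)]*)\)%")


class Hit(NamedTuple):
    line_no: int
    operator: str
    options: List[str]
    risky: bool


def audit_log_formats(config_text: str) -> List[Hit]:
    """Return every REQUESTED_SERVER_NAME operator that carries arguments,
    marking the ones that name a host-related option and so reach the
    crash path on a vulnerable version."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for m in OPERATOR_RE.finditer(line):
            args = m.group(1)
            opts = [o for o in HOST_OPTIONS if o in args]
            hits.append(Hit(no, m.group(0), opts, bool(opts)))
    return hits


# Constructed sample: the first logger uses the vulnerable operator, the
# second logs SNI and :authority as separate operators and is not affected.
SAMPLE_CONFIG = """\
static_resources:
  listeners:
  - name: https
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          access_log:
          - name: envoy.access_loggers.file
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              path: /dev/stdout
              log_format:
                text_format_source:
                  inline_string: "[%START_TIME%] %REQUESTED_SERVER_NAME(HOST_FIRST:SNI_FIRST)% %REQ(:METHOD)% %REQ(:PATH)%\\n"
          - name: envoy.access_loggers.file
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              path: /var/log/envoy/audit.log
              log_format:
                text_format_source:
                  inline_string: "[%START_TIME%] %REQUESTED_SERVER_NAME% %REQ(:AUTHORITY)% %REQ(:METHOD)%\\n"
"""

if __name__ == "__main__":
    for h in audit_log_formats(SAMPLE_CONFIG):
        state = "RISKY" if h.risky else "ok"
        print(f"line {h.line_no}: {h.operator} -> {state} {h.options}")
```

Run it over every file that can carry an access log format, including xDS snapshots and per-route overrides pushed by a control plane, since a single remaining risky sink on a vulnerable version is enough to keep the crash reachable.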
