Executive Summary

This vulnerability exists in the OAuth2 HTTP filter of Envoy Proxy versions 1.35 to 1.38. It arises because the encrypt() and decrypt() functions use AES-256-CBC encryption without any authentication mechanism such as HMAC or AEAD. The /callback endpoint responds differently depending on whether decryption succeeds or fails (HTTP 302 on success, HTTP 401 on padding failure), which creates a padding oracle.

An attacker who intercepts the encrypted CodeVerifier cookie can exploit this padding oracle by sending about 6,200 crafted requests to decrypt the cookie and recover the plaintext PKCE code_verifier. With this code_verifier and a stolen authorization code, the attacker can obtain the victim's access token.

The vulnerability is fixed in Envoy versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 by replacing AES-256-CBC with AES-256-GCM (which provides authenticated encryption) and by ensuring uniform error responses to prevent information leakage.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to decrypt sensitive cookies (CodeVerifier) used in OAuth2 authentication flows. By recovering the plaintext PKCE code_verifier and combining it with a stolen authorization code, the attacker can obtain the victim's access token.

With the victim's access token, the attacker can impersonate the victim and gain unauthorized access to protected resources or services, potentially leading to data breaches or unauthorized actions within the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the /callback endpoint of the Envoy OAuth2 HTTP filter for differing HTTP status codes in response to encrypted CodeVerifier cookie requests. Specifically, the endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, which indicates the presence of the padding oracle.

To detect exploitation attempts, you can look for unusual patterns of approximately 6,200 requests targeting the /callback endpoint with varying encrypted cookies.

While no specific commands are provided in the resources, network monitoring tools like tcpdump or Wireshark can be used to capture traffic to the /callback endpoint. Additionally, web server logs can be analyzed for repeated 302 and 401 responses from this endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Envoy Proxy to one of the fixed versions: 1.35.11, 1.36.7, 1.37.3, or 1.38.1, where the vulnerability has been addressed.

The fix involves replacing the AES-256-CBC encryption with AES-256-GCM, which provides authenticated encryption, and ensuring that the /callback endpoint returns uniform error responses to prevent information leakage.

Until the upgrade can be applied, monitor and restrict access to the /callback endpoint to reduce the risk of exploitation.

Useful 0 Not Useful 0