CVE-2020-15104

TLS Validation Vulnerability in Envoy

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0.

En Envoy versiones anteriores a 1.12.6, 1.13.4, 1.14.4 y 1.15.0, cuando se comprueban los certificados TLS, Envoy permitiría incorrectamente aplicar un DNS Subject Alternative Name comodín a múltiples subdominios. Por ejemplo, con una SAN de *.example.com, Envoy permitiría incorrectamente el nested.subdomain.example.com, cuando solo debería permitir el subdomain.example.com. Este fallo aplica para ambos comprobaciones de un certificado TLS del cliente en mTLS y a la comprobación de un certificado TLS del servidor para conexiones anteriores. Esta vulnerabilidad solo es aplicable a situaciones en las que una entidad no confiable puede obtener un certificado TLS comodín firmado para un dominio en el que solo desea confiar en un subdominio. Por ejemplo, si tiene la intención de confiar en api.mysubdomain.example.com, y un actor no confiable puede obtener un certificado TLS firmado para *.example.com o *.com. Las configuraciones son vulnerables si usan verify_subject_alt_name en cualquier versión de Envoy, o si usan match_subject_alt_names en la versión 1.14 o posteriores. Este problema ha sido corregido en las versiones de Envoy 1.12.6, 1.13.4, 1.14.4, 1.15.0

An improper certificate validation vulnerability was found in envoyproxy/envoy, when externally created certificates with wildcards in the DNS Subject Alternative Name are used. This flaw allows an attacker to subvert the envoy filter or destination rules to access restricted resources. The highest threat from this vulnerability is to confidentiality.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-07-14 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-346: Origin Validation Error

CAPEC

References (3)

URL	Tag	Source
https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5f5-6qhq-hhrg	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-15104	2020-07-22
https://bugzilla.redhat.com/show_bug.cgi?id=1856232	2020-07-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				< 1.12.6 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.12.6"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.13.0 < 1.13.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.13.0 < 1.13.4"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.14.0 < 1.14.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.14.0 < 1.14.4"		-		Affected