CVE-2021-39155

Authorization Policy Bypass Due to Case Insensitive Host Comparison

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.

Istio es una plataforma de código abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tráfico entre microservicios, aplicar políticas y agregar datos de telemetría. Según [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), la política de autorización de Istio debería comparar el nombre de host en el encabezado HTTP Host de forma no sensible a mayúsculas y minúsculas, pero actualmente la comparación es sensible a mayúsculas y minúsculas. El proxy enrutará el nombre de host de la petición de forma no sensible a mayúsculas y minúsculas, lo que significa que la política de autorización podría ser omitida. Por ejemplo, el usuario puede tener una política de autorización que rechace peticiones con el nombre de host "httpbin.foo" para algunas IPs de origen, pero el atacante puede omitir esto mediante el envío de la petición con el nombre de host "Httpbin.Foo". Los parches están disponibles en Istio versión 1.11.1, Istio versión 1.10.4 e Istio versión 1.9.8. Como solución, puede escribirse un filtro Lua para normalizar el encabezado Host antes de la comprobación de la autorización. Esto es similar a la normalización de la Ruta presentada en la guía [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization).

An authorization bypass vulnerability was found in istio/istio. The case insensitive host comparison incorrectly works when evaluating rules specified with `host` or `notHost`. This flaw allows an attacker to bypass an Istio authorization policy that uses hosts in the rules, potentially gaining access to the downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-16 CVE Reserved
2021-08-24 CVE Published
2024-05-09 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-178: Improper Handling of Case Sensitivity
CWE-863: Incorrect Authorization

CAPEC

References (4)

URL	Tag	Source
https://datatracker.ietf.org/doc/html/rfc4343	Third Party Advisory
https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-39155	2021-08-25
https://bugzilla.redhat.com/show_bug.cgi?id=1996929	2021-08-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Istio Search vendor "Istio"		Istio Search vendor "Istio" for product "Istio"				< 1.9.8 Search vendor "Istio" for product "Istio" and version " < 1.9.8"		-		Affected
Istio Search vendor "Istio"		Istio Search vendor "Istio" for product "Istio"				>= 1.10.0 < 1.10.4 Search vendor "Istio" for product "Istio" and version " >= 1.10.0 < 1.10.4"		-		Affected
Istio Search vendor "Istio"		Istio Search vendor "Istio" for product "Istio"				>= 1.11.0 < 1.11.1 Search vendor "Istio" for product "Istio" and version " >= 1.11.0 < 1.11.1"		-		Affected