// For flags

CVE-2022-21657

X.509 Extended Key Usage and Trust Purposes bypass in Envoy

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.

Envoy es un proxy de borde y servicio de código abierto, diseñado para aplicaciones nativas de la nube. En las versiones afectadas, Envoy no restringe el conjunto de certificados que acepta del par, ya sea como cliente TLS o como servidor TLS, a sólo aquellos certificados que contienen el extendedKeyUsage necesario (id-kp-serverAuth e id-kp-clientAuth, respectivamente). Esto significa que un par puede presentar un certificado de correo electrónico (por ejemplo, id-kp-emailProtection), ya sea como certificado de hoja o como CA en la cadena, y será aceptado para TLS. Esto es particularmente malo cuando es combinado con el problema descrito en la petición #630, en el sentido de que permite que una CA de PKI de la Web que está destinada sólo a ser usada con S/MIME, y por lo tanto exenta de auditoría o supervisión, emita certificados TLS que serán aceptados por Envoy. En consecuencia, Envoy confiará en certificados de origen que no deberían ser confiables. No se conocen medidas de mitigación a este problema. Es recomendado a usuarios actualizar

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2022-02-22 CVE Published
  • 2023-09-15 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
< 1.18.6
Search vendor "Envoyproxy" for product "Envoy" and version " < 1.18.6"
-
Affected
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
>= 1.19.0 < 1.19.3
Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.19.0 < 1.19.3"
-
Affected
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
>= 1.20.0 < 1.20.2
Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.20.0 < 1.20.2"
-
Affected