CVE-2024-32475

Envoy RELEASE_ASSERT using auto_sni with :authority header > 255 bytes

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.

Envoy es un proxy de servicio y borde de código abierto, nativo de la nube. Cuando se utiliza un clúster TLS ascendente con `auto_sni` habilitado, una solicitud que contiene un encabezado `host`/`:authority` de más de 255 caracteres desencadena una terminación anormal del proceso de Envoy. Envoy no maneja correctamente un error al configurar SNI para la conexión TLS saliente. El error puede ocurrir cuando Envoy intenta usar el valor del encabezado `host`/`:authority` de más de 255 caracteres como SNI para la conexión TLS saliente. La longitud del SNI está limitada a 255 caracteres según el estándar. Envoy siempre espera que esta operación tenga éxito y aborta el proceso de forma anormal cuando falla. Esta vulnerabilidad se solucionó en 1.30.1, 1.29.4, 1.28.3 y 1.27.5.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-12 CVE Reserved
2024-04-18 CVE Published
2024-04-19 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-253: Incorrect Check of Function Return Value
CWE-617: Reachable Assertion

CAPEC

References (2)

URL	Tag	Source
https://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382	X_refsource_misc
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.30.0 < 11.30.1 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.30.0 < 11.30.1"		en		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.29.0 < 1.29.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.29.0 < 1.29.4"		en		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.28.0 < 1.28.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.28.0 < 1.28.3"		en		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.13.0 < 1.27.5 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.13.0 < 1.27.5"		en		Affected