Learn about CVE-2023-35941, a high-severity vulnerability in Envoy impacting versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12. Understand the impact, technical details, and mitigation steps.
A high-severity vulnerability in Envoy's OAuth2 filter allows a malicious client to construct OAuth2 credentials with permanent validity. It affects versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Understanding CVE-2023-35941
Envoy is an open-source edge and service proxy designed for cloud-native applications. The vulnerability lies in its OAuth2 HTTP filter and, in certain scenarios, lets a client construct credentials that never expire.
What is CVE-2023-35941?
Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client can craft credentials with permanent validity because, in specific scenarios, the HMAC payload that the OAuth2 filter checks can remain valid indefinitely.
The Impact of CVE-2023-35941
This vulnerability is rated high severity. A credential that never expires lets a client keep access after the session it was issued for should have ended, so the impact is primarily to confidentiality: unauthorized access to the resources the OAuth2 filter is meant to protect.
Technical Details of CVE-2023-35941
The vulnerability description, affected systems and versions, and the exploitation mechanism are detailed below.
Vulnerability Description
The vulnerability allows a malicious client to create credentials with permanent validity because, in specific scenarios, the OAuth2 filter's HMAC payload validation accepts the payload indefinitely.
Affected Systems and Versions
Versions of Envoy prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 are affected. Those releases, and later releases on each branch, contain the fix.
Exploitation Mechanism
A malicious client presents credentials that pass the OAuth2 filter's HMAC validation check indefinitely; the exact conditions under which this is possible are described by the advisory only as specific scenarios, and the workaround below targets the configuration that enables them.
Mitigation and Prevention
Understanding the immediate steps to take and the long-term security practices is crucial to safeguard against CVE-2023-35941.
Immediate Steps to Take
Until the upgrade can be applied, the advisory's workaround is to avoid wildcards and prefix domain wildcards in the host's domain configuration. This is a workaround, not a fix; upgrading remains necessary.
Long-Term Security Practices
Track Envoy security advisories, apply patch releases promptly, and audit the OAuth2 filter and virtual host configuration regularly so that workarounds such as the one above are not left in place indefinitely.
Patching and Updates
Update Envoy to 1.27.0 or later, or to the patched release of the branch in use (1.26.4, 1.25.9, 1.24.10, or 1.23.12) or later, to eliminate the vulnerability.
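The two checks a practitioner would run against a deployment, covering both the affected-version list above and the wildcard-domain workaround, as an added example written for this page and not code from the Envoy project. It assumes that `envoy --version` prints `<git-sha>/<major.minor.patch>/...` (a constructed sample is embedded below), and it interprets "the host's domain configuration" as the `domains` list of a virtual host in Envoy's RouteConfiguration, which is an assumption; the route configuration is a constructed dict mirroring that YAML.

```python
import re
from typing import List, Optional, Tuple

# First fixed release on each branch, per the advisory. Anything older on the same
# branch is affected; branches older than 1.23 never received a fix.
FIXED_PATCH = {(1, 27): 0, (1, 26): 4, (1, 25): 9, (1, 24): 10, (1, 23): 12}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_envoy_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of `envoy --version` output.

    Assumed format: 'envoy  version: <git-sha>/1.26.3/Clean/RELEASE/BoringSSL'.
    A bare '1.26.3' also works. The git sha is hex, so it never matches the regex.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if this release predates the fix for CVE-2023-35941."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Branches older than 1.23 are all affected; branches newer than 1.27 were cut after the fix.
    return branch < (1, 23)


def wildcard_domains(route_config: dict) -> List[Tuple[str, str]]:
    """List (virtual_host_name, domain) entries that rely on Envoy wildcard matching.

    Envoy virtual host `domains` accept an exact host, the catch-all '*', a suffix
    wildcard '*.example.com' and a prefix wildcard 'example.*'. All three are flagged,
    since the advisory's workaround is to avoid wildcard matching while unpatched.
    """
    findings = []
    for vh in route_config.get("virtual_hosts", []):
        for domain in vh.get("domains", []):
            if "*" in domain:
                findings.append((vh.get("name", "<unnamed>"), domain))
    return findings


# Constructed sample RouteConfiguration (dict form of the YAML). The first virtual host
# uses the wildcard shapes the workaround tells you to avoid; the second pins exact hosts.
SAMPLE_ROUTE_CONFIG = {
    "name": "local_route",
    "virtual_hosts": [
        {"name": "oauth_app_wildcard", "domains": ["*", "*.example.com"], "routes": []},
        {"name": "oauth_app_pinned", "domains": ["app.example.com", "app.example.com:443"], "routes": []},
    ],
}

# Constructed `envoy --version` line; the sha is a placeholder.
SAMPLE_VERSION_OUTPUT = (
    "envoy  version: 0000000000000000000000000000000000000000/1.26.3/Clean/RELEASE/BoringSSL"
)

if __name__ == "__main__":
    v = parse_envoy_version(SAMPLE_VERSION_OUTPUT)
    print(f"version {v}: {'AFFECTED' if v and is_affected(v) else 'fixed'}")
    for name, domain in wildcard_domains(SAMPLE_ROUTE_CONFIG):
        print(f"virtual host {name!r} uses wildcard domain {domain!r}")
```

In practice you would feed `parse_envoy_version` the real `envoy --version` output and `wildcard_domains` the `route_config` block from each listener's HTTP connection manager; a virtual host that is both fronted by the OAuth2 filter and flagged here is the one to pin to exact hostnames until the upgrade lands.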