Description
Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allow authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be accessed only after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
An unauthorized access vulnerability was found in Istio in the servicemesh-proxy. An attacker can use this flaw to specify an HTTP path and gain unauthorized access, even if the path is configured to only be accessed with a valid JSON Web Token (JWT).
Mitigations
Depending on the paths used in the exact-match clause, it is possible to replace the exact path with a regex. The following mitigation, as provided by the Istio Product Security Committee, can be employed. The original policy specifying a JWT-protected path is as follows:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - exact: /productpage

The exact path definition can then be updated to a regular expression (note that the question mark must be escaped so it is matched literally rather than read as a quantifier):

  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - regex: '/productpage(\?.*)?'
        - regex: '/productpage(#.*)?'
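As an added illustration (not part of the original advisory and not Istio's own code), the following Python script mimics the two trigger-rule styles shown above over a few constructed request paths, so a reviewer can see which variants an exact-path rule leaves unprotected and confirm the regex rule covers them. It also checks that a mitigation regex actually compiles, which catches the unescaped `(?.*)?` form. It assumes full-string (anchored) regex matching, as Istio's regex path matcher performs, and uses Python's `re` module rather than the RE2 engine Istio uses; the sample paths are constructed for this example.

```python
import re

# Trigger-rule path from the original (vulnerable) policy on this page.
EXACT_PATHS = ["/productpage"]

# Mitigation regexes from this page, with '?' escaped so it is a literal
# question mark rather than a quantifier.
MITIGATION_REGEXES = [r"/productpage(\?.*)?", r"/productpage(#.*)?"]

# Constructed request paths: the canonical path plus the two variants the
# advisory describes (a query string or a fragment appended to the path).
SAMPLE_PATHS = [
    "/productpage",
    "/productpage?x=1",
    "/productpage#top",
]


def exact_requires_jwt(path, exact_paths=EXACT_PATHS):
    """Mimic the flawed exact-path rule: the JWT check is triggered only
    when the raw request path is byte-for-byte identical to the rule."""
    return path in exact_paths


def regex_requires_jwt(path, patterns=MITIGATION_REGEXES):
    """Mimic the regex rule with full-string matching (assumed to be the
    anchored behaviour of Istio's regex path matcher)."""
    return any(re.fullmatch(p, path) is not None for p in patterns)


def audit(paths=SAMPLE_PATHS):
    """Return {path: (exact_rule_triggers, regex_rule_triggers)} so the
    gap between the two rule styles is visible per request path."""
    return {p: (exact_requires_jwt(p), regex_requires_jwt(p)) for p in paths}


def pattern_is_valid(pattern):
    """True if the pattern compiles. The unescaped '/productpage(?.*)?'
    is rejected because '(?.' is not a valid group prefix."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for path, (exact_hit, regex_hit) in audit().items():
        print(f"{path:20s} exact-rule JWT check: {exact_hit!s:5s}  "
              f"regex-rule JWT check: {regex_hit}")
    for pat in MITIGATION_REGEXES + ["/productpage(?.*)?"]:
        print(f"{pat!r} compiles: {pattern_is_valid(pat)}")
```

Running it shows the exact rule triggering only for `/productpage`, while both appended variants are caught by the regex rule; the unescaped pattern fails to compile, which is the same class of error Istio's RE2-based matcher would raise, so a policy that ships it would not provide the intended protection.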
Additional information
Status:
CVSS3: 7.3 High
Related vulnerabilities
Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allow authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be accessed only after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
Istio 1.3 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be accessed only after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
A vulnerability in the Istio network software, related to authentication errors, that allows an attacker to affect the confidentiality, integrity and availability of protected information.
CVSS3: 7.3 High