A severe authentication bypass vulnerability discovered by Aspen Mesh in the open source Istio service mesh software has been remedied, and users are urged to update their working deployments as soon as possible.
Aspen Mesh software engineer Ryan Sutton first noticed the issue while working on some authentication features for the company’s commercial service mesh package built on Istio. He brought it to the attention of Aspen Mesh engineering lead and architect, Neeraj Poddar, who developed the fix and alerted the Istio development community.
The vulnerability, CVE-2020-8595, found in Istio’s authentication policy, allows unauthorized access to HTTP paths without presenting a valid JSON Web Token (JWT). An attacker could gain entry to a secured path simply by appending a “?” or “#” to the path.
If left unpatched, an attacker could use this vulnerability to access protected resources. For instance, an organization using Istio to enforce authorization at the ingress point of a database — so applications don’t have to do it themselves — would be vulnerable, Poddar said.
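To make the mechanism concrete, here is an added Python illustration (not Istio’s or Aspen Mesh’s code, and not the actual Istio fix) of why an exact-path JWT requirement evaluated against the raw request-target misses the “?” and “#” variants the article describes, alongside a matcher that normalizes the path first. The protected-path list and the sample request-targets are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed illustration of the path-matching defect described above.
# A JWT requirement keyed on exact HTTP paths is skipped when the matcher
# compares the raw request-target (which may carry "?" or "#") instead of
# the path component alone. Not Istio's code; the policy below is hypothetical.

PROTECTED_PATHS = {"/admin", "/api/secrets"}  # hypothetical policy


def requires_jwt_raw(request_target: str) -> bool:
    """Vulnerable pattern: exact match on the raw request-target string."""
    return request_target in PROTECTED_PATHS


def requires_jwt_normalized(request_target: str) -> bool:
    """Hardened pattern: strip query and fragment, then match the path."""
    path = urlsplit(request_target).path
    return path in PROTECTED_PATHS


def unprotected_variants(matcher, request_targets):
    """Return targets whose path is protected but for which `matcher`
    would not demand a JWT, i.e. the bypasses a reviewer wants to find."""
    return [
        t for t in request_targets
        if urlsplit(t).path in PROTECTED_PATHS and not matcher(t)
    ]


# Constructed sample of request-targets a reviewer would try against the policy.
SAMPLE_TARGETS = [
    "/admin",
    "/admin?",
    "/admin#",
    "/admin?x=1",
    "/api/secrets#frag",
    "/public",
]

if __name__ == "__main__":
    print("raw matcher misses:", unprotected_variants(requires_jwt_raw, SAMPLE_TARGETS))
    print("normalized matcher misses:", unprotected_variants(requires_jwt_normalized, SAMPLE_TARGETS))
```

Running the block shows the raw matcher letting every “?”/“#” variant of a protected path through while the normalized matcher misses none; the same kind of variant sweep is a cheap regression check to keep in a policy test suite after patching.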
Time to Repair
Istio has a set of “early disclosure” procedures in place in which the major stakeholders are alerted to the vulnerability before it goes public. Anytime a major vulnerability is found, vendors participating in the Istio development process are given a two-week notice before the fix is issued publicly. Overall, it took about two weeks to get Istio major stakeholders to sign off on Aspen Mesh’s fix before it could be submitted as a pull request, whereupon the two-week early disclosure period kicked in.
While the system is effective, it would be nice to shorten the time from discovery to disclosure down to two weeks or less, Poddar suggested. He admitted this is a challenge with so many major stakeholders, which in Istio’s case includes Google, IBM/Red Hat, VMware and many others. “For something like this, I want my customers to be patched as quickly as possible,” Poddar said.
Istio versions 1.3 to 1.3.7, and 1.4 to 1.4.3, are affected. The flaw scored a 9.0 out of 10 on the Common Vulnerability Scoring System (CVSS).
Because this vulnerability resides in Istio’s Envoy filter, the cluster’s local proxy image can also be checked, using a script developed by Aspen Mesh and Google, to see whether the proxy image is vulnerable.
Aspen Mesh offers an enterprise-grade service mesh built on Istio that also includes a role-based, API-driven policy framework as well as a customized user interface and expert support.
Aspen Mesh is a sponsor of The New Stack.