CVE-2023-35941
📋 TL;DR
This CVE allows a malicious client to create OAuth2 credentials with permanent validity in Envoy proxy's OAuth2 filter under specific scenarios. It affects Envoy deployments using OAuth2 authentication with certain domain wildcard configurations. The vulnerability enables authentication bypass for unauthorized access to protected resources.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to all protected services behind Envoy, potentially leading to data exfiltration, privilege escalation, or service compromise.
Likely Case
Unauthorized access to specific protected endpoints or services that rely on OAuth2 authentication through Envoy.
If Mitigated
Limited impact with proper network segmentation and additional authentication layers, though OAuth2 protection would be compromised.
🎯 Exploit Status
Exploitation requires specific OAuth2 configuration scenarios with domain wildcards. No public exploit code identified at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55
Restart Required: Yes
Instructions:
1. Identify the Envoy version currently deployed.
2. Upgrade to a patched version: 1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12.
3. Restart the Envoy service.
4. Verify the fix with a version check and test OAuth2 functionality.
🔧 Temporary Workarounds
Avoid domain wildcards in OAuth2 configuration
Remove all wildcards and prefix domain wildcards from the host domain configuration in the OAuth2 filter settings.
# Edit Envoy configuration YAML
# Remove lines containing:
# - domains:
# - "*.example.com"
# - "prefix-*.example.com"
# Replace with specific domain names
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to Envoy OAuth2 endpoints
- Add additional authentication layers (API gateway, WAF) in front of vulnerable Envoy instances
🔍 How to Verify
Check if Vulnerable:
Check the Envoy version and the OAuth2 configuration for domain wildcards. A deployment is vulnerable if the running version is older than the patched release on its minor line (1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12) AND the OAuth2 filter is configured with wildcard domains.
Check Version:
envoy --version
Verify Fix Applied:
Confirm the Envoy version is 1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12 or newer on its minor line, and test OAuth2 authentication against the previously vulnerable configurations.
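As an added helper (not from the advisory or the Envoy project), the Python below covers both verification steps: it compares a version string against the patched releases listed above and walks a parsed Envoy config to flag wildcard strings inside any OAuth2 filter. The filter name envoy.filters.http.oauth2 is Envoy's real filter name; the `hosts` key in the constructed sample and the treatment of release lines older than 1.23 as unpatched are assumptions.

```python
import re

# Patched release per minor line, from the fix list above. Lines older than 1.23
# are treated as unpatched (assumption: no fix was issued for them).
FIXED = {27: 0, 26: 4, 25: 9, 24: 10, 23: 12}
OAUTH2_FILTER = "envoy.filters.http.oauth2"


def version_is_vulnerable(text):
    # Accepts "1.26.3" or the full `envoy --version` line: first dotted triple wins.
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1 or minor > 27:
        return False  # assumption: only 1.x lines up to 1.27 are in scope
    return True if minor < 23 else patch < FIXED[minor]


def _wildcard_strings(node, path):
    # Yield (json_path, value) for every string under node that contains '*'.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _wildcard_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _wildcard_strings(v, f"{path}[{i}]")
    elif isinstance(node, str) and "*" in node:
        yield path, node


def find_oauth2_wildcards(config):
    # Walk a parsed config (load YAML/JSON first) and collect '*' strings inside
    # any OAuth2 filter's typed_config. Hits are candidates for manual review.
    hits = []
    def walk(node):
        if isinstance(node, dict):
            if node.get("name") == OAUTH2_FILTER and "typed_config" in node:
                hits.extend(_wildcard_strings(node["typed_config"], "typed_config"))
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(config)
    return hits


# Constructed sample of a parsed filter chain; "hosts" is illustrative, not the real schema.
SAMPLE = {"http_filters": [
    {"name": "envoy.filters.http.oauth2", "typed_config": {
        "hosts": ["login.example.com", "*.example.com", "prefix-*.example.com"]}},
    {"name": "envoy.filters.http.router"}]}
```

Each reported path points at the exact config entry to replace with a specific domain name, as the workaround above instructs.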
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth2 token validation patterns
- Authentication successes from unexpected sources
- Multiple authentication attempts with malformed credentials
Network Indicators:
- Unusual traffic patterns to OAuth2 endpoints
- Authentication bypass attempts
SIEM Query:
source="envoy" AND ("oauth2" OR "authentication") AND (status="200" OR "success") FROM unexpected_ips