CVE-2023-35944
📋 TL;DR
This vulnerability in Envoy proxy allows attackers to bypass security controls by using mixed-case HTTP/HTTPS schemes (like 'htTp' or 'htTps') in HTTP/2 requests. It affects Envoy deployments handling HTTP/2 traffic, potentially allowing unauthorized access or bypassing encryption requirements. Organizations using affected Envoy versions as edge proxies or service meshes are at risk.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass TLS encryption requirements and access sensitive data via unencrypted connections while appearing to use HTTPS, or cause denial of service by getting legitimate requests rejected.
Likely Case
Mixed-case scheme requests get improperly rejected causing service disruption, or attackers bypass scheme-based security controls in specific configurations.
If Mitigated
With proper network segmentation and defense-in-depth, impact is limited to potential service disruption from rejected requests.
🎯 Exploit Status
Exploitation requires sending crafted HTTP/2 requests with mixed-case schemes. No authentication needed if Envoy is publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g
Restart Required: Yes
Instructions:
1. Identify the Envoy version currently deployed.
2. Upgrade to a patched version (1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12).
3. Restart the Envoy service.
4. Verify the fix by testing with mixed-case scheme requests.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this issue.
🧯 If You Can't Patch
- Implement network controls to restrict access to Envoy instances, especially from untrusted networks.
- Monitor logs for HTTP/2 requests with mixed-case schemes and implement WAF rules to block such patterns.
🔍 How to Verify
Check if Vulnerable:
Run envoy --version. If the reported version is earlier than the patched release for its minor line (1.27.0, 1.26.4, 1.25.9, 1.24.10, or 1.23.12), the system is vulnerable.
Check Version:
envoy --version
Verify Fix Applied:
After patching, send test HTTP/2 requests with mixed-case schemes (htTp://example.com). Requests should be properly handled or rejected consistently.
📡 Detection & Monitoring
Log Indicators:
- HTTP/2 requests with mixed-case schemes (htTp, htTps)
- Unexpected request rejections or security bypass events
Network Indicators:
- HTTP/2 traffic with unusual scheme capitalization patterns
SIEM Query:
source="envoy" AND (http_scheme="*[A-Z]*" OR http_scheme="*[a-z][A-Z]*")
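The version check from the "How to Verify" section and the log indicator from the "Detection & Monitoring" section, as an added example that is not part of this advisory or of the Envoy project. It assumes Envoy's JSON access-log format was configured to emit the request scheme (for example via `%REQ(:SCHEME)%`) under a `scheme` key; the log lines and the `envoy --version` output below are constructed samples.

```python
import json
import re

# First release on each minor line that contains the fix (from the advisory above).
FIXED_PATCH = {23: 12, 24: 10, 25: 9, 26: 4, 27: 0}

# Assumed shape of `envoy --version` output: "envoy  version: <hash>/<x.y.z>/..."
SAMPLE_VERSION_OUTPUT = "envoy  version: 0123abcd/1.26.3/Clean/RELEASE/BoringSSL"

# Constructed access-log lines; the "scheme" key is an assumed custom log field.
SAMPLE_LOG = """\
{"scheme":"https","method":"GET","path":"/","protocol":"HTTP/2","response_code":200}
{"scheme":"htTps","method":"GET","path":"/admin","protocol":"HTTP/2","response_code":200}
{"scheme":"http","method":"POST","path":"/login","protocol":"HTTP/1.1","response_code":302}
{"scheme":"HTTP","method":"GET","path":"/x","protocol":"HTTP/2","response_code":403}
"""

CANONICAL_SCHEMES = {"http", "https"}


def is_vulnerable(version_output: str) -> bool:
    """Return True if the version in `envoy --version` output predates the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % version_output)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) > (1, 27):
        return False          # released after the fix landed on every line
    if (major, minor) < (1, 23):
        return True           # older than the oldest fixed release (1.23.12)
    return patch < FIXED_PATCH[minor]


def find_mixed_case_schemes(log_text: str) -> list:
    """Return parsed log records whose scheme is http/https but not all-lowercase.

    Canonical requests carry exactly "http" or "https"; anything else that
    lowercases to those values (htTp, HTTPS, htTps, ...) is the indicator
    this advisory describes, most relevant on HTTP/2 connections.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        scheme = rec.get("scheme")
        if scheme and scheme.lower() in CANONICAL_SCHEMES and scheme not in CANONICAL_SCHEMES:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_VERSION_OUTPUT))
    for rec in find_mixed_case_schemes(SAMPLE_LOG):
        print("mixed-case scheme:", rec["scheme"], rec["protocol"], rec["path"])
```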