
Crash when a large request body is processed in Lua filter

Moderate
phlax published GHSA-wpc2-2jp6-ppg2 Apr 4, 2023

Package

Envoy (Envoy)

Affected versions

< 1.26.0

Patched versions

1.25.3, 1.24.4, 1.23.6, 1.22.9

Description

Impact

Denial of service (crash).

Affected components

Lua filter.

Attack vector/s

Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes.

Description

The Lua filter can resume the coroutine after Envoy has already sent a local reply because the request or response body exceeded the buffer limit. The fix prevents the coroutine from being invoked while a local reply is in progress.

Example exploit or proof-of-concept

1. Configure a route that has the Lua filter enabled.
2. Send a request with a large body that is beyond the buffer limit.
3. Have the Lua script request the request body; this causes the filter to buffer the entire request body.
4. The request body buffering can go over the limit here: https://sourcegraph.com/github.com/envoyproxy/envoy@991cde892ff88b7aca04adb7fc44e14f6c0ee0fe/-/blob/source/extensions/filters/http/lua/lua_filter.cc?L263&subtree=true#tab=references and send the local reply, but the Lua filter is oblivious and continues the coroutine.
5. The Lua script kicks off an HTTP request that points to the Lua filter.
6. The Lua filter is destroyed, as Envoy has completed the local reply and destroyed the related objects.
7. The HTTP request that the Lua script kicked off in step 5 receives a response and calls the Lua filter. The filter has already been destroyed, so Envoy segfaults.

Detection

Given enough traffic of this type, Envoy crashes repeatedly, especially when the buffered body is large.

Mitigation

For versions updated with the patch, the Lua coroutine is no longer invoked once the filter has been reset.

For older, unpatched versions you can mitigate as follows: if your Lua filter buffers all requests/responses, place the buffer filter in front of it so that an oversized body is rejected by the buffer filter and the local reply is never triggered inside the Lua filter.
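The following `http_filters` chain is an added illustration of that workaround (constructed here, not taken from the advisory or the Envoy project): the buffer filter sits ahead of the Lua filter, so a body larger than `max_request_bytes` is answered with a local 413 by the buffer filter before the Lua script's `body()` call ever buffers it. The 1 MiB limit and the Lua script are assumed values for the example.

```yaml
# Added example, not from the advisory: http_filters for an HttpConnectionManager
# on an unpatched Envoy (< 1.26.0 and before 1.25.3 / 1.24.4 / 1.23.6 / 1.22.9).
# Order matters: the buffer filter must run before the Lua filter.
http_filters:
- name: envoy.filters.http.buffer
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
    # Assumed limit. Keep it below the listener's per_connection_buffer_limit_bytes
    # so this filter rejects the body (413) before the stream buffer limit is hit.
    max_request_bytes: 1048576
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      -- Assumed script: calling body() makes the Lua filter buffer the whole
      -- request, which is the behaviour the advisory describes. With the buffer
      -- filter in front, only bodies within the limit reach this point.
      function envoy_on_request(request_handle)
        local body = request_handle:body()
        if body ~= nil then
          request_handle:logInfo("buffered " .. body:length() .. " bytes")
        end
      end
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```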

Discoverer/credit

Dan Tulovsky

Severity

Moderate


CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-27492

Weaknesses

No CWEs
