Summary
The ALTS transport socket extension enables Envoys running on GCP to establish ALTS connections. If a client attempts to simultaneously establish more than 2 ALTS connections to the Envoy, the Envoy will hang (becoming unusable) and/or crash.
Severity
Moderate - If there are any users of the ALTS transport socket extension in Envoy, then this bug poses a critical risk to these users because any peer can crash the Envoy after establishing a handful of TCP connections to the Envoy. However, because the bug effectively makes the ALTS transport socket extension unusable in relatively common use cases, we suspect that the ALTS transport socket extension has little-to-no usage.
Proof of Concept
- Start an Envoy on a GCP VM. The Envoy must listen on some port and have the ALTS transport socket extension enabled for that listener. The handshaker_service string in the extension must be set to “metadata.google.internal:8080”.
- From a GCP VM (could be the same one), attempt to establish more than 2 ALTS connections to the Envoy concurrently. The Envoy will hang or crash, and no more than 2 of the ALTS connections will succeed.
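To check whether a deployment uses the listener configuration described above, the following added example (not part of the original advisory or of Envoy's code) walks an Envoy configuration loaded as JSON and reports every transport socket that selects the ALTS extension, along with its handshaker_service value. The extension name and type URL are Envoy's identifiers for this extension; the sample configuration and the function name are constructed for illustration.

```python
import json

# Envoy's extension name and typed_config type for the ALTS transport socket.
ALTS_NAME = "envoy.transport_sockets.alts"
ALTS_TYPE_SUFFIX = "envoy.extensions.transport_sockets.alts.v3.Alts"


def find_alts_sockets(node, path="$"):
    """Yield (json_path, handshaker_service) for each transport_socket
    anywhere in the config that selects the ALTS extension."""
    if isinstance(node, dict):
        ts = node.get("transport_socket")
        if isinstance(ts, dict):
            typed = ts.get("typed_config")
            typed = typed if isinstance(typed, dict) else {}
            by_name = ts.get("name") == ALTS_NAME
            by_type = str(typed.get("@type", "")).endswith(ALTS_TYPE_SUFFIX)
            if by_name or by_type:
                yield f"{path}.transport_socket", typed.get("handshaker_service")
        for key, value in node.items():
            yield from find_alts_sockets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_alts_sockets(value, f"{path}[{i}]")


# Constructed sample: one listener using ALTS, one using TLS.
SAMPLE = json.loads("""
{"static_resources": {"listeners": [
  {"name": "ingress_alts", "filter_chains": [{"transport_socket": {
     "name": "envoy.transport_sockets.alts",
     "typed_config": {
       "@type": "type.googleapis.com/envoy.extensions.transport_sockets.alts.v3.Alts",
       "handshaker_service": "metadata.google.internal:8080"}}}]},
  {"name": "ingress_tls", "filter_chains": [{"transport_socket": {
     "name": "envoy.transport_sockets.tls",
     "typed_config": {
       "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"}}}]}
]}}
""")

if __name__ == "__main__":
    for where, handshaker in find_alts_sockets(SAMPLE):
        print(f"ALTS transport socket at {where} (handshaker_service={handshaker})")
```

The reported path shows whether the match sits under a listener or elsewhere in the configuration; an empty result means the ALTS extension is not configured.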
Further Analysis
We have built a fix, which is a major rewrite of the ALTS transport socket extension.
Timeline
Date reported: 08/17/2023
Date fixed:
Date disclosed: 11/15/2023