Attack type
Remote
Impact
Unauthorized access to endpoints protected by oauth.
Affected component(s)
Oauth protected endpoints.
Attack vector(s)
Any endpoint that’s supposed to be protected by the oauth filter.
Discoverer(s)/Credits
Weiqiu Wen ff800u@gmail.com
Description (brief; included in CVE)
The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
Example exploit or proof-of-concept
curl -v -H 'Authorization:Bearer asdfasdfasdfasd' https://<my-service>
Description (full; not included in CVE but will be published on GitHub later and linked)
The OAuth specification allows for authorization flows to be skipped as long as a valid token is present. However, validating the token is implementation specific and no such process is included within the Envoy’s open source implementation (private implementations do indeed validate the access token). This means that access tokens should be ignored and only the HMAC signed cookie should be used for authentication.
Mitigation
None.
Detection
Improper access in the access logs.
Attack type
Remote
Impact
Unauthorized access to endpoints protected by oauth.
Affected component(s)
Oauth protected endpoints.
Attack vector(s)
Any endpoint that’s supposed to be protected by the oauth filter.
Discoverer(s)/Credits
Weiqiu Wen ff800u@gmail.com
Description (brief; included in CVE)
The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
Example exploit or proof-of-concept
Description (full; not included in CVE but will be published on GitHub later and linked)
The OAuth specification allows for authorization flows to be skipped as long as a valid token is present. However, validating the token is implementation specific and no such process is included within the Envoy’s open source implementation (private implementations do indeed validate the access token). This means that access tokens should be ignored and only the HMAC signed cookie should be used for authentication.
Mitigation
None.
Detection
Improper access in the access logs.