Attack type
Remote
Impact
Denial of service
Affected component(s)
gRPC health checking
Attack vector(s)
Remote, upstream hosts
Discoverer(s)/Credits
Erik Lindblad erili@spotify.com
Description (brief; included in CVE)
An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
Example exploit or proof-of-concept
- Attacker controls an upstream server that is health checked using gRPC
- Server is known to Envoy via service discovery (EDS, DNS, etc.)
- Envoy is configured to not remove upstream hosts until health check fails
- Attacker causes Envoy to mark the host for removal (remove from DNS, remove from EDS via some out of band mechanism, etc.)
- Attacker causes the upstream host to fail the gRPC health check.
- Envoy will crash.
Description (full; not included in CVE but will be published on GitHub later and linked)
Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails.
If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference.
Mitigation
Disable gRPC health checking and/or replace it with a different health checking type.
Detection
Crashes with call stacks in the gRPC health checking code.
Attack type
Remote
Impact
Denial of service
Affected component(s)
gRPC health checking
Attack vector(s)
Remote, upstream hosts
Discoverer(s)/Credits
Erik Lindblad erili@spotify.com
Description (brief; included in CVE)
An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
Example exploit or proof-of-concept
Description (full; not included in CVE but will be published on GitHub later and linked)
Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails.
If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference.
Mitigation
Disable gRPC health checking and/or replace it with a different health checking type.
Detection
Crashes with call stacks in the gRPC health checking code.