
Crash when a large request body is processed in Lua filter

Moderate
phlax published GHSA-wpc2-2jp6-ppg2 Apr 4, 2023

Package

Envoy (Envoy)

Affected versions

< 1.26.0

Patched versions

1.25.3, 1.24.4, 1.23.6, 1.22.9

Description

Impact

Denial of service (crash).

Affected components

Lua filter.

Attack vector/s

Attackers can send large request bodies to routes that have the Lua filter enabled and trigger crashes.

Description

The Lua filter can resume processing of the coroutine after a local reply has already been sent because the request/response body was too large. The mitigation prevents the coroutine from being invoked while a local reply is being sent.

Example exploit or proof-of-concept

1. Configure a route that has the Lua filter enabled.
2. Send a request with a body that exceeds the buffer limit.
3. Have the Lua script request the request body; this causes the Lua filter to buffer the entire request body.
4. The request body buffering can exceed the limit here: https://sourcegraph.com/github.com/envoyproxy/envoy@991cde892ff88b7aca04adb7fc44e14f6c0ee0fe/-/blob/source/extensions/filters/http/lua/lua_filter.cc?L263&subtree=true#tab=references and a local reply is sent, but the Lua filter is oblivious to this and continues the coroutine.
5. The Lua script kicks off an HTTP request that points to the Lua filter.
6. The Lua filter is destroyed, as Envoy has completed the local reply and destroyed the related objects.
7. The HTTP request that the Lua script kicked off in step 5 receives a response and calls back into the Lua filter. The filter has already been destroyed, so Envoy segfaults.

Detection

Given enough traffic of this type, Envoy would crash repeatedly, especially when the buffered body is larger.

Mitigation

In versions that include the patch, the Lua coroutine is no longer invoked once the filter has been reset.

For older, unpatched versions you can mitigate as follows:
If your Lua filter buffers all requests/responses, you can guard against this by placing the buffer filter in front of it, so that the body-size local reply is triggered by the buffer filter rather than by the Lua filter.
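Added example, not from the advisory or the Envoy project: an http_filters chain for an unpatched release that places the buffer filter ahead of a Lua filter which reads the request body. The 1 MiB limit and the audit_cluster name are assumed values.

```yaml
# Added example (not from the advisory). Filter order matters: the buffer
# filter runs first and stops iteration until the whole request is
# buffered, so a body over max_request_bytes gets the 413 local reply
# from the buffer filter before the Lua filter ever buffers it or
# resumes its coroutine. The limit and cluster name are assumed values.
http_filters:
- name: envoy.filters.http.buffer
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
    max_request_bytes: 1048576   # assumed bound, 1 MiB
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      function envoy_on_request(request_handle)
        -- body() is the call that makes the Lua filter buffer the whole
        -- request; with the buffer filter in front it is already bounded.
        local body = request_handle:body()
        local size = body and body:length() or 0
        request_handle:logInfo("buffered request body bytes: " .. size)
        -- An outbound call from the script is what later re-enters the
        -- filter; it is only reached for bodies the buffer filter allowed.
        local headers, resp_body = request_handle:httpCall(
          "audit_cluster",   -- assumed cluster name
          {[":method"] = "POST", [":path"] = "/audit",
           [":authority"] = "audit"},
          tostring(size), 2000)
      end
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

The buffer filter only bounds request bodies; it does not cover response bodies, so a Lua script that buffers responses is not protected by this chain.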

Discoverer/credit

Dan Tulovsky dant@wetsnow.com

Severity

Moderate
4.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-27492

Weaknesses

No CWEs
