Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

DoS Vulnerability Allows Easy Envoy Proxy Crashes

Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn’t implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a “zip bomb” — i.e., a malicious archive file designed to crash or render useless a program or system.

The vulnerability could thus be exploited by a malicious actor uploading a Brotli zip bomb to the server, resulting in acute performance issues.

“In most cases the machine’s memory will not be able to handle such large amounts of data and the Envoy process will eventually crash,” the JFrog blog post warned. “In most cases, before the process crashes, there will be severe performance issues due to the processor allocating a lot of resources to the decompression process.”

The blog post advised users to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, which it said would completely fix the issue. However, organizations that can’t make the upgrade are advised to prohibit their configuration from allowing Brotli decompression. This can be done by removing the Brotli decompressor in its entirety, or otherwise replacing it with the Gzip decompressor.

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, explains that open source technology is often susceptible to vulnerabilities that can be exploited using older attack vectors — like a zip-bomb for exhausting memory.

“The cloud serves many always-on applications, which often leads to a lack of patching,” McCarthy says. “CVE-2022-29225 highlights the importance of cloud exploitation research, as this attack surface is growing.”

He adds that when responsible disclosure occurs, virtual patching becomes an excellent mitigation option for attacks in the cloud.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…