Summary
A certificate authentication bypass allows malformed certificates issued by a malicious CA to be accepted as valid for a host.
Description
The API for matching Subject Alternative Names (SANs) in X.509 certificates does not take the SAN type into account. A malicious CA that issues a malformed certificate, for example one that encodes a DNS hostname in an rfc822Name SAN or an email address in a uniformResourceIdentifier SAN, will have that certificate match the configured name. Because the certificate is malformed, this may bypass configured constraints such as nameConstraints, which restrict the DNS hostnames or email addresses a CA may issue for.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, Low
Impact
This may allow monster-in-the-middle attacks against Envoy users that rely on the X.509 nameConstraints extension to restrict the capabilities of CAs. This includes users of common, commercially-available CAs that issue widely-trusted certificates, as those CAs rely on nameConstraints to technically constrain subordinate CAs. Users of enterprise-managed CAs that do not use nameConstraints to restrict those CAs may not be affected, as they already completely trust the CA not to issue malformed certificates.
Patches
Envoy version 1.20.1 adds the ability to specify the type of SAN along with the value to match against.
IMPORTANT: Further action is required after upgrading to the patched version. Replace all usage of extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names with extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names, which ensures that matching considers the type of Subject Alternative Name in use, as well as all appropriate nameConstraints.
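The following is an added example, not configuration from the advisory or the Envoy project: the same upstream TLS validation context written first with the value-only matcher and then with the typed matcher that the patch introduces. The hostname and CA file path are assumed placeholders.

```yaml
# Added example (not from the advisory). Hostname and CA path are assumed.
#
# Vulnerable form: match_subject_alt_names compares only the SAN value.
# A certificate from a misbehaving CA carrying "api.example.internal" in an
# rfc822Name SAN would satisfy this matcher, and a dNSName nameConstraint
# on the issuing CA would not be applied to that SAN.
name: envoy.transport_sockets.tls
typed_config:
  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
  sni: api.example.internal
  common_tls_context:
    validation_context:
      trusted_ca:
        filename: /etc/envoy/certs/ca.pem   # assumed path
      match_subject_alt_names:
      - exact: api.example.internal
---
# Corrected form (Envoy >= 1.20.1): match_typed_subject_alt_names binds the
# value to a SAN type, so only a dNSName SAN with this value is accepted and
# the dNSName nameConstraints in the chain are checked against it.
name: envoy.transport_sockets.tls
typed_config:
  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
  sni: api.example.internal
  common_tls_context:
    validation_context:
      trusted_ca:
        filename: /etc/envoy/certs/ca.pem   # assumed path
      match_typed_subject_alt_names:
      - san_type: DNS                      # DNS, EMAIL, URI or IP_ADDRESS
        matcher:
          exact: api.example.internal
```

After the change, a quick way to confirm nothing still relies on the old field is to search the deployed configuration for match_subject_alt_names and expect no hits.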
Workarounds
None.
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
Open an issue in the Envoy repo
Email us at envoy-security