Istio and Envoy Wildcard Certificate Misrouting Vulnerability

Vulnerability

A vulnerability exists in Istio versions through 1.5.1 and Envoy versions through 1.14.1, caused by improper handling of HTTP/2 connection reuse (connection coalescing) when wildcard certificates are involved. This issue can lead to misrouted requests and unintended data exposure between applications hosted on different subdomains of the same IP address. The problem arises when a connection established for a host covered by a wildcard certificate is reused by the client for a different subdomain, and the gateway then sends those requests to the wrong application.

Impact

Exploitation of this vulnerability can cause HTTP requests to be misrouted between applications, leading to 404 errors or, in some cases, unintended data exposure. This misrouting occurs because the HTTP/2 connection reuse does not properly account for the specific subdomain being accessed, allowing requests to be sent to the wrong backend application.

Reproduction

To reproduce this vulnerability, deploy applications on two subdomains (e.g., 'a.example.com' and 'b.example.com') using the same IP address and ingress gateway. Ensure that 'a.example.com' is served with a wildcard certificate (*.example.com) and 'b.example.com' with a specific certificate. When a request is made to 'a.example.com', the connection is established and reused for 'b.example.com', causing a 404 error instead of the expected response.

Remediation

One approach to mitigate this issue is to avoid using wildcard certificates for domains that will be accessed through HTTP/2. Instead, use individual certificates for each subdomain. Additionally, Istio users can create a catch-all virtual service that responds with a 421 status code for misrouted requests, prompting the browser to establish a new connection.
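The catch-all approach described above, as an added example that is not part of the advisory or of Istio's own documentation: a Gateway that serves a.example.com from the wildcard certificate and b.example.com from its own certificate, plus a wildcard-host VirtualService that returns 421 Misdirected Request for any host that has no exact route. Names, namespaces, secret names, the example.com hosts and the backend service are assumptions, and the VirtualService for b.example.com (identical in shape to the one for a.example.com) is omitted.

```yaml
# Added example; all names, hosts and secrets below are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: { number: 443, name: https-wildcard, protocol: HTTPS }
    hosts: ["*.example.com"]            # served with the *.example.com cert
    tls: { mode: SIMPLE, credentialName: wildcard-example-com-cert }
  - port: { number: 443, name: https-b, protocol: HTTPS }
    hosts: ["b.example.com"]            # served with its own, specific cert
    tls: { mode: SIMPLE, credentialName: b-example-com-cert }
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: a-app
  namespace: istio-system
spec:
  hosts: ["a.example.com"]              # exact host: wins over the wildcard below
  gateways: ["example-gateway"]
  http:
  - route:
    - destination: { host: a-app.apps.svc.cluster.local, port: { number: 8080 } }
---
# Catch-all: a request whose :authority is under *.example.com but has no
# exact virtual host on this connection (e.g. b.example.com coalesced onto
# the a.example.com connection) gets 421 instead of 404. An HTTP/2 client
# treats 421 as "this connection is wrong for that host" and opens a new
# one, which then negotiates the b.example.com SNI and certificate.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: misdirected-catch-all
  namespace: istio-system
spec:
  hosts: ["*.example.com"]
  gateways: ["example-gateway"]
  http:
  - fault:
      abort:
        percentage: { value: 100 }
        httpStatus: 421
    # A route destination is mandatory on an HTTPRoute; the abort fires first,
    # so this backend is never reached.
    route:
    - destination: { host: a-app.apps.svc.cluster.local, port: { number: 8080 } }
```

Envoy picks the most specific virtual host for a request, so exact hosts such as a.example.com keep their normal routes and only unmatched hosts fall through to the 421 rule.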

Added: May 15, 2026, 9:54 AM
Updated: May 15, 2026, 9:54 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.