Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- <= 1.36.2
A vulnerability exists in Envoy versions through 1.36.2 that impacts TCP proxy mode handling of CONNECT requests. Envoy forwards client data to upstream TCP connections before acknowledging the request with a 2xx response. If an upstream forwarding proxy then responds with a non-2xx status, it can lead to a de-synchronized CONNECT tunnel state. This behavior, allowed by default to maintain compatibility with existing deployments, can be problematic if upstream proxies may reject the CONNECT tunnel establishment. The issue can be mitigated by setting the 'envoy.reloadable_features.reject_early_connect_data' runtime flag to true, which will reject early CONNECT data in such scenarios.
Exploitation of this vulnerability can cause a de-synchronization of the CONNECT tunnel state, particularly if an upstream forwarding proxy responds with a non-2xx status.
Users are advised to upgrade to Envoy versions 1.36.3, 1.35.7, 1.34.11, or 1.33.13. Additionally, the 'envoy.reloadable_features.reject_early_connect_data' runtime flag can be set to true to reject early CONNECT data, especially when upstream proxies may reject the CONNECT tunnel establishment.
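The fixed releases above are per release line, so a plain "<= 1.36.2" comparison would wrongly flag a patched 1.35.7 or 1.34.11 build. The following is an added example, not code from this advisory or the Envoy project, that triages a build against those lines and separately reports whether the runtime flag is set. The function names are hypothetical, and the runtime dump is constructed sample data assumed to follow the shape of Envoy's admin `/runtime` output.

```python
import json

# Fixed releases listed in the advisory, keyed by (major, minor) release line.
FIXED = {(1, 36): 3, (1, 35): 7, (1, 34): 11, (1, 33): 13}
FLAG = "envoy.reloadable_features.reject_early_connect_data"


def parse_version(text):
    """Parse '1.35.7' or 'v1.35.7' into a (major, minor, patch) tuple."""
    major, minor, patch = (int(part) for part in text.strip().lstrip("v").split("."))
    return major, minor, patch


def has_fix(version):
    """True if the build is at or past the fixed patch level of its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    # Lines above 1.36 are outside the affected range (<= 1.36.2);
    # lines below 1.33 have no fixed release listed in the advisory.
    return line > max(FIXED)


def flag_enabled(runtime_json):
    """True if the runtime dump shows the flag overridden to true."""
    entries = json.loads(runtime_json).get("entries", {})
    value = entries.get(FLAG, {}).get("final_value", "")
    return str(value).lower() == "true"


def triage(version, runtime_json):
    """Report the two facts separately; the advisory lists them as separate actions."""
    return {"version": version, "has_fix": has_fix(version),
            "rejects_early_connect_data": flag_enabled(runtime_json)}


# Constructed sample data (assumed shape of the admin /runtime output).
SAMPLE_RUNTIME_SET = json.dumps({"layers": ["static_layer_0", "admin"], "entries": {
    FLAG: {"layer_values": ["true", ""], "final_value": "true"}}})
SAMPLE_RUNTIME_EMPTY = json.dumps({"layers": ["static_layer_0", "admin"], "entries": {}})

if __name__ == "__main__":
    for ver, dump in [("1.36.2", SAMPLE_RUNTIME_EMPTY), ("1.35.7", SAMPLE_RUNTIME_SET),
                      ("1.34.10", SAMPLE_RUNTIME_EMPTY), ("1.32.5", SAMPLE_RUNTIME_EMPTY)]:
        print(triage(ver, dump))
```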