Envoy mTLS Certificate Matcher Null Byte Vulnerability in OTHERNAME SAN

Vulnerability

Envoy versions through 1.36.2 mishandle client certificates whose OTHERNAME subject alternative name (SAN) value contains an embedded null byte when evaluating 'match_typed_subject_alt_names' during mTLS validation. The matcher effectively compares the value only up to the first null byte, so a certificate carrying the OTHERNAME value 'victim\0evil' is accepted as a match for a rule that expects exactly 'victim'.

Impact

An attacker holding such a certificate can impersonate the matched identity and reach services or APIs whose authorization depends on that OTHERNAME check. The flaw bypasses only the SAN matcher, not chain validation: the attacker still needs a certificate with the crafted OTHERNAME value issued by a CA that Envoy trusts (for example, a CA that issues certificates to many tenants based on a name the tenant supplies).

Reproduction

To reproduce this vulnerability, create a CA and use it to sign a server certificate. Then issue two client certificates from the same CA: 'client_evil', whose OTHERNAME SAN value is the BMPSTRING 'evil', and 'client_null', whose OTHERNAME SAN value is the BMPSTRING 'victim\0evil' (the null byte is a legal UTF-16 code unit inside a length-prefixed BMPSTRING, so the CA has no reason to reject it). Configure Envoy to require client certificates and add a 'match_typed_subject_alt_names' entry for the OTHERNAME OID that matches 'victim'. 'client_evil' is the control and must be rejected by every version. On an affected version, a connection with 'client_null' is accepted even though its value is not 'victim'; on a patched version, 'client_null' is rejected as well.
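The following is an added example written for this page, not Envoy code and not from the advisory's authors. It models the two points above: it DER-encodes the BMPSTRING that each client certificate would carry as its otherName value (so the 'victim\0evil' bytes can be inspected or dropped into a certificate-generation tool; the cryptography package's x509.OtherName, for instance, takes exactly this DER as its value), then contrasts a matcher that stops at the first null byte, which is the behaviour this advisory describes, with a length-aware matcher, and finishes with an audit check that flags SAN values containing an embedded null. The OID 1.3.6.1.4.1.99999.1 and the two sample values are constructed for the demonstration; Envoy's real matching code is not reproduced here.

```python
"""Model of the OTHERNAME SAN null-byte mismatch described in this advisory.

Added example; this is not Envoy code. It DER-encodes the BMPString that a
certificate would carry as its otherName value, then contrasts a matcher that
stops at the first NUL (the behaviour the advisory describes) with a
length-aware matcher. The OID below is a made-up private arc for the demo.
"""

BMPSTRING_TAG = 0x1E
OID_TAG = 0x06
EXAMPLE_OID = "1.3.6.1.4.1.99999.1"  # assumption: any private arc works here


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, DER length, body."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER, e.g. the type-id inside an otherName."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last, continuation bits on the rest
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(OID_TAG, bytes(out))


def bmp_string(text: str) -> bytes:
    """DER BMPString (UTF-16BE). NUL is a legal code unit in a length-prefixed
    string, which is exactly what a NUL-terminated C string cannot represent."""
    return der_tlv(BMPSTRING_TAG, text.encode("utf-16-be"))


def parse_tlv(der: bytes) -> tuple[int, bytes]:
    """Return (tag, body) for one DER element; reject truncation or trailing data."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad length")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    body = der[offset:offset + length]
    if len(body) != length or offset + length != len(der):
        raise ValueError("length mismatch")
    return tag, body


def decode_bmp_string(der: bytes) -> str:
    """Decode a DER BMPString to text, keeping any embedded NUL."""
    tag, body = parse_tlv(der)
    if tag != BMPSTRING_TAG:
        raise ValueError(f"expected BMPString, got tag {tag:#x}")
    return body.decode("utf-16-be")


def vulnerable_match(value_der: bytes, expected: str) -> bool:
    """Models the flawed comparison: everything after the first NUL is ignored."""
    seen = decode_bmp_string(value_der).split("\x00", 1)[0]
    return seen == expected


def fixed_match(value_der: bytes, expected: str) -> bool:
    """Length-aware comparison: the whole decoded value must equal the rule."""
    seen = decode_bmp_string(value_der)
    return "\x00" not in seen and seen == expected


def find_embedded_nul(san_values: dict[str, bytes]) -> list[str]:
    """Audit helper: names of SAN entries whose decoded value contains a NUL."""
    return [name for name, der in san_values.items()
            if "\x00" in decode_bmp_string(der)]


# Constructed inputs mirroring the advisory's two client certificates.
CLIENT_EVIL = bmp_string("evil")
CLIENT_NULL = bmp_string("victim\x00evil")
RULE = "victim"

if __name__ == "__main__":
    print("otherName type-id:", encode_oid(EXAMPLE_OID).hex())
    for name, der in (("client_evil", CLIENT_EVIL), ("client_null", CLIENT_NULL)):
        print(f"{name}: value={der.hex()} vulnerable={vulnerable_match(der, RULE)} "
              f"fixed={fixed_match(der, RULE)}")
    print("embedded NUL in:", find_embedded_nul({"client_evil": CLIENT_EVIL,
                                                "client_null": CLIENT_NULL}))
```

The two matchers differ only in whether they trust the DER length or the first null byte; that is the whole bug. The audit helper is the practical takeaway for operators who cannot upgrade immediately: any trusted CA's issuance pipeline should refuse SAN values with embedded nulls, and an offline scan of issued certificates with the same check finds any that slipped through.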

Remediation

Envoy 1.36.3, 1.35.7, 1.34.11 and 1.33.13 fix this issue. Users should upgrade to the patched release of the minor version line they run; until then, ensure that CAs trusted by Envoy for client authentication do not issue certificates with embedded null bytes in SAN values.

Added: Dec 3, 2025, 7:17 PM
Updated: Dec 3, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.