Envoy Gateway Credential Leakage Vulnerability via Lua Scripts in EnvoyExtensionPolicy
Vulnerability
A vulnerability exists in Envoy Gateway versions prior to 1.5.7 and 1.6.2 that allows Lua scripts defined in EnvoyExtensionPolicy resources, which the Envoy proxy executes, to leak the proxy's own credentials. These credentials authenticate the proxy to the control plane and grant access to every secret the proxy uses, such as TLS private keys and credentials for downstream and upstream communication. The root cause is that a Lua script in an EnvoyExtensionPolicy can read sensitive files on the proxy, including the xDS client certificate and the Kubernetes service account token, which in turn can lead to arbitrary code execution in the Envoy Gateway controller pod and privilege escalation.
Impact
Exploitation of this vulnerability allows for unauthorized access to Envoy proxy credentials, which can be used to retrieve sensitive secrets like TLS private keys and communication credentials. Additionally, the vulnerability can be exploited to execute arbitrary code in the Envoy Gateway controller pod, potentially leading to privilege escalation.
Reproduction
To reproduce this vulnerability, create an EnvoyExtensionPolicy resource that includes a Lua script designed to read sensitive files such as TLS certificates or the Kubernetes service account token. Once the policy is applied, the Lua script will execute in the context of the Envoy proxy, allowing the leaked information to be accessed and potentially exploited.
Remediation
Users should update to Envoy Gateway version 1.5.7 or 1.6.2, where this vulnerability is fixed. Additionally, Kubernetes RBAC rules can restrict the creation of EnvoyExtensionPolicy resources containing Lua scripts to trusted namespaces, so that only cluster operators, not application tenants, can install Lua filters.
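The RBAC restriction above only governs who may create new policies; it does not tell you which Lua-bearing EnvoyExtensionPolicy resources already exist in namespaces you do not trust. The following audit script is an added example, not code from the Envoy Gateway project or the advisory. It assumes the EnvoyExtensionPolicy schema of the gateway.envoyproxy.io/v1alpha1 API, where Lua filters sit under spec.lua[] with type "Inline" (script in .inline) or "ValueRef" (script in a referenced ConfigMap); the policy objects and namespaces in the sample are constructed for illustration. It flags any Lua policy outside an operator-supplied trusted-namespace list, any inline script that calls Lua file or shell APIs, and any ValueRef script that it cannot inspect inline.

```python
"""Audit EnvoyExtensionPolicy resources for Lua scripts outside trusted namespaces.

Added example (not Envoy Gateway project code). Assumes the EnvoyExtensionPolicy
schema of gateway.envoyproxy.io/v1alpha1: Lua filters live under spec.lua[] with
type "Inline" (script in .inline) or "ValueRef" (script in a ConfigMap named by
.valueRef). Upgrading to a fixed release remains the actual remediation; this
script only surfaces policies that deserve review in the meantime.
"""
import json
import re
import sys
from typing import Iterable

# Constructed sample in the shape `kubectl get envoyextensionpolicies -A -o json`
# returns. Policy names, namespaces and scripts are made up for this example.
SAMPLE_POLICY_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # Lua in a trusted namespace, touching only headers: benign
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"name": "add-header", "namespace": "platform-system"},
            "spec": {"lua": [{"type": "Inline",
                              "inline": "function envoy_on_response(h)\n"
                                        "  h:headers():add('x-audited', 'yes')\nend"}]},
        },
        {   # Lua in a tenant namespace that opens a file on the proxy
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"name": "tenant-filter", "namespace": "tenant-a"},
            "spec": {"lua": [{"type": "Inline",
                              "inline": "function envoy_on_request(h)\n"
                                        "  local f = io.open('/etc/hostname')\nend"}]},
        },
        {   # No Lua at all: out of scope for this advisory
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"name": "wasm-only", "namespace": "tenant-b"},
            "spec": {"wasm": [{"name": "filter", "code": {"type": "HTTP"}}]},
        },
        {   # Lua sourced from a ConfigMap: the script body is not in the policy
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"name": "from-configmap", "namespace": "tenant-c"},
            "spec": {"lua": [{"type": "ValueRef",
                              "valueRef": {"kind": "ConfigMap", "name": "lua-src"}}]},
        },
    ],
})

# Lua standard-library calls that reach the proxy's filesystem or shell. A
# request/response filter has no legitimate reason to use them.
FILE_OR_SHELL_CALLS = re.compile(
    r"\b(io\.(open|lines|popen|input|output)|os\.(execute|getenv|remove|rename))\s*\("
)


def audit_policies(policy_list_json: str, trusted_namespaces: Iterable[str]) -> list[dict]:
    """Return one finding per Lua-bearing policy that needs review, in list order."""
    trusted = set(trusted_namespaces)
    findings = []
    for item in json.loads(policy_list_json).get("items", []):
        if item.get("kind") != "EnvoyExtensionPolicy":
            continue
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        lua_entries = item.get("spec", {}).get("lua") or []
        if not lua_entries:
            continue
        reasons = []
        if ns not in trusted:
            reasons.append("lua-in-untrusted-namespace")
        for entry in lua_entries:
            if entry.get("type") == "ValueRef":
                # Script lives in a ConfigMap; fetch and review it separately.
                reasons.append("lua-from-valueref-not-inspected")
            elif FILE_OR_SHELL_CALLS.search(entry.get("inline", "")):
                reasons.append("lua-uses-file-or-shell-api")
        if reasons:
            findings.append({"namespace": ns, "name": name, "reasons": sorted(set(reasons))})
    return findings


if __name__ == "__main__":
    # Pipe `kubectl get envoyextensionpolicies -A -o json` in, or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY_LIST
    trusted_ns = sys.argv[1:] or ["platform-system"]
    for finding in audit_policies(data, trusted_ns):
        print(f"{finding['namespace']}/{finding['name']}: {', '.join(finding['reasons'])}")
```

Run it as `kubectl get envoyextensionpolicies -A -o json | python3 audit_lua_policies.py platform-system` (the file name is yours to choose), passing every namespace whose operators you trust to author Lua filters. The file/shell regex is a heuristic: it catches the obvious Lua library calls, but obfuscated scripts or scripts pulled in through ValueRef must still be read by hand, which is why those are reported rather than silently accepted.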