Istio Input Validation Vulnerability in ExcludeInterfaces Annotation Allowing Iptables Rule Injection

Vulnerability

A vulnerability exists in Istio versions through 1.28.2 that allows iptables match parameters to be injected via the traffic.sidecar.istio.io/excludeInterfaces annotation. The annotation accepts arbitrary strings without validation, so a value that is not a plain interface name can alter the generated iptables rules and produce unintended firewall behavior. The issue may not be a direct security vulnerability, since a pod creator who can set this annotation can already exclude sidecar injection entirely, but it creates ambiguity in how the annotation is interpreted and can have unexpected operational effects.

Impact

The lack of validation could lead to unintended modifications in firewall behavior, allowing for potential disruption in network traffic management.

Reproduction

To reproduce this vulnerability, apply the traffic.sidecar.istio.io/excludeInterfaces annotation to a pod with a value that is not a valid interface name. Because the value is not validated, the extra content is passed through and can be interpreted as iptables match parameters, such as matching traffic for specific IP addresses or ports.
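The defensive check this advisory calls for is a strict validator for the annotation value before it is placed into any iptables rule. The following Go example is added here and is not Istio's own code or the fix shipped in 1.29.0; it assumes the annotation is a comma-separated list of Linux interface names and mirrors the kernel's dev_valid_name() rules (non-empty, shorter than IFNAMSIZ, not "." or "..", no '/', ':' or whitespace), plus a conservative refusal of a leading '-' so a name can never be read as an iptables flag. Rejecting whitespace is what blocks the injection of additional match parameters.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ifNameSize mirrors the kernel's IFNAMSIZ (16 bytes including the NUL terminator),
// so a valid name is at most 15 bytes long.
const ifNameSize = 16

// ValidateInterfaceName applies the same rules as the Linux kernel's dev_valid_name()
// and additionally rejects a leading '-' (an assumption made here for defence in
// depth: such a token would be parsed as an option by iptables rather than a name).
func ValidateInterfaceName(name string) error {
	if name == "" {
		return errors.New("empty interface name")
	}
	if len(name) >= ifNameSize {
		return fmt.Errorf("interface name %q exceeds %d bytes", name, ifNameSize-1)
	}
	if name == "." || name == ".." {
		return fmt.Errorf("interface name %q is reserved", name)
	}
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("interface name %q starts with '-'", name)
	}
	for _, r := range name {
		// Whitespace is the character class that would let "eth0 -d 10.0.0.1"
		// become extra match parameters in a generated rule.
		if r == '/' || r == ':' || unicode.IsSpace(r) {
			return fmt.Errorf("interface name %q contains forbidden character %q", name, r)
		}
	}
	return nil
}

// ParseExcludeInterfaces parses the comma-separated annotation value and returns
// the validated interface names, or an error naming the first rejected entry.
// An empty or blank value yields no names and no error.
func ParseExcludeInterfaces(value string) ([]string, error) {
	if strings.TrimSpace(value) == "" {
		return nil, nil
	}
	var names []string
	for _, raw := range strings.Split(value, ",") {
		name := strings.TrimSpace(raw)
		if err := ValidateInterfaceName(name); err != nil {
			return nil, fmt.Errorf("invalid excludeInterfaces entry %q: %w", raw, err)
		}
		names = append(names, name)
	}
	return names, nil
}

func main() {
	// Constructed sample annotation values: one valid list and two that must be rejected.
	samples := []string{
		"eth0,docker0",
		"eth0 -d 10.0.0.1",          // embedded whitespace: would inject a match parameter
		"eth0,verylonginterfacename0", // longer than IFNAMSIZ-1
	}
	for _, v := range samples {
		names, err := ParseExcludeInterfaces(v)
		fmt.Printf("%q -> names=%v err=%v\n", v, names, err)
	}
}
```

The validator runs before any rule text is assembled, so a rejected annotation fails the pod's configuration step rather than silently producing a different firewall rule; logging the rejected entry gives operators a clear signal when the annotation is being misused.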

Remediation

Users should update to Istio version 1.29.0 or later, where this issue has been addressed and interface names in the excludeInterfaces annotation are properly validated.

Added: Jan 15, 2026, 8:19 PM
Updated: Jan 15, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          5.4
exploitability  5.5
remediation     0.0
relevance       2.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.