Heimdall Case-Sensitive URL-Encoding Vulnerability Leading to Authorization Bypass

Vulnerability

A vulnerability in Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, allows an authorization bypass due to improper handling of URL-encoded slashes. In versions prior to 0.17.14, Heimdall compared the hex digits of an encoded slash (%2F) case-sensitively, although percent-encoding is defined as case-insensitive, so the lowercase form %2f was not recognised as a slash. The issue arises when the 'allow_encoded_slashes' option is turned off, which is the default setting. The resulting mismatch between how Heimdall and the upstream service interpret the path can lead to unauthorized access, especially if Heimdall is configured with a permissive default rule.

Impact

Exploitation of this vulnerability can bypass access control policies in Heimdall, potentially allowing unauthorized access to restricted data or functionality. In some cases it could lead to privilege escalation, depending on the functionality exposed behind the proxy.

Reproduction

To reproduce this vulnerability, send a request with a URL-encoded slash using lowercase encoding (%2f) to a path that should be restricted. Ensure that Heimdall is configured with an 'allow all' default rule and that the 'allow_encoded_slashes' option is turned off. The request should be processed without the expected authorization checks, allowing access to the restricted resource.

Remediation

Users should update to Heimdall version 0.17.14 or later, and avoid using the '--insecure' flags that disable default security enforcements. It is also recommended to configure default rules to deny access by default and to reject paths with encoded slashes before they reach Heimdall.

Added: May 8, 2026, 4:28 AM
Updated: May 8, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.0
remediation: 0.0
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.