Heimdall Case-Sensitive Host Matching Vulnerability Leading to Policy Bypass
Vulnerability
A vulnerability in Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, allows for policy bypass due to case-sensitive host matching. This issue is present in Heimdall versions prior to 0.17.14. Hostnames, and therefore the value of the HTTP Host header, are case-insensitive, but Heimdall compared them case-sensitively, so the letter casing of the Host header could determine which rule a request was matched against. As a result, requests may be processed under unintended rules, potentially leading to unauthorized access or actions.
Impact
Exploitation of this vulnerability can bypass access control policies, allowing unauthorized access to data or functionality that should be restricted. In some cases, it could lead to privilege escalation, depending on the functionality the bypassed rules protect.
Reproduction
To reproduce this vulnerability, create a rule in Heimdall that matches a specific host, such as 'admin.example.com'. Ensure that the default rule is set to allow anonymous access. Then, send a request with the 'Host' header formatted in a way that differs only by case, such as 'Admin.Example.Com'. The request will be incorrectly processed, bypassing the intended access controls.
Remediation
Users should update to Heimdall version 0.17.14 or later, where this vulnerability has been fixed. Additionally, avoid configuring permissive default rules that allow anonymous access. When using 'regex' type for host matching, define expressions to be case-insensitive. For example, use '(?i)^admin\.example\.com$' to match 'Admin.Example.Com'.
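The following Go program is an added illustration of the reproduction and remediation steps above; it is not Heimdall's own code. It models a rule set with a hypothetical Rule type and a Decide function: the admin rule uses the case-sensitive regex, the default rule allows anonymous access, and a request whose Host header is 'Admin.Example.Com' falls through to the default rule unless the host is normalized or the regex carries the '(?i)' flag from the remediation section. AuditRules is a defender-side check that lists rules whose host regex lacks that flag.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is a hypothetical, simplified model of a Heimdall rule (not Heimdall's
// own types): an ID, an anchored host regex and whether it allows anonymous access.
type Rule struct {
	ID        string
	Host      *regexp.Regexp
	Anonymous bool
}

// Decide returns the first rule whose host pattern matches, or the default rule.
// With normalize=false the raw Host header is compared as-is, which is the
// bypass condition the advisory describes; with normalize=true the header is
// lower-cased first, modelling case-insensitive hostname comparison.
func Decide(rules []Rule, dflt Rule, host string, normalize bool) Rule {
	if normalize {
		host = strings.ToLower(host)
	}
	for _, r := range rules {
		if r.Host.MatchString(host) {
			return r
		}
	}
	return dflt
}

// AuditRules returns the IDs of rules whose host regex is not marked
// case-insensitive, i.e. rules whose outcome depends on Host header casing.
func AuditRules(rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		if !strings.HasPrefix(r.Host.String(), "(?i)") {
			findings = append(findings, r.ID)
		}
	}
	return findings
}

func main() {
	admin := Rule{ID: "admin", Host: regexp.MustCompile(`^admin\.example\.com$`)}
	adminCI := Rule{ID: "admin-ci", Host: regexp.MustCompile(`(?i)^admin\.example\.com$`)}
	dflt := Rule{ID: "default", Anonymous: true} // permissive default, as in the advisory
	for _, h := range []string{"admin.example.com", "Admin.Example.Com"} { // constructed sample hosts
		fmt.Printf("%-18s raw=%-8s normalized=%-6s (?i)-regex=%s\n", h,
			Decide([]Rule{admin}, dflt, h, false).ID,
			Decide([]Rule{admin}, dflt, h, true).ID,
			Decide([]Rule{adminCI}, dflt, h, false).ID)
	}
	fmt.Println("rules without (?i):", AuditRules([]Rule{admin, adminCI}))
}
```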