Heimdall Path Normalization Vulnerability Leading to Authorization Bypass
Vulnerability
A vulnerability in Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, allows an authorization bypass due to improper path normalization. In versions prior to 0.17.14, Heimdall matched its rules against the raw request path as received, which could contain dot-segment patterns ('.' and '..', in plain or URL-encoded form) that Heimdall did not normalize. A downstream component that does normalize the path therefore saw a different path than the one Heimdall evaluated. For example, a request to '/user/../admin' could match a permissive rule for '/user/' in Heimdall, while the upstream service normalized it to '/admin', potentially allowing unauthorized access to the admin endpoint.
Impact
Exploitation of this vulnerability can bypass access control policies, leading to unauthorized access or modification of data, invocation of functions requiring authentication or authorization, and in some cases, escalation of privileges, depending on the exposed functionality.
Reproduction
To reproduce this vulnerability, send a request through the proxy in front of Heimdall with dot-segment patterns in the path, such as '/user/../admin' or a URL-encoded variant such as '/user/%2e%2e/admin'. Two conditions must hold: the proxy must forward the path to Heimdall without normalizing it (Envoy does not normalize paths by default and needs additional configuration to do so), and the service behind the proxy must normalize the path before acting on it. One such setup is Heimdall integrated with Envoy via the 'http_service' external authorization integration, with Heimdall's 'trusted_proxies' option configured so that it accepts the forwarded request headers from Envoy. With this setup, Heimdall authorizes the request based on the raw '/user/../admin' path while the upstream service handles it as '/admin'.
Remediation
Update Heimdall to version 0.17.14 or later, where this vulnerability has been patched. Additionally, normalize HTTP paths or reject paths containing relative expressions before they reach Heimdall. Some proxies, like Traefik, do this by default, while others, such as Envoy, may require extra configuration.
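The following Go program, added here as an illustration and not taken from Heimdall's code base, shows the mismatch described above and the remediation of rejecting dot segments and matching on a normalized path. The rule set, the prefix-based matcher and the function names are assumptions chosen for the example; the normalization uses Go's standard url.PathUnescape and path.Clean (RFC 3986 dot-segment removal).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a minimal stand-in for an authorization rule keyed on a path prefix
// (hypothetical; Heimdall's real rule format is richer).
type Rule struct {
	Prefix string
	Allow  bool
}

// Constructed rule set: anything under /user/ is allowed, /admin is denied.
var rules = []Rule{
	{Prefix: "/user/", Allow: true},
	{Prefix: "/admin", Allow: false},
}

// matchRaw mimics the pre-0.17.14 behaviour: the first rule whose prefix matches
// the path exactly as received wins; no matching rule means deny.
func matchRaw(rawPath string) bool {
	for _, r := range rules {
		if strings.HasPrefix(rawPath, r.Prefix) {
			return r.Allow
		}
	}
	return false
}

// normalize percent-decodes the path and removes dot segments, which is roughly
// what a downstream component that normalizes paths would operate on.
func normalize(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	cleaned := path.Clean(decoded)
	// path.Clean drops a trailing slash; keep it so prefix rules such as
	// "/user/" still behave as expected for "/user/".
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned, nil
}

// hasDotSegments reports whether any segment of the decoded path is "." or "..".
// An undecodable path is treated as suspicious.
func hasDotSegments(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// matchHardened is the remediated variant: relative path expressions are
// rejected outright, and the rules are evaluated against the normalized path.
func matchHardened(rawPath string) bool {
	if hasDotSegments(rawPath) {
		return false
	}
	p, err := normalize(rawPath)
	if err != nil {
		return false
	}
	return matchRaw(p)
}

func main() {
	for _, p := range []string{"/user/../admin", "/user/%2e%2e/admin", "/user/profile"} {
		n, _ := normalize(p)
		fmt.Printf("%-22s raw=%-5v normalized=%-14s hardened=%v\n", p, matchRaw(p), n, matchHardened(p))
	}
}
```

Running it shows that '/user/../admin' and its encoded variant are authorized by the raw matcher but normalize to '/admin', which the rules deny; the hardened matcher refuses both while still allowing '/user/profile'. Rejecting dot segments before normalizing, rather than only normalizing, is deliberate: a rule engine has no legitimate reason to see relative path expressions, and refusing them removes any dependence on the upstream's particular normalization rules.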
